Ad
More Related Content
What's hot (20)
Similar to Control Kubernetes Ingress and Egress Together with NGINX (20)
Ad
More from NGINX, Inc. (20)
Ad
Recently uploaded (20)
Control Kubernetes Ingress and Egress Together with NGINX
- 1. Control Ingress and Egress traffic in Kubernetes with NGINX Amir Rawdat Technical Marketing Engineer, NGINX
- 2. | ©2020 F5 2 Agenda • Common challenges with managing traffic inside Kubernetes • Moving away from annotations with NGINX Ingress Resources • Enhancing troubleshooting and logging • Controlling ingress/egrees traffic with a single configuration • Enabling agile deployments and maintaining uptime • Going even further with NGINX Service Mesh • Q&A
- 3. | ©2020 F5 3 Kubernetes becoming platform for developing, testing and running applications Applications are becoming ephemeral by nature This brings limitations to Layer 4 Kubernetes Networking NGINX provides L5-7 networking policies as an alternative to IP addresses Cybersecurity is an ever- growing, ever-complicating field Traditional firewalls and anti virus security is irrelevant or obsolete. Data breaches on the rise and will continue to rise throughout 2021. What we see in the market KUBERNETES-CENTRIC PERSPECTIVE SOURCE: INFORMATION EXAMPLE Adoption of managed and commercial Kubernetes platforms We see rapid adoption of OpenShift and Rancher in the private cloud space EKS and GKE adoption in public cloud
- 4. | ©2020 F5 4 MY FAVORITE ARTICLE TITLES But K8s Adoption Brings Complexity “Let’s Use Kubernetes!”N ow You Have 8 Problems” ”Will Complexity Kill Kubernetes?” “Has Kubernetes Already Become To Unnecessarily Complex for Enterprise IT?” ”Why Kubernetes Networking Is Hard – And What You Can Do About It”
- 5. | ©2020 F5 5 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? Networking: K8s, L4-L7 • K8s, and CNI, provides L4 servicing – IP endpoints • Many, complex options • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • L7 Traffic Management is missing • Policy-based routing • Service-level access control • SSL/mTLS enforcement • Integrated Ingress/Egress • Enter: KIC + Service Mesh – Taking control of Kubernetes networking
- 6. | ©2020 F5 6 Controlling ingress/egress traffic with NGINX KIC CONFIDENTIAL
- 7. | ©2020 F5 7 Problems with Ingress Resources Confidential – Do Not Distribute • Kubernetes Ingress resources are limited to basic SSL/TLS and HTTP load balancing • Configuration can be further customized with Annotations, ConfigMaps, and templates • Global scoped and not fine grained • Very error prone • Difficult to pint point validation errors
- 8. | ©2020 F5 8 NGINX Ingress Resources Confidential – Do Not Distribute • Native Type-Safe Configuration • Provides advanced app delivery features with native Kubernetes workflow. • Increased modularity and reusability • Finer grained multi-tenancy with NGINX cross-namespacing
- 9. | ©2020 F5 9 apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: egress-mtls-policy spec: egressMTLS: tlsSecret: egress-mtls-secret trustedCertSecret: egress-trusted-ca-secret verifyServer: on serverName: on sslName: secure-app.example.com apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: ingress-mtls-policy spec: ingressMTLS: clientCertSecret: ingress-mtls-secret verifyClient: "on" verifyDepth: 1 Ingress/Egress mTLS (KIC) POLICIES
- 10. | ©2020 F5 10 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com ... policies: -name: ingress-mtls-policy-cafe -name: egress-mtls-policy-cafe apiVersion: k8s.nginx.org/v1 kind: VirtualServerRoute metadata: name: app spec: host: app.example.com subroutes - path: /admin/portal/console policies: - name: ingress-mtls-policy-cafe - name: egress-mtls-policy-cafe Applying Ingress/Egress policies to the IC VIRTUALSERVER & VIRTUALSERVERROUTE
- 11. | ©2020 F5 11 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app requestHeaders: pass: true set: - name: Content-Type value: application/json VIRTUALSERVER Applying Ingress HTTP header manipulation
- 12. | ©2020 F5 12 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app responseHeaders: add: - name: Access-Control-Allow-Origin value: "*" always: true hide: - x-internal-version ignore: - Expires - Set-Cookie VIRTUALSERVER Applying Egress HTTP header manipulation
- 13. | ©2020 F5 13 Agile Deployments using Sophisticated Routing CONFIDENTIAL
- 14. | ©2020 F5 14 CONFIDENTIAL Agile deployments using Advanced Routing TOPOLOGY
- 15. | ©2020 F5 15 kind: VirtualServer metadata: name: cafe spec: host: cafe.example.com upstreams: - name: app-edge service: app-edge-svc port: 80 - name: app-stable service: app-stable-svc port: 80 routes: - path: / matches: - conditions: - cookie: session value: suxxis-12hs6dds-dhfgry-ssss action: pass: app-edge action: pass: app-stable CONFIDENTIAL Debug Routing VIRTUALSERVER
- 16. | ©2020 F5 16 kind: VirtualServer metadata: name: cafe spec: host: app.example.com upstreams: - name: products-v2 service: products-v2-svc port: 80 - name: products-v1 service: products-v1-svc port: 80 routes: - path: /products splits: - weight: 90 action: pass: products-v1 - weight: 10 action: pass: products-v2 CONFIDENTIAL A/B testing and Blue-Green Deployments VIRTUALSERVER
- 17. | ©2020 F5 17 Protecting your Kubernetes Apps from Vulnerabilities and Attacks CONFIDENTIAL
- 18. | ©2020 F5 18 Consolidating the NGINX Ingress Controller with a battle tested WAF Configuration is fully managed by the Kubernetes API Leverage Kubernetes RBAC to securely delegate WAF configurations to a dedicated DevSecOps team Block unrecognized threats with user defined signatures WAF CONFIDENTIAL Blocking Threats with NGINX App Protect
- 19. | ©2020 F5 19 CONFIDENTIAL Blocking Threats with NGINX App Protect SECURE PERIMETER FOR YOUR APPLICATIONS IN KUBERNETES
- 20. | ©2020 F5 20 AdvancedApp Centric Configuration Confidential – Do Not Distribute
- 21. | ©2020 F5 21 Going Even Further with NGINX Service Mesh CONFIDENTIAL
- 22. | ©2020 F5 22 Data Plane Control Plane
- 23. | ©2020 F5 23 Bookinfo demo Confidential – Do Not Distribute
- 24. | ©2020 F5 24 What DoesAService Mesh Do? Service Mesh controls communications between pods and external apps Secure Traffic End-to-end encryption (Mutual TLS / mTLS), ACLs Manage All Service Traffic Load Balance, Circuit breaker, B|G, Rate Limiting… Orchestration Injection and sidecar management, K8s API integration Measure Traffic Generate transaction traces and real-time monitoring
- 25. | ©2020 F5 25 WhenAm I Ready ForAService Mesh? You have a mature, fully-automated CI/CD pipeline (GitOps-enabled) You are fully invested in Kubernetes You are deploying frequently to production (at least once per day) You have a zero-trust production environment (so need mTLS) You need/want additional visibility of container traffic interaction
- 26. | ©2020 F5 26 Get Started with the NGINX Ingress Controller -- https://github.com/nginxinc/kubernetes-ingress Get a free trial of NGINX Plus Ingress Controller -- https://www.nginx.com/free-trial- request-nginx-ingress-controller/ § OPEN TALK: Securing and Managing K8s Apps with Ease: NGINX Service Mesh § Download NGINX Service Mesh for free -- https://downloads.f5.com Get Started Today !!
Editor's Notes
- #4: Cybersecurity is an ever-growing, ever-complicating field Authentication is enforced independent of IP addresses Both the client and server before connections are accepted. Broader shift away from perimeter focused, firewall-based security to where security is everywhere and is based on identity (such as identity of applications sharing or requesting information)
- #7: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
- #14: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
- #18: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
- #22: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
- #26: If you can’t say “yes” to these six checkpoints, you’ll not benefit from a services mesh yet. Complexity of application: IDC report “Vendors Stake Out Positions in Emerging Istio Service Mesh Landscape" Aspen Mesh believes cloud-native environments with more than 20 services reach a point of complexity at which services meshes, such as Istio, become increasingly necessary IBM believes it becomes difficult to manage a microservices network when customers reach a threshold of 25 microservices.