Control Kubernetes Ingress and Egress Together with NGINX

Nginx 537 views 16 slides Jan 21, 2021

About This Presentation

On-Demand Recording
https://www.nginx.com/resources/webinars/control-kubernetes-ingress-egress-together-nginx/

About the Webinar
Join our resident Kubernetes and modern apps experts in a discussion of the challenges of Kubernetes traffic management in today’s technology landscape. While Kubernete...


Slide Content

Control Ingress and Egress traffic in Kubernetes with NGINX
Amir Rawdat
Technical Marketing Engineer, NGINX
Faisal Memon
Software Engineer, NGINX

| ©2020 F52
Agenda
• Common challenges with managing traffic inside Kubernetes
• Controlling ingress/egress traffic with a single configuration
• Choosing the right solution depending on your requirements
• Live demo
• Q&A

What we see in the market
KUBERNETES-CENTRIC PERSPECTIVE
Kubernetes becoming platform for developing, testing and running applications
• Applications are becoming ephemeral by nature
• This brings limitations to Layer 4 Kubernetes Networking
• NGINX provides L5-7 networking policies as an alternative to IP addresses
Cybersecurity is an ever-growing, ever-complicating field
• Traditional firewalls and antivirus security are irrelevant or obsolete.
• Data breaches on the rise and will continue to rise throughout 2021.
Adoption of managed and commercial Kubernetes platforms
• We see rapid adoption of OpenShift and Rancher in the private cloud space
• EKS and GKE adoption in public cloud

But K8s Adoption Brings Complexity
MY FAVORITE ARTICLE TITLES
• “‘Let’s Use Kubernetes!’ Now You Have 8 Problems”
• “Will Complexity Kill Kubernetes?”
• “Has Kubernetes Already Become Too Unnecessarily Complex for Enterprise IT?”
• “Why Kubernetes Networking Is Hard – And What You Can Do About It”

Networking: K8s, L4-L7
WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH?
• K8s, and CNI, provides L4 servicing – IP endpoints
  • Many, complex options
  • https://kubernetes.io/docs/concepts/cluster-administration/networking/
• L7 Traffic Management is missing
  • Policy-based routing
  • Service-level access control
  • SSL/mTLS enforcement
  • Integrated Ingress/Egress
• Enter: KIC + Service Mesh – Taking control of Kubernetes networking

Controlling ingress/egress traffic with NGINX KIC + Service Mesh
CONFIDENTIAL

Integrated N/S Ingress/Egress
• N/S as a core feature
• Ingress/egress traffic treated as S2S service traffic
• Full integration with service IdP and SSL key store
• mTLS for ingress/egress
• Egress name service support
• Egress opt-in allowlist
• Sidecar “default route” to Ingress Controller

Ingress/Egress mTLS (KIC)
POLICIES
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: egress-mtls-policy
spec:
  egressMTLS:
    tlsSecret: egress-mtls-secret
    trustedCertSecret: egress-trusted-ca-secret
    verifyServer: on
    serverName: on
    sslName: secure-app.example.com
---
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: ingress-mtls-secret
    verifyClient: "on"
    verifyDepth: 1

Applying Ingress/Egress policies to the IC
VIRTUALSERVER
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  ...
  policies:
  - name: ingress-mtls-policy-cafe
  - name: egress-mtls-policy-cafe
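An added example, not part of the original slides and not NGINX's own code: a small audit that flags mTLS Policy resources with verification relaxed and VirtualServer policy references that match no defined Policy. It assumes the resources are available in the JSON form of `kubectl get policies,virtualservers -o json`, that verifyServer is stored as a boolean, and that a missing namespace means "default"; the sample data is constructed.

```python
import json

# Constructed sample (not from the page): the slides' resources in the JSON form
# returned by `kubectl get policies,virtualservers -o json`, with verifyServer
# turned off in the egress policy so the audit has something to report.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Policy", "metadata": {"name": "egress-mtls-policy", "namespace": "default"},
  "spec": {"egressMTLS": {"tlsSecret": "egress-mtls-secret", "verifyServer": false}}},
 {"kind": "Policy", "metadata": {"name": "ingress-mtls-policy", "namespace": "default"},
  "spec": {"ingressMTLS": {"clientCertSecret": "ingress-mtls-secret",
                           "verifyClient": "on", "verifyDepth": 1}}},
 {"kind": "VirtualServer", "metadata": {"name": "app", "namespace": "default"},
  "spec": {"host": "app.example.com",
           "policies": [{"name": "ingress-mtls-policy-cafe"},
                        {"name": "egress-mtls-policy-cafe"}]}}
]}
""")

def audit(items):
    """Return sorted findings for weak mTLS policies and dangling policy references."""
    findings = []
    defined = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"])
               for i in items if i.get("kind") == "Policy"}
    for item in items:
        ns = item["metadata"].get("namespace", "default")
        who = f'{ns}/{item["metadata"]["name"]}'
        spec = item.get("spec", {})
        if item.get("kind") == "Policy":
            egress, ingress = spec.get("egressMTLS"), spec.get("ingressMTLS")
            if egress is not None and egress.get("verifyServer") is not True:
                findings.append(f"{who}: egress server certificate is not verified")
            elif egress is not None and not egress.get("trustedCertSecret"):
                findings.append(f"{who}: verifyServer is on but no trustedCertSecret is set")
            # verifyClient defaults to "on"; any other value lets unverified clients through.
            if ingress is not None and ingress.get("verifyClient", "on") != "on":
                findings.append(f"{who}: client certificates are not strictly required")
        elif item.get("kind") == "VirtualServer":
            refs = list(spec.get("policies", []))
            for route in spec.get("routes", []):  # policies may also be set per route
                refs += route.get("policies", [])
            for ref in refs:
                target = f'{ref.get("namespace", ns)}/{ref["name"]}'
                if tuple(target.split("/", 1)) not in defined:
                    findings.append(f"{who}: references undefined policy {target}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE["items"])))
```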

Applying Ingress HTTP header manipulation
VIRTUALSERVER
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
  - name: app
    service: app-svc
    port: 80
  routes:
  - path: /
    action:
      proxy:
        upstream: app
        requestHeaders:
          pass: true
          set:
          - name: Content-Type
            value: application/json

Applying Egress HTTP header manipulation
VIRTUALSERVER
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
  - name: app
    service: app-svc
    port: 80
  routes:
  - path: /
    action:
      proxy:
        upstream: app
        responseHeaders:
          add:
          - name: Access-Control-Allow-Origin
            value: "*"
            always: true
          hide:
          - x-internal-version
          ignore:
          - Expires
          - Set-Cookie

Advanced App Centric Configuration

Data Plane / Control Plane

Bookinfo demo

Get Started Today!
• Download NGINX Service Mesh for free: https://downloads.f5.com
• Get Started with the NGINX Ingress Controller: https://github.com/nginxinc/kubernetes-ingress
• Get a free trial of NGINX Plus Ingress Controller: https://www.nginx.com/free-trial-request-nginx-ingress-controller/

Q&A
Contact Us:
Amir Rawdat: [email protected]
NGINX: [email protected]