Control Kubernetes Ingress and Egress Together with NGINX

Nginx 562 views 27 slides Feb 23, 2021

About This Presentation

Join our resident Kubernetes and modern apps experts in a discussion of the challenges of Kubernetes traffic management in today’s technology landscape. While Kubernetes Ingress gets most of the attention, how you handle egress traffic is just as important. Egress isn’t just about traffic leavin...


Slide Content

Control Ingress and Egress traffic in Kubernetes with NGINX
Amir Rawdat, Technical Marketing Engineer, NGINX

Agenda
- Common challenges with managing traffic inside Kubernetes
- Moving away from annotations with NGINX Ingress Resources
- Enhancing troubleshooting and logging
- Controlling ingress/egress traffic with a single configuration
- Enabling agile deployments and maintaining uptime
- Going even further with NGINX Service Mesh
- Q&A

What we see in the market (Kubernetes-centric perspective)
- Kubernetes is becoming the platform for developing, testing and running applications
- Applications are becoming ephemeral by nature
- This brings limitations to Layer 4 Kubernetes networking
- NGINX provides L5-7 networking policies as an alternative to IP addresses
- Cybersecurity is an ever-growing, ever-complicating field
- Traditional firewalls and antivirus security are irrelevant or obsolete
- Data breaches are on the rise and will continue to rise throughout 2021
- Adoption of managed and commercial Kubernetes platforms: we see rapid adoption of OpenShift and Rancher in the private cloud space, and EKS and GKE adoption in public cloud

My Favorite Article Titles: But K8s Adoption Brings Complexity
- "Let's Use Kubernetes! Now You Have 8 Problems"
- "Will Complexity Kill Kubernetes?"
- "Has Kubernetes Already Become Too Unnecessarily Complex for Enterprise IT?"
- "Why Kubernetes Networking Is Hard – And What You Can Do About It"

What's missing in K8s, and what do you really want and need from a mesh?
- Networking (K8s, L4-L7): K8s with a CNI provides L4 servicing (IP endpoints), with many complex options: https://kubernetes.io/docs/concepts/cluster-administration/networking/
- L7 traffic management is missing: policy-based routing, service-level access control, SSL/mTLS enforcement, integrated ingress/egress
- Enter: KIC + Service Mesh, taking control of Kubernetes networking

Controlling ingress/egress traffic with NGINX KIC

Problems with Ingress Resources
- Kubernetes Ingress resources are limited to basic SSL/TLS and HTTP load balancing
- Configuration can be further customized with Annotations, ConfigMaps, and templates
- Globally scoped and not fine-grained
- Very error prone
- Difficult to pinpoint validation errors

NGINX Ingress Resources
- Native type-safe configuration
- Provides advanced app delivery features with a native Kubernetes workflow
- Increased modularity and reusability
- Finer-grained multi-tenancy with NGINX cross-namespacing

Ingress/Egress mTLS (KIC) Policies

apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: egress-mtls-policy
spec:
  egressMTLS:
    tlsSecret: egress-mtls-secret              # client cert/key KIC presents to the upstream
    trustedCertSecret: egress-trusted-ca-secret # CA used to verify the upstream's certificate
    verifyServer: true                          # boolean field (YAML "on" also parses as true)
    serverName: true                            # send SNI to the upstream
    sslName: secure-app.example.com             # name to verify/send instead of the upstream name
---
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: ingress-mtls-secret       # CA used to verify client certificates
    verifyClient: "on"                          # string field: on | off | optional | optional_no_ca
    verifyDepth: 1

Applying Ingress/Egress policies to the VirtualServer & VirtualServerRoute

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  ...
  policies:
  - name: ingress-mtls-policy-cafe
  - name: egress-mtls-policy-cafe

apiVersion: k8s.nginx.org/v1
kind: VirtualServerRoute
metadata:
  name: app
spec:
  host: app.example.com
  ...
  subroutes:
  - path: /admin/portal/console
    policies:
    - name: ingress-mtls-policy-cafe
    - name: egress-mtls-policy-cafe
    ...

VirtualServer: applying ingress HTTP header manipulation

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
  - name: app
    service: app-svc
    port: 80
  routes:
  - path: /
    action:
      proxy:
        upstream: app
        requestHeaders:
          pass: true
          set:
          - name: Content-Type
            value: application/json

VirtualServer: applying egress HTTP header manipulation

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
  - name: app
    service: app-svc
    port: 80
  routes:
  - path: /
    action:
      proxy:
        upstream: app
        responseHeaders:
          add:
          - name: Access-Control-Allow-Origin
            value: "*"
            always: true
          hide:
          - x-internal-version
          ignore:
          - Expires
          - Set-Cookie

Agile Deployments using Sophisticated Routing

Agile deployments using advanced routing topology (diagram)

Debug routing (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: cafe.example.com
  upstreams:
  - name: app-edge
    service: app-edge-svc
    port: 80
  - name: app-stable
    service: app-stable-svc
    port: 80
  routes:
  - path: /
    matches:
    - conditions:
      - cookie: session
        value: suxxis-12hs6dds-dhfgry-ssss
      action:
        pass: app-edge      # requests carrying the debug cookie go to the edge build
    action:
      pass: app-stable      # default action for everyone else

A/B testing and blue-green deployments (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: app.example.com
  upstreams:
  - name: products-v2
    service: products-v2-svc
    port: 80
  - name: products-v1
    service: products-v1-svc
    port: 80
  routes:
  - path: /products
    splits:               # weights must sum to 100
    - weight: 90
      action:
        pass: products-v1
    - weight: 10
      action:
        pass: products-v2
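The slides above note that Ingress validation errors are hard to pinpoint; the following added example (not from the deck or the NGINX project) lints the VirtualServer and Policy manifests shown above, held as the dicts a YAML loader would return, for undeclared upstreams, split weights not summing to 100, matches with no action, and policy entries that are malformed (the "-name:" typo) or name no Policy object. `lint_virtualserver` and the sample manifests are hypothetical and constructed here.

```python
# Added example: lint NGINX Ingress Controller VirtualServer dicts (the shape
# yaml.safe_load returns) for errors that are hard to pinpoint by hand.
# Hypothetical helper, not part of the NGINX Ingress Controller.

def lint_virtualserver(vs, policies=()):
    """Return a list of problem strings; an empty list means the manifest passes."""
    problems, spec = [], vs.get("spec", {})
    upstreams = {u["name"] for u in spec.get("upstreams", [])}
    known = {p["metadata"]["name"] for p in policies}
    for pol in spec.get("policies", []):  # "-name:" (no space) is a key, not a list item
        name = pol.get("name") if isinstance(pol, dict) else None
        if name is None:
            problems.append(f"malformed policy entry {pol!r}")
        elif name not in known:
            problems.append(f"policy {name!r} names no Policy object")
    for route in spec.get("routes", []):
        path = route.get("path", "?")
        actions = [route["action"]] if "action" in route else []
        actions += [m.get("action") for m in route.get("matches", []) + route.get("splits", [])]
        for act in actions:
            if act is None:
                problems.append(f"{path}: match or split without an action")
            else:
                target = act.get("pass") or act.get("proxy", {}).get("upstream")
                if target and target not in upstreams:
                    problems.append(f"{path}: upstream {target!r} is not declared")
        weights = [s.get("weight", 0) for s in route.get("splits", [])]
        if weights and sum(weights) != 100:
            problems.append(f"{path}: split weights sum to {sum(weights)}, not 100")
    return problems


# Constructed samples: the slides' 90/10 products split (valid), and a broken manifest
# with the "-name:" typo, a match without an action, an undeclared upstream and weights of 110.
GOOD_VS = {"kind": "VirtualServer", "metadata": {"name": "cafe"}, "spec": {
    "host": "app.example.com", "policies": [{"name": "ingress-mtls-policy"}],
    "upstreams": [{"name": "products-v1", "service": "products-v1-svc", "port": 80},
                  {"name": "products-v2", "service": "products-v2-svc", "port": 80}],
    "routes": [{"path": "/products", "splits": [
        {"weight": 90, "action": {"pass": "products-v1"}},
        {"weight": 10, "action": {"pass": "products-v2"}}]}]}}
MTLS_POLICY = {"kind": "Policy", "metadata": {"name": "ingress-mtls-policy"}}
BAD_VS = {"kind": "VirtualServer", "metadata": {"name": "bad"}, "spec": {
    "host": "app.example.com", "policies": {"-name": "egress-mtls-policy-cafe"},
    "upstreams": [{"name": "app", "service": "app-svc", "port": 80}],
    "routes": [{"path": "/", "matches": [{"conditions": [{"cookie": "session", "value": "x"}]}],
               "splits": [{"weight": 90, "action": {"pass": "app"}},
                          {"weight": 20, "action": {"pass": "app-v2"}}]}]}}
```

Running `lint_virtualserver(BAD_VS)` reports all four defects at once, so a misconfigured manifest can be rejected in CI before it reaches the cluster.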

Protecting your Kubernetes Apps from Vulnerabilities and Attacks

Blocking threats with NGINX App Protect (WAF)
- Consolidating the NGINX Ingress Controller with a battle-tested WAF
- Configuration is fully managed by the Kubernetes API
- Leverage Kubernetes RBAC to securely delegate WAF configuration to a dedicated DevSecOps team
- Block unrecognized threats with user-defined signatures

Blocking threats with NGINX App Protect: a secure perimeter for your applications in Kubernetes

Advanced app-centric configuration

Going Even Further with NGINX Service Mesh

Diagram: data plane and control plane

Bookinfo demo

What does a service mesh do? A service mesh controls communications between pods and external apps.
- Secure traffic: end-to-end encryption (mutual TLS / mTLS), ACLs
- Manage all service traffic: load balancing, circuit breaker, blue/green, rate limiting, ...
- Orchestration: injection and sidecar management, K8s API integration
- Measure traffic: generate transaction traces and real-time monitoring

When am I ready for a service mesh?
- You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)
- You are fully invested in Kubernetes
- You are deploying frequently to production (at least once per day)
- You have a zero-trust production environment (so you need mTLS)
- You need/want additional visibility of container traffic interaction

Get started today!
- Get started with the NGINX Ingress Controller: https://github.com/nginxinc/kubernetes-ingress
- Get a free trial of NGINX Plus Ingress Controller: https://www.nginx.com/free-trial-request-nginx-ingress-controller/
- OPEN TALK: Securing and Managing K8s Apps with Ease: NGINX Service Mesh
- Download NGINX Service Mesh for free: https://downloads.f5.com

Q&A
Contact us: Amir Rawdat: [email protected]; NGINX: [email protected]