SlideShare a Scribd company logo

Control Kubernetes Ingress and Egress Together with NGINX

Download as PPTX, PDF
N
NGINX, Inc.

The document discusses the challenges of managing ingress and egress traffic in Kubernetes, proposing solutions using NGINX ingress resources and service mesh for improved networking capabilities. It highlights the limitations of traditional Kubernetes ingress resources and offers advanced features for traffic control and security. Additionally, it emphasizes the growing complexity associated with Kubernetes adoption and the importance of agile deployment practices.

Technology
1 of 27
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Control Ingress and Egress traffic in Kubernetes with NGINX Amir Rawdat Technical Marketing Engineer, NGINX
| ©2020 F5 2 Agenda • Common challenges with managing traffic inside Kubernetes • Moving away from annotations with NGINX Ingress Resources • Enhancing troubleshooting and logging • Controlling ingress/egrees traffic with a single configuration • Enabling agile deployments and maintaining uptime • Going even further with NGINX Service Mesh • Q&A
| ©2020 F5 3 Kubernetes becoming platform for developing, testing and running applications Applications are becoming ephemeral by nature This brings limitations to Layer 4 Kubernetes Networking NGINX provides L5-7 networking policies as an alternative to IP addresses Cybersecurity is an ever- growing, ever-complicating field Traditional firewalls and anti virus security is irrelevant or obsolete. Data breaches on the rise and will continue to rise throughout 2021. What we see in the market KUBERNETES-CENTRIC PERSPECTIVE SOURCE: INFORMATION EXAMPLE Adoption of managed and commercial Kubernetes platforms We see rapid adoption of OpenShift and Rancher in the private cloud space EKS and GKE adoption in public cloud
| ©2020 F5 4 MY FAVORITE ARTICLE TITLES But K8s Adoption Brings Complexity “Let’s Use Kubernetes!”N ow You Have 8 Problems” ”Will Complexity Kill Kubernetes?” “Has Kubernetes Already Become To Unnecessarily Complex for Enterprise IT?” ”Why Kubernetes Networking Is Hard – And What You Can Do About It”
| ©2020 F5 5 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? Networking: K8s, L4-L7 • K8s, and CNI, provides L4 servicing – IP endpoints • Many, complex options • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • L7 Traffic Management is missing • Policy-based routing • Service-level access control • SSL/mTLS enforcement • Integrated Ingress/Egress • Enter: KIC + Service Mesh – Taking control of Kubernetes networking
| ©2020 F5 6 Controlling ingress/egress traffic with NGINX KIC CONFIDENTIAL
| ©2020 F5 7 Problems with Ingress Resources Confidential – Do Not Distribute • Kubernetes Ingress resources are limited to basic SSL/TLS and HTTP load balancing • Configuration can be further customized with Annotations, ConfigMaps, and templates • Global scoped and not fine grained • Very error prone • Difficult to pint point validation errors
| ©2020 F5 8 NGINX Ingress Resources Confidential – Do Not Distribute • Native Type-Safe Configuration • Provides advanced app delivery features with native Kubernetes workflow. • Increased modularity and reusability • Finer grained multi-tenancy with NGINX cross-namespacing
| ©2020 F5 9 apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: egress-mtls-policy spec: egressMTLS: tlsSecret: egress-mtls-secret trustedCertSecret: egress-trusted-ca-secret verifyServer: on serverName: on sslName: secure-app.example.com apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: ingress-mtls-policy spec: ingressMTLS: clientCertSecret: ingress-mtls-secret verifyClient: "on" verifyDepth: 1 Ingress/Egress mTLS (KIC) POLICIES
| ©2020 F5 10 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com ... policies: -name: ingress-mtls-policy-cafe -name: egress-mtls-policy-cafe apiVersion: k8s.nginx.org/v1 kind: VirtualServerRoute metadata: name: app spec: host: app.example.com subroutes - path: /admin/portal/console policies: - name: ingress-mtls-policy-cafe - name: egress-mtls-policy-cafe Applying Ingress/Egress policies to the IC VIRTUALSERVER & VIRTUALSERVERROUTE
| ©2020 F5 11 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app requestHeaders: pass: true set: - name: Content-Type value: application/json VIRTUALSERVER Applying Ingress HTTP header manipulation
| ©2020 F5 12 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app responseHeaders: add: - name: Access-Control-Allow-Origin value: "*" always: true hide: - x-internal-version ignore: - Expires - Set-Cookie VIRTUALSERVER Applying Egress HTTP header manipulation
| ©2020 F5 13 Agile Deployments using Sophisticated Routing CONFIDENTIAL
| ©2020 F5 14 CONFIDENTIAL Agile deployments using Advanced Routing TOPOLOGY
| ©2020 F5 15 kind: VirtualServer metadata: name: cafe spec: host: cafe.example.com upstreams: - name: app-edge service: app-edge-svc port: 80 - name: app-stable service: app-stable-svc port: 80 routes: - path: / matches: - conditions: - cookie: session value: suxxis-12hs6dds-dhfgry-ssss action: pass: app-edge action: pass: app-stable CONFIDENTIAL Debug Routing VIRTUALSERVER
| ©2020 F5 16 kind: VirtualServer metadata: name: cafe spec: host: app.example.com upstreams: - name: products-v2 service: products-v2-svc port: 80 - name: products-v1 service: products-v1-svc port: 80 routes: - path: /products splits: - weight: 90 action: pass: products-v1 - weight: 10 action: pass: products-v2 CONFIDENTIAL A/B testing and Blue-Green Deployments VIRTUALSERVER
| ©2020 F5 17 Protecting your Kubernetes Apps from Vulnerabilities and Attacks CONFIDENTIAL
| ©2020 F5 18  Consolidating the NGINX Ingress Controller with a battle tested WAF  Configuration is fully managed by the Kubernetes API  Leverage Kubernetes RBAC to securely delegate WAF configurations to a dedicated DevSecOps team  Block unrecognized threats with user defined signatures WAF CONFIDENTIAL Blocking Threats with NGINX App Protect
| ©2020 F5 19 CONFIDENTIAL Blocking Threats with NGINX App Protect SECURE PERIMETER FOR YOUR APPLICATIONS IN KUBERNETES
| ©2020 F5 20 AdvancedApp Centric Configuration Confidential – Do Not Distribute
| ©2020 F5 21 Going Even Further with NGINX Service Mesh CONFIDENTIAL
| ©2020 F5 22 Data Plane Control Plane
| ©2020 F5 23 Bookinfo demo Confidential – Do Not Distribute
| ©2020 F5 24 What DoesAService Mesh Do? Service Mesh controls communications between pods and external apps Secure Traffic End-to-end encryption (Mutual TLS / mTLS), ACLs Manage All Service Traffic Load Balance, Circuit breaker, B|G, Rate Limiting… Orchestration Injection and sidecar management, K8s API integration Measure Traffic Generate transaction traces and real-time monitoring
| ©2020 F5 25 WhenAm I Ready ForAService Mesh?  You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)  You are fully invested in Kubernetes  You are deploying frequently to production (at least once per day)  You have a zero-trust production environment (so need mTLS)  You need/want additional visibility of container traffic interaction
| ©2020 F5 26  Get Started with the NGINX Ingress Controller -- https://github.com/nginxinc/kubernetes-ingress  Get a free trial of NGINX Plus Ingress Controller -- https://www.nginx.com/free-trial- request-nginx-ingress-controller/ § OPEN TALK: Securing and Managing K8s Apps with Ease: NGINX Service Mesh § Download NGINX Service Mesh for free -- https://downloads.f5.com Get Started Today !!
Q&A Contact Us: Amir Rawdat: a.rawdat@f5.com NGINX: sales@nginx.com

More Related Content

PDF
Istio : Service Mesh
Knoldus Inc.
 
PPTX
Introduction to product development flow
Yuval Yeret
 
PPTX
Kubernetes
Henry He
 
PDF
Gain Better Observability with OpenTelemetry and InfluxDB
InfluxData
 
PDF
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Sunnyvale
 
PDF
Helm - Application deployment management for Kubernetes
Alexei Ledenev
 
PDF
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Karan Singh
 
PDF
ArgoCD Meetup PPT final.pdf
amanmakwana3
 
Istio : Service Mesh
Knoldus Inc.
 
Introduction to product development flow
Yuval Yeret
 
Kubernetes
Henry He
 
Gain Better Observability with OpenTelemetry and InfluxDB
InfluxData
 
Kubernetes GitOps featuring GitHub, Kustomize and ArgoCD
Sunnyvale
 
Helm - Application deployment management for Kubernetes
Alexei Ledenev
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Karan Singh
 
ArgoCD Meetup PPT final.pdf
amanmakwana3
 

What's hot (20)

PPTX
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
PPTX
Manchester MuleSoft Meetup #6 - Runtime Fabric with Mulesoft
Akshata Sawant
 
PDF
Designing a complete ci cd pipeline using argo events, workflow and cd products
Julian Mazzitelli
 
PDF
Ceph Tech Talk: Ceph at DigitalOcean
Ceph Community
 
PDF
stackconf 2022: Open Source for Better Observability
NETWAYS
 
PDF
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
SlideTeam
 
PDF
Gain Deep Visibility into APIs and Integrations with Anypoint Monitoring
InfluxData
 
PDF
Containers: The What, Why, and How
Sneha Inguva
 
PDF
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
SlideTeam
 
PDF
Platform Engineering
Opsta
 
PPTX
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Vietnam Open Infrastructure User Group
 
PPTX
Kubernetes Basics
Antonin Stoklasek
 
PDF
Red Hat OpenShift Operators - Operators ABC
Robert Bohne
 
PDF
Flow Base Programming with Node-RED and Functional Reactive Programming with ...
Sven Beauprez
 
PDF
Terraform introduction
Jason Vance
 
PDF
Exploring the power of OpenTelemetry on Kubernetes
Red Hat Developers
 
PDF
Cncf checkov and bridgecrew
LibbySchulze
 
PDF
Introduction to Kubernetes with demo
Opsta
 
PPTX
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
Redis Labs
 
PPTX
OpenTelemetry For Architects
Kevin Brockhoff
 
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
Manchester MuleSoft Meetup #6 - Runtime Fabric with Mulesoft
Akshata Sawant
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Julian Mazzitelli
 
Ceph Tech Talk: Ceph at DigitalOcean
Ceph Community
 
stackconf 2022: Open Source for Better Observability
NETWAYS
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
SlideTeam
 
Gain Deep Visibility into APIs and Integrations with Anypoint Monitoring
InfluxData
 
Containers: The What, Why, and How
Sneha Inguva
 
Kubernetes Docker Container Implementation Ppt PowerPoint Presentation Slide ...
SlideTeam
 
Platform Engineering
Opsta
 
Bare Metal Cluster with Kubernetes, Istio and Metallb | Nguyen Phuong An, Ngu...
Vietnam Open Infrastructure User Group
 
Kubernetes Basics
Antonin Stoklasek
 
Red Hat OpenShift Operators - Operators ABC
Robert Bohne
 
Flow Base Programming with Node-RED and Functional Reactive Programming with ...
Sven Beauprez
 
Terraform introduction
Jason Vance
 
Exploring the power of OpenTelemetry on Kubernetes
Red Hat Developers
 
Cncf checkov and bridgecrew
LibbySchulze
 
Introduction to Kubernetes with demo
Opsta
 
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
Redis Labs
 
OpenTelemetry For Architects
Kevin Brockhoff
 
Ad

Similar to Control Kubernetes Ingress and Egress Together with NGINX (20)

PPTX
Production-Grade Kubernetes With NGINX Ingress Controller
NGINX, Inc.
 
PDF
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
PDF
Deploying NGINX in Cloud Native Kubernetes
Kangaroot
 
PPTX
Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
Olivia LaMar
 
PDF
Securing Your Apps & APIs in the Cloud
Olivia LaMar
 
PDF
Get the Most Out of Kubernetes with NGINX
NGINX, Inc.
 
PDF
Relevez les défis Kubernetes avec NGINX
NGINX, Inc.
 
PDF
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
PPTX
F5 and HashiCorp Multi-Cloud
abenyeung1
 
PDF
Nginx app protect-for-meetup-v1.0-202006_lk
Juraj Hantak
 
PDF
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
NGINX, Inc.
 
PDF
Secure Your Kubernetes Apps from Attacks with NGINX
NGINX, Inc.
 
PPTX
Gain multi-cloud versatility with software load balancing designed for cloud-...
Ashnikbiz
 
PDF
From Code to Customer with F5 and NGNX London Nov 19
NGINX, Inc.
 
PDF
What's New with NGINX Application Security Solutions
NGINX, Inc.
 
PDF
IDM Crack 2025 Internet Download Manger Patch
wistrendugftr
 
PDF
IObit Uninstaller Pro Crack 13.2.0.5 + Key Download 2025
maharajput103
 
PDF
Movavi Screen Recorder Studio 22.5.2 Crack
aladdinkhana47
 
PPTX
Migrating from BIG-IP Deployment to NGINX ADC
NGINX, Inc.
 
PDF
Call of Duty: Warzone for Windows With Crack Free Download 2025
Iobit Uninstaller Pro Crack
 
Production-Grade Kubernetes With NGINX Ingress Controller
NGINX, Inc.
 
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
Deploying NGINX in Cloud Native Kubernetes
Kangaroot
 
Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
Olivia LaMar
 
Securing Your Apps & APIs in the Cloud
Olivia LaMar
 
Get the Most Out of Kubernetes with NGINX
NGINX, Inc.
 
Relevez les défis Kubernetes avec NGINX
NGINX, Inc.
 
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
F5 and HashiCorp Multi-Cloud
abenyeung1
 
Nginx app protect-for-meetup-v1.0-202006_lk
Juraj Hantak
 
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
NGINX, Inc.
 
Secure Your Kubernetes Apps from Attacks with NGINX
NGINX, Inc.
 
Gain multi-cloud versatility with software load balancing designed for cloud-...
Ashnikbiz
 
From Code to Customer with F5 and NGNX London Nov 19
NGINX, Inc.
 
What's New with NGINX Application Security Solutions
NGINX, Inc.
 
IDM Crack 2025 Internet Download Manger Patch
wistrendugftr
 
IObit Uninstaller Pro Crack 13.2.0.5 + Key Download 2025
maharajput103
 
Movavi Screen Recorder Studio 22.5.2 Crack
aladdinkhana47
 
Migrating from BIG-IP Deployment to NGINX ADC
NGINX, Inc.
 
Call of Duty: Warzone for Windows With Crack Free Download 2025
Iobit Uninstaller Pro Crack
 
Ad

More from NGINX, Inc. (20)

PDF
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
NGINX, Inc.
 
PDF
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
NGINX, Inc.
 
PDF
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
NGINX, Inc.
 
PPTX
Get Hands-On with NGINX and QUIC+HTTP/3
NGINX, Inc.
 
PPTX
Managing Kubernetes Cost and Performance with NGINX & Kubecost
NGINX, Inc.
 
PDF
Manage Microservices Chaos and Complexity with Observability
NGINX, Inc.
 
PDF
Accelerate Microservices Deployments with Automation
NGINX, Inc.
 
PDF
Unit 2: Microservices Secrets Management 101
NGINX, Inc.
 
PDF
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
NGINX, Inc.
 
PDF
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX, Inc.
 
PDF
Easily View, Manage, and Scale Your App Security with F5 NGINX
NGINX, Inc.
 
PDF
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINX, Inc.
 
PDF
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
NGINX, Inc.
 
PPTX
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
NGINX, Inc.
 
PPTX
Protecting Apps from Hacks in Kubernetes with NGINX
NGINX, Inc.
 
PPTX
NGINX Kubernetes API
NGINX, Inc.
 
PPTX
Successfully Implement Your API Strategy with NGINX
NGINX, Inc.
 
PPTX
Installing and Configuring NGINX Open Source
NGINX, Inc.
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
NGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
NGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
NGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
NGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
NGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
NGINX, Inc.
 
Accelerate Microservices Deployments with Automation
NGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
NGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
NGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
NGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
NGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
NGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
NGINX, Inc.
 
NGINX Kubernetes API
NGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
NGINX, Inc.
 
Installing and Configuring NGINX Open Source
NGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 

Recently uploaded (20)

PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Teaching material agriculture food technology
LiaRayya
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

Control Kubernetes Ingress and Egress Together with NGINX

  • 1. Control Ingress and Egress traffic in Kubernetes with NGINX Amir Rawdat Technical Marketing Engineer, NGINX
  • 2. | ©2020 F5 2 Agenda • Common challenges with managing traffic inside Kubernetes • Moving away from annotations with NGINX Ingress Resources • Enhancing troubleshooting and logging • Controlling ingress/egrees traffic with a single configuration • Enabling agile deployments and maintaining uptime • Going even further with NGINX Service Mesh • Q&A
  • 3. | ©2020 F5 3 Kubernetes becoming platform for developing, testing and running applications Applications are becoming ephemeral by nature This brings limitations to Layer 4 Kubernetes Networking NGINX provides L5-7 networking policies as an alternative to IP addresses Cybersecurity is an ever- growing, ever-complicating field Traditional firewalls and anti virus security is irrelevant or obsolete. Data breaches on the rise and will continue to rise throughout 2021. What we see in the market KUBERNETES-CENTRIC PERSPECTIVE SOURCE: INFORMATION EXAMPLE Adoption of managed and commercial Kubernetes platforms We see rapid adoption of OpenShift and Rancher in the private cloud space EKS and GKE adoption in public cloud
  • 4. | ©2020 F5 4 MY FAVORITE ARTICLE TITLES But K8s Adoption Brings Complexity “Let’s Use Kubernetes!”N ow You Have 8 Problems” ”Will Complexity Kill Kubernetes?” “Has Kubernetes Already Become To Unnecessarily Complex for Enterprise IT?” ”Why Kubernetes Networking Is Hard – And What You Can Do About It”
  • 5. | ©2020 F5 5 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? Networking: K8s, L4-L7 • K8s, and CNI, provides L4 servicing – IP endpoints • Many, complex options • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • L7 Traffic Management is missing • Policy-based routing • Service-level access control • SSL/mTLS enforcement • Integrated Ingress/Egress • Enter: KIC + Service Mesh – Taking control of Kubernetes networking
  • 6. | ©2020 F5 6 Controlling ingress/egress traffic with NGINX KIC CONFIDENTIAL
  • 7. | ©2020 F5 7 Problems with Ingress Resources Confidential – Do Not Distribute • Kubernetes Ingress resources are limited to basic SSL/TLS and HTTP load balancing • Configuration can be further customized with Annotations, ConfigMaps, and templates • Global scoped and not fine grained • Very error prone • Difficult to pint point validation errors
  • 8. | ©2020 F5 8 NGINX Ingress Resources Confidential – Do Not Distribute • Native Type-Safe Configuration • Provides advanced app delivery features with native Kubernetes workflow. • Increased modularity and reusability • Finer grained multi-tenancy with NGINX cross-namespacing
  • 9. | ©2020 F5 9 apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: egress-mtls-policy spec: egressMTLS: tlsSecret: egress-mtls-secret trustedCertSecret: egress-trusted-ca-secret verifyServer: on serverName: on sslName: secure-app.example.com apiVersion: k8s.nginx.org/v1alpha1 kind: Policy metadata: name: ingress-mtls-policy spec: ingressMTLS: clientCertSecret: ingress-mtls-secret verifyClient: "on" verifyDepth: 1 Ingress/Egress mTLS (KIC) POLICIES
  • 10. | ©2020 F5 10 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com ... policies: -name: ingress-mtls-policy-cafe -name: egress-mtls-policy-cafe apiVersion: k8s.nginx.org/v1 kind: VirtualServerRoute metadata: name: app spec: host: app.example.com subroutes - path: /admin/portal/console policies: - name: ingress-mtls-policy-cafe - name: egress-mtls-policy-cafe Applying Ingress/Egress policies to the IC VIRTUALSERVER & VIRTUALSERVERROUTE
  • 11. | ©2020 F5 11 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app requestHeaders: pass: true set: - name: Content-Type value: application/json VIRTUALSERVER Applying Ingress HTTP header manipulation
  • 12. | ©2020 F5 12 apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: app spec: host: app.example.com upstreams: - name: app service: app-svc port: 80 routes: - path: / action: proxy: upstream: app responseHeaders: add: - name: Access-Control-Allow-Origin value: "*" always: true hide: - x-internal-version ignore: - Expires - Set-Cookie VIRTUALSERVER Applying Egress HTTP header manipulation
  • 13. | ©2020 F5 13 Agile Deployments using Sophisticated Routing CONFIDENTIAL
  • 14. | ©2020 F5 14 CONFIDENTIAL Agile deployments using Advanced Routing TOPOLOGY
  • 15. | ©2020 F5 15 kind: VirtualServer metadata: name: cafe spec: host: cafe.example.com upstreams: - name: app-edge service: app-edge-svc port: 80 - name: app-stable service: app-stable-svc port: 80 routes: - path: / matches: - conditions: - cookie: session value: suxxis-12hs6dds-dhfgry-ssss action: pass: app-edge action: pass: app-stable CONFIDENTIAL Debug Routing VIRTUALSERVER
  • 16. | ©2020 F5 16 kind: VirtualServer metadata: name: cafe spec: host: app.example.com upstreams: - name: products-v2 service: products-v2-svc port: 80 - name: products-v1 service: products-v1-svc port: 80 routes: - path: /products splits: - weight: 90 action: pass: products-v1 - weight: 10 action: pass: products-v2 CONFIDENTIAL A/B testing and Blue-Green Deployments VIRTUALSERVER
  • 17. | ©2020 F5 17 Protecting your Kubernetes Apps from Vulnerabilities and Attacks CONFIDENTIAL
  • 18. | ©2020 F5 18  Consolidating the NGINX Ingress Controller with a battle tested WAF  Configuration is fully managed by the Kubernetes API  Leverage Kubernetes RBAC to securely delegate WAF configurations to a dedicated DevSecOps team  Block unrecognized threats with user defined signatures WAF CONFIDENTIAL Blocking Threats with NGINX App Protect
  • 19. | ©2020 F5 19 CONFIDENTIAL Blocking Threats with NGINX App Protect SECURE PERIMETER FOR YOUR APPLICATIONS IN KUBERNETES
  • 20. | ©2020 F5 20 AdvancedApp Centric Configuration Confidential – Do Not Distribute
  • 21. | ©2020 F5 21 Going Even Further with NGINX Service Mesh CONFIDENTIAL
  • 22. | ©2020 F5 22 Data Plane Control Plane
  • 23. | ©2020 F5 23 Bookinfo demo Confidential – Do Not Distribute
  • 24. | ©2020 F5 24 What DoesAService Mesh Do? Service Mesh controls communications between pods and external apps Secure Traffic End-to-end encryption (Mutual TLS / mTLS), ACLs Manage All Service Traffic Load Balance, Circuit breaker, B|G, Rate Limiting… Orchestration Injection and sidecar management, K8s API integration Measure Traffic Generate transaction traces and real-time monitoring
  • 25. | ©2020 F5 25 WhenAm I Ready ForAService Mesh?  You have a mature, fully-automated CI/CD pipeline (GitOps-enabled)  You are fully invested in Kubernetes  You are deploying frequently to production (at least once per day)  You have a zero-trust production environment (so need mTLS)  You need/want additional visibility of container traffic interaction
  • 26. | ©2020 F5 26  Get Started with the NGINX Ingress Controller -- https://github.com/nginxinc/kubernetes-ingress  Get a free trial of NGINX Plus Ingress Controller -- https://www.nginx.com/free-trial- request-nginx-ingress-controller/ § OPEN TALK: Securing and Managing K8s Apps with Ease: NGINX Service Mesh § Download NGINX Service Mesh for free -- https://downloads.f5.com Get Started Today !!
  • 27. Q&A Contact Us: Amir Rawdat: a.rawdat@f5.com NGINX: sales@nginx.com

Editor's Notes

  • #4: Cybersecurity is an ever-growing, ever-complicating field Authentication is enforced independent of IP addresses Both the client and server before connections are accepted.   Broader shift away from perimeter focused, firewall-based security to where security is everywhere and is based on identity (such as identity of applications sharing or requesting information) 
  • #7: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
  • #14: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
  • #18: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
  • #22: While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
  • #26: If you can’t say “yes” to these six checkpoints, you’ll not benefit from a services mesh yet. Complexity of application: IDC report “Vendors Stake Out Positions in Emerging Istio Service Mesh Landscape" Aspen Mesh believes cloud-native environments with more than 20 services reach a point of complexity at which services meshes, such as Istio, become increasingly necessary IBM believes it becomes difficult to manage a microservices network when customers reach a threshold of 25 microservices.