2.
NEW DE-FACTO STANDARDS:
Growing Industry Trend: Containers and Kubernetes
APPLICATIONS
Moving from monoliths to microservices
APPLICATION DEPLOYMENTS
Moving from hardware servers or virtual machines to containers
Growing Kubernetes Adoption
o Adopted by all major industry players
– AWS, Azure, Google, VMware, Red Hat
o 10X increase in usage on Azure and GCP in the last year
o 10X increase in deployments over the last 3 years
o Deployment size increased 75% in a year
3.
Key Requirements of Modern Teams …
EFFICIENT OPERATIONS | VISIBILITY & CONTROL
o Application Security: SSL encryption, access control, attack protection and mitigation
o Analytics: faster troubleshooting, operational intelligence
o Central Management: multi-service, multi-cloud
5.
An E-Com Company: Access Control between Microservices
o For security and compliance reasons, communication between microservices must be controlled
o In the absence of logical policy enforcement, this company fell back to running isolated clusters
6.
A FinTech Company: Blind on Traffic Flow Information
o This company deploys each important microservice in a separate namespace
o Traffic between microservices across namespaces must pass through an application gateway
o Only partial information about the traffic is collected, and only at the application gateway
7.
A Media Service Company: Worried about Cost of Operations
o The sidecar deployment model (one proxy per pod) significantly increases resource requirements
o Management overhead also grows with the size of the deployment
8.
Challenges in Kubernetes Environment
o Knowledge and learning curve
o Internal (pod) and external networks are isolated
o IP addresses of pods keep changing
o No access control between microservices by default
o No application-layer visibility
o Cost of operation
10.
How to Ingress and Distribute Traffic
o Kubernetes provides kube-proxy for simple usage
• Works by programming iptables (or IPVS) rules that DNAT a Service's ClusterIP:port to a pod IP:port (Layer 3/4, no application-layer awareness)
o Implementation of advanced (Layer 7) traffic ingress is left to ecosystem vendors
11.
Keeping LB config in sync with Infrastructure
o Kubernetes replaces pods when they become unhealthy
• The replacement pod gets a new IP address, so any load balancer configured with pod IPs goes stale
o The Ingress resource is defined by Kubernetes but not implemented by it
• An Ingress controller must be supplied separately; without one, Ingress objects have no effect
12.
Security for North-South Traffic
o SSL/TLS offload
o HTTP/2
o OWASP Top 10 protection
o Malware, bad bots
o Application-layer (Layer 7) DDoS attacks
14.
Central Management for Large Deployments
[Diagram: multiple Kubernetes clusters and their nodes under central management]
16.
Distributed and Elastic Deployment Architecture
o ADC (application delivery controller) as a DaemonSet, i.e. one proxy instance per node
• Hub-spoke deployment within a node
• Active-active cluster within a namespace
o Monitoring of infrastructure
• Updates at per-pod lifecycle events
o Central controller
• Keeps all configuration in sync
17.
Access Control between Microservices
o Transparent proxy
• Automatically intercepts the traffic and enforces policy
o Policy expressed using service labels
• No IP addresses in policy, so rules survive pod rescheduling
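The decision logic behind label-based policy, as an added example rather than the vendor's proxy code: pods carry labels and (changing) IPs, rules reference only labels, and the node-local proxy evaluates each intercepted connection against those rules. The semantics follow Kubernetes NetworkPolicy (a pod selected by no policy accepts everything; once selected, only listed sources are admitted), which is why the unprotected `search` pod stays open. All pod names, labels, IPs and the single rule are constructed sample data.

```python
"""Label-based east-west access control: an added model, not the product's implementation."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str                                    # assigned by Kubernetes, changes on reschedule
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class IngressRule:
    """Allow traffic to pods matching dst_selector from pods matching src_selector."""
    namespace: str                             # rule lives here and selects dst pods here
    dst_selector: Dict[str, str]
    src_selector: Dict[str, str]
    ports: FrozenSet[int]
    src_namespace: Optional[str] = None        # None = same namespace as the destination


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based label selector: every key/value pair must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


class PolicyEngine:
    """Decision a node-local transparent proxy makes for one intercepted connection.
    Only labels are consulted; src.ip and dst.ip never appear in a rule."""

    def __init__(self, rules: List[IngressRule]):
        self.rules = rules

    def is_allowed(self, src: Pod, dst: Pod, port: int) -> bool:
        selected = False
        for rule in self.rules:
            if rule.namespace != dst.namespace or not selector_matches(rule.dst_selector, dst.labels):
                continue
            selected = True
            want_ns = rule.src_namespace or dst.namespace
            if (src.namespace == want_ns
                    and selector_matches(rule.src_selector, src.labels)
                    and port in rule.ports):
                return True
        # NetworkPolicy semantics: unselected pods accept everything (the "no access
        # control by default" problem); selected pods admit only explicit sources.
        return not selected


def demo() -> Dict[str, bool]:
    """Constructed scenario: only 'cart' may reach 'payments' on 8443."""
    rules = [
        IngressRule(namespace="shop", dst_selector={"app": "payments"},
                    src_selector={"app": "cart"}, ports=frozenset({8443})),
    ]
    engine = PolicyEngine(rules)
    cart = Pod("cart-7f9c", "shop", "10.1.0.5", {"app": "cart"})
    web = Pod("web-2b1d", "shop", "10.1.0.6", {"app": "web"})
    payments = Pod("payments-a11e", "shop", "10.1.0.9", {"app": "payments"})
    search = Pod("search-c0de", "shop", "10.1.0.12", {"app": "search"})  # no policy selects it

    results = {
        "cart->payments": engine.is_allowed(cart, payments, 8443),
        "web->payments": engine.is_allowed(web, payments, 8443),
        "cart->payments:80": engine.is_allowed(cart, payments, 80),
        "web->search(unselected)": engine.is_allowed(web, search, 8080),
    }
    # Kubernetes replaces the payments pod: new name, new IP, same labels, same policy.
    payments_new = Pod("payments-ff31", "shop", "10.2.3.4", {"app": "payments"})
    results["cart->payments(rescheduled)"] = engine.is_allowed(cart, payments_new, 8443)
    return results


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:32s} {'ALLOW' if allowed else 'DENY'}")
```

The rescheduled case is the point of the slide: the policy did not change and still applies because it never mentioned 10.1.0.9. The `search` case is the caveat: a service nobody wrote a rule for is reachable from everything, so an allow-list posture needs a policy selecting every sensitive service.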
18.
Transparent Encryption
o Intelligent SSL
• Only traffic that leaves a node (node to node) is encrypted; traffic between the node-local proxy and its pods stays in the clear, so the node itself must be trusted
o No code change
• The application service need not implement SSL/TLS itself
[Diagram: service S1 on Node 1 and service S2 on Node 2, encrypted link between the two nodes]
19.
Deployment Architecture – Distributed and Elastic
• A container-native advanced load balancer (proxy) is automatically deployed with each new node
• The Kubernetes Connector detects changes in application service scale and communicates the new config to the load balancer (proxy) via the controller
• The load balancer (proxy) connects to the controller and gets its relevant configuration automatically
• Metrics/logs flow from the load balancer (proxy) to the controller
[Diagram: Kubernetes cluster with three nodes, the Kubernetes Connector and the Central Controller]
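The control loop behind slides 11, 16 and 19 (pod replaced, IP changes, per-node proxies must not keep the stale backend), as an added example that is not the vendor's Connector or controller code. It consumes pod lifecycle events in the shape a Kubernetes watch delivers them, renders each Service's backend set, and lets one proxy per node pull the configuration whenever its version lags. The Service, selector, pod names and IPs are constructed sample data.

```python
"""Endpoint reconciliation for a per-node proxy fleet (added model, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PodEvent:
    type: str                  # "ADDED", "MODIFIED" or "DELETED" (Kubernetes watch event types)
    name: str
    ip: str                    # pod IP: new on every replacement
    labels: Dict[str, str]
    ready: bool                # readiness as reported by the kubelet


@dataclass
class Service:
    name: str
    selector: Dict[str, str]   # pods with these labels are backends
    port: int                  # port clients connect to on the virtual IP
    target_port: int           # container port on the pod


class Connector:
    """Watches pods, renders per-Service backend lists, bumps a version on every change."""

    def __init__(self, services: List[Service]):
        self.services = services
        self.pods: Dict[str, PodEvent] = {}
        self.version = 0
        self.config: Dict[str, List[str]] = self._render()

    def handle(self, ev: PodEvent) -> None:
        if ev.type == "DELETED":
            self.pods.pop(ev.name, None)
        elif ev.type in ("ADDED", "MODIFIED"):
            self.pods[ev.name] = ev
        else:
            raise ValueError(f"unknown watch event type {ev.type!r}")
        rendered = self._render()
        if rendered != self.config:           # publish only when the backend set really changed
            self.config = rendered
            self.version += 1

    def _render(self) -> Dict[str, List[str]]:
        cfg: Dict[str, List[str]] = {}
        for svc in self.services:
            cfg[f"{svc.name}:{svc.port}"] = sorted(
                f"{p.ip}:{svc.target_port}"
                for p in self.pods.values()
                if p.ready and all(p.labels.get(k) == v for k, v in svc.selector.items())
            )
        return cfg


class NodeProxy:
    """One load balancer instance per node (DaemonSet); pulls config from the controller."""

    def __init__(self, node: str):
        self.node = node
        self.version = -1
        self.backends: Dict[str, List[str]] = {}
        self._next: Dict[str, int] = {}

    def sync(self, connector: Connector) -> bool:
        """Fetch config if behind; returns True when the local config was replaced."""
        if connector.version == self.version:
            return False
        self.backends = {k: list(v) for k, v in connector.config.items()}
        self.version = connector.version
        self._next.clear()
        return True

    def pick(self, vip: str) -> Optional[str]:
        """Round-robin backend choice for a client connection to vip ('name:port')."""
        pool = self.backends.get(vip, [])
        if not pool:
            return None
        i = self._next.get(vip, 0)
        self._next[vip] = i + 1
        return pool[i % len(pool)]


def demo() -> Dict[str, object]:
    payments = Service("payments", {"app": "payments"}, port=443, target_port=8443)
    connector = Connector([payments])
    node1, node2 = NodeProxy("node-1"), NodeProxy("node-2")
    lbl = {"app": "payments"}

    connector.handle(PodEvent("ADDED", "payments-a11e", "10.1.0.9", lbl, ready=True))
    connector.handle(PodEvent("ADDED", "payments-b7c2", "10.1.0.10", lbl, ready=True))
    node1.sync(connector); node2.sync(connector)
    initial = list(node1.backends["payments:443"])
    picks = [node1.pick("payments:443") for _ in range(3)]

    # Pod a11e fails readiness, is deleted, and Kubernetes replaces it with a pod
    # that has a new name and a new IP.
    connector.handle(PodEvent("MODIFIED", "payments-a11e", "10.1.0.9", lbl, ready=False))
    connector.handle(PodEvent("DELETED", "payments-a11e", "10.1.0.9", lbl, ready=False))
    connector.handle(PodEvent("ADDED", "payments-ff31", "10.2.3.4", lbl, ready=True))

    stale = "10.1.0.9:8443" in node2.backends["payments:443"]   # node-2 has not synced yet
    node1.sync(connector); node2.sync(connector)
    return {"initial": initial, "picks": picks, "stale_before_sync": stale,
            "after_replace": list(node2.backends["payments:443"]),
            "config_versions": connector.version}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `stale_before_sync` value is the failure mode the slides are about: a proxy that does not pull (or is not pushed) the new version keeps sending traffic to 10.1.0.9 after the pod is gone. Dropping a pod the moment it becomes unready, before it is deleted, is what keeps failed backends out of the pool during the replacement window.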
22.
Getting to the Root of Anomalies
Time-series distribution of
o Requests
o Bandwidth consumption
o Client IP addresses sending high traffic
o Drill down to their transaction logs to confirm genuineness
23.
Troubleshooting Response Time Issues
o Reach individual transaction(s) to identify the root cause
o View segmentation of response time by properties such as URLs, countries, servers
o Keep a tab on end-to-end response time and the time taken in each portion of the request/response cycle
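The computations slides 22 and 23 list, run over proxy transaction logs, as an added example that is not the vendor's analytics engine: requests and bytes per time window, the top client IPs, a drill-down to one client's transactions, failure counts per client, and response time segmented by URL or server with the proxy-side and upstream portions separated. The log format and every line of the sample are constructed for this example; no product emits exactly this format.

```python
"""Anomaly and response-time analysis over proxy transaction logs (added example)."""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not real traffic). One transaction per line:
# epoch_seconds client_ip method path status bytes_out total_ms upstream_ms server
SAMPLE_LOG = """\
1700000000 203.0.113.7   GET  /api/items     200 1820  42  31  web-1
1700000001 198.51.100.20 GET  /api/items     200 1790  40  29  web-2
1700000002 203.0.113.7   GET  /api/items     200 1820  45  33  web-1
1700000003 203.0.113.7   POST /api/login     401 210   380 365 auth-1
1700000004 203.0.113.7   POST /api/login     401 210   395 377 auth-1
1700000005 203.0.113.7   POST /api/login     401 210   372 360 auth-1
1700000006 198.51.100.21 GET  /static/app.js 200 90240 60  6   web-2
1700000008 203.0.113.7   POST /api/login     401 210   388 371 auth-1
1700000011 198.51.100.20 GET  /api/checkout  200 2310  910 870 web-1
1700000013 198.51.100.22 GET  /api/checkout  200 2305  880 845 web-2
"""


@dataclass
class Txn:
    ts: int
    client: str
    method: str
    path: str
    status: int
    bytes_out: int
    total_ms: int      # end-to-end time measured at the proxy
    upstream_ms: int   # time the backend pod took
    server: str


def parse(log: str) -> List[Txn]:
    txns = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, m, p, st, b, tot, up, srv = line.split()
        txns.append(Txn(int(ts), ip, m, p, int(st), int(b), int(tot), int(up), srv))
    return txns


def time_series(txns: List[Txn], window_s: int = 5) -> Dict[int, Dict[str, int]]:
    """Requests and bytes per time window: the time-series distribution of slide 22."""
    series: Dict[int, Dict[str, int]] = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for t in txns:
        bucket = t.ts - t.ts % window_s
        series[bucket]["requests"] += 1
        series[bucket]["bytes"] += t.bytes_out
    return dict(sorted(series.items()))


def top_clients(txns: List[Txn], n: int = 3) -> List[Tuple[str, int]]:
    """Client IPs sending the most requests."""
    return Counter(t.client for t in txns).most_common(n)


def drill_down(txns: List[Txn], client: str) -> List[Txn]:
    """All transactions of one client, to judge whether its traffic is genuine."""
    return [t for t in txns if t.client == client]


def failure_counts(txns: List[Txn], status: int = 401) -> Dict[str, int]:
    """Per-client count of one failure status; repeated 401s on a login URL is the
    kind of pattern the drill-down is meant to surface."""
    return dict(Counter(t.client for t in txns if t.status == status))


def segment_response_time(txns: List[Txn], key: str = "path") -> Dict[str, Dict[str, float]]:
    """Median response time per URL/server/etc., split into upstream and proxy-side time."""
    groups: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        groups[getattr(t, key)].append(t)
    return {
        k: {
            "count": len(g),
            "p50_total_ms": statistics.median(t.total_ms for t in g),
            "p50_upstream_ms": statistics.median(t.upstream_ms for t in g),
            "p50_proxy_ms": statistics.median(t.total_ms - t.upstream_ms for t in g),
        }
        for k, g in groups.items()
    }


if __name__ == "__main__":
    txns = parse(SAMPLE_LOG)
    print("per-window:", time_series(txns))
    print("top clients:", top_clients(txns))
    print("401s per client:", failure_counts(txns))
    print("by path:", segment_response_time(txns, "path"))
    print("by server:", segment_response_time(txns, "server"))
```

Separating `total_ms` from `upstream_ms` is what lets the troubleshooting step of slide 23 say whether a slow URL is slow in the backend pod or in the proxy/network portion of the cycle; segmenting by `server` instead of `path` answers the "which instance" question with the same data.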
24.
Summary: Security with Simplicity
o Simple architecture with a unified solution and central management and control
o ADC config "as code" in Kubernetes format
o No change to microservices' code
o Traffic visibility for optimizations and enhancements