Control Ingress and Egress traffic in Kubernetes with NGINX
Amir Rawdat
Technical Marketing Engineer, NGINX
©2020 F5
Agenda
• Common challenges with managing traffic inside Kubernetes
• Moving away from annotations with NGINX Ingress Resources
• Enhancing troubleshooting and logging
• Controlling ingress/egress traffic with a single configuration
• Enabling agile deployments and maintaining uptime
• Going even further with NGINX Service Mesh
• Q&A
What we see in the market: a Kubernetes-centric perspective
• Kubernetes is becoming the platform for developing, testing and running applications. Applications are becoming ephemeral by nature, which exposes the limits of Layer 4 (IP-address-based) Kubernetes networking. NGINX provides Layer 5-7 networking policies as an alternative to policies keyed on IP addresses.
• Cybersecurity is an ever-growing, ever more complicated field. Traditional firewalls and antivirus are becoming irrelevant or obsolete for these workloads. Data breaches are on the rise and will continue to rise throughout 2021.
• Adoption of managed and commercial Kubernetes platforms: rapid adoption of OpenShift and Rancher in the private cloud space, and of EKS and GKE in the public cloud.
My favorite article titles: K8s adoption brings complexity
• “Let’s Use Kubernetes!” Now You Have 8 Problems
• “Will Complexity Kill Kubernetes?”
• “Has Kubernetes Already Become Too Unnecessarily Complex for Enterprise IT?”
• “Why Kubernetes Networking Is Hard – And What You Can Do About It”
What’s missing in K8s, and what do you really want and need from a mesh?
Networking: K8s, L4-L7
• Kubernetes and the CNI provide L4 service: IP endpoints
• Many, complex options: https://kubernetes.io/docs/concepts/cluster-administration/networking/
• L7 traffic management is missing:
  • Policy-based routing
  • Service-level access control
  • SSL/mTLS enforcement
  • Integrated ingress/egress
• Enter KIC + service mesh: taking control of Kubernetes networking
Controlling ingress/egress traffic with NGINX KIC
Problems with Ingress Resources
• Kubernetes Ingress resources are limited to basic SSL/TLS termination and HTTP load balancing
• Configuration can be customized further with annotations, ConfigMaps, and templates, but these are:
  • Globally scoped and not fine-grained
  • Very error-prone
  • Hard to validate: it is difficult to pinpoint validation errors
NGINX Ingress Resources
• Native, type-safe configuration
• Advanced app delivery features through the native Kubernetes workflow
• Increased modularity and reusability
• Finer-grained multi-tenancy with NGINX cross-namespace resources
Ingress/Egress mTLS policies (KIC)

apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: egress-mtls-policy
spec:
  egressMTLS:
    tlsSecret: egress-mtls-secret                # kubernetes.io/tls: client certificate and key NGINX presents to the upstream
    trustedCertSecret: egress-trusted-ca-secret  # nginx.org/ca: CA bundle used to verify the upstream certificate
    verifyServer: true                           # boolean, not the string "on"
    serverName: true                             # send the server name (SNI) to the upstream
    sslName: secure-app.example.com              # name checked against the upstream certificate and sent as SNI
---
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: ingress-mtls-secret        # nginx.org/ca: CA bundle used to verify client certificates
    verifyClient: "on"                           # "on" | "off" | "optional" | "optional_no_ca"
    verifyDepth: 1                               # maximum chain length accepted between client cert and CA
Applying ingress/egress policies to the IC (VirtualServer and VirtualServerRoute)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  ...                                  # spec.tls with a server certificate is required for ingressMTLS to take effect
  policies:
    - name: ingress-mtls-policy        # client certificate verification is server-wide, so it is referenced here, in spec
    - name: egress-mtls-policy
---
apiVersion: k8s.nginx.org/v1
kind: VirtualServerRoute               # takes effect only when a VirtualServer route delegates to it (route: <namespace>/<name>)
metadata:
  name: app
spec:
  host: app.example.com
  subroutes:
    - path: /admin/portal/console
      policies:
        - name: egress-mtls-policy     # egressMTLS can also be scoped to a single route or subroute; ingressMTLS cannot
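As an added example (not code from the slides or from the NGINX project), the following Python walks manifests in dict form and flags the mistakes a practitioner most often makes with these two policies before they are applied: a boolean flag written as a string, a missing or mistyped Secret, verifyServer without a name to verify against, an ingressMTLS policy on a VirtualServer that does not terminate TLS, and an ingressMTLS policy referenced from a route or subroute. The manifests are constructed inline in place of parsed YAML; the policy and secret names are the ones used on the slides.

```python
"""Pre-apply check for NGINX Ingress Controller mTLS Policy references.
Added example, not from the slides or the NGINX project: it walks plain-dict
forms of Policy, VirtualServer, VirtualServerRoute and Secret manifests
(constructed below in place of parsed YAML) and reports mistakes the
controller would otherwise surface only as status warnings after apply."""

VERIFY_CLIENT_MODES = {"on", "off", "optional", "optional_no_ca"}

def by_name(manifests, kind):
    """Map metadata.name -> manifest for every manifest of one kind."""
    return {m["metadata"]["name"]: m for m in manifests if m["kind"] == kind}

def check_secret(secrets, name, expected_type, where, findings):
    """A referenced Secret must exist and carry the type the controller expects."""
    secret = secrets.get(name)
    if secret is None:
        findings.append(f"{where}: secret {name!r} does not exist")
    elif secret.get("type") != expected_type:
        findings.append(f"{where}: secret {name!r} is {secret.get('type')!r}, expected {expected_type!r}")

def check_policy(policy, secrets):
    """Findings for one Policy: field types, enumerations and the Secrets it names."""
    findings, where = [], "policy " + policy["metadata"]["name"]
    ingress, egress = policy["spec"].get("ingressMTLS"), policy["spec"].get("egressMTLS")
    if ingress is not None:
        if ingress.get("verifyClient", "on") not in VERIFY_CLIENT_MODES:
            findings.append(f"{where}: verifyClient must be one of {sorted(VERIFY_CLIENT_MODES)}")
        check_secret(secrets, ingress.get("clientCertSecret"), "nginx.org/ca", where, findings)
    if egress is not None:
        for flag in ("verifyServer", "serverName"):  # a quoted "on" in YAML arrives as a string, not a bool
            if flag in egress and not isinstance(egress[flag], bool):
                findings.append(f"{where}: {flag} must be a boolean, got {egress[flag]!r}")
        if "tlsSecret" in egress:
            check_secret(secrets, egress["tlsSecret"], "kubernetes.io/tls", where, findings)
        if egress.get("verifyServer") is True:
            if "trustedCertSecret" in egress:
                check_secret(secrets, egress["trustedCertSecret"], "nginx.org/ca", where, findings)
            else:
                findings.append(f"{where}: verifyServer is true but trustedCertSecret is unset")
            if not egress.get("sslName"):  # otherwise the cert is checked against the internal upstream name
                findings.append(f"{where}: verifyServer is true but sslName is unset")
    return findings

def check_references(vs, policies, vsrs):
    """Findings for policy references in a VirtualServer and its VirtualServerRoutes."""
    findings, spec, vs_name = [], vs["spec"], vs["metadata"]["name"]
    for ref in spec.get("policies", []):
        pol = policies.get(ref["name"])
        if pol is None:
            findings.append(f"{vs_name}: policy {ref['name']!r} does not exist")
        elif "ingressMTLS" in pol["spec"] and not (spec.get("tls") or {}).get("secret"):
            findings.append(f"{vs_name}: ingressMTLS needs TLS termination (spec.tls.secret) on the VirtualServer")
    # Route-level references; pairing each VirtualServerRoute with its delegating route is left to the controller.
    levels = [(f"{vs_name} route {r['path']}", r) for r in spec.get("routes", [])]
    for vsr in vsrs:
        levels += [(f"{vsr['metadata']['name']} subroute {s['path']}", s) for s in vsr["spec"]["subroutes"]]
    for where, route in levels:
        for ref in route.get("policies", []):
            pol = policies.get(ref["name"])
            if pol is None:
                findings.append(f"{where}: policy {ref['name']!r} does not exist")
            elif "ingressMTLS" in pol["spec"]:
                findings.append(f"{where}: ingressMTLS is server-wide and cannot be referenced from a route or subroute")
    return findings

def lint(manifests):
    """All findings for one set of manifests (the view an admission check would have)."""
    secrets, policies = by_name(manifests, "Secret"), by_name(manifests, "Policy")
    vsrs = [m for m in manifests if m["kind"] == "VirtualServerRoute"]
    findings = [f for pol in policies.values() for f in check_policy(pol, secrets)]
    for vs in (m for m in manifests if m["kind"] == "VirtualServer"):
        findings += check_references(vs, policies, vsrs)
    return findings

# Constructed sample manifests (only the fields the checks read).
SECRETS = [{"kind": "Secret", "metadata": {"name": n}, "type": t} for n, t in [
    ("egress-mtls-secret", "kubernetes.io/tls"), ("egress-trusted-ca-secret", "nginx.org/ca"),
    ("ingress-mtls-secret", "nginx.org/ca")]]
EGRESS_POLICY = {"kind": "Policy", "metadata": {"name": "egress-mtls-policy"}, "spec": {"egressMTLS": {
    "tlsSecret": "egress-mtls-secret", "trustedCertSecret": "egress-trusted-ca-secret",
    "verifyServer": True, "serverName": True, "sslName": "secure-app.example.com"}}}
INGRESS_POLICY = {"kind": "Policy", "metadata": {"name": "ingress-mtls-policy"}, "spec": {"ingressMTLS": {
    "clientCertSecret": "ingress-mtls-secret", "verifyClient": "on", "verifyDepth": 1}}}
GOOD = SECRETS + [EGRESS_POLICY, INGRESS_POLICY,
    {"kind": "VirtualServer", "metadata": {"name": "app"}, "spec": {"host": "app.example.com",
        "tls": {"secret": "app-tls-secret"},
        "policies": [{"name": "ingress-mtls-policy"}, {"name": "egress-mtls-policy"}], "routes": []}},
    {"kind": "VirtualServerRoute", "metadata": {"name": "app"}, "spec": {"host": "app.example.com",
        "subroutes": [{"path": "/admin/portal/console", "policies": [{"name": "egress-mtls-policy"}]}]}}]
# The slide's manifests as first written: a string flag, no TLS on the VirtualServer,
# a policy name that matches nothing, and ingressMTLS referenced from a subroute.
BAD = SECRETS + [INGRESS_POLICY,
    {"kind": "Policy", "metadata": {"name": "egress-mtls-policy"},
     "spec": {"egressMTLS": {"tlsSecret": "egress-mtls-secret", "verifyServer": "on"}}},
    {"kind": "VirtualServer", "metadata": {"name": "app"}, "spec": {"host": "app.example.com",
        "policies": [{"name": "ingress-mtls-policy"}], "routes": []}},
    {"kind": "VirtualServerRoute", "metadata": {"name": "app"}, "spec": {"host": "app.example.com",
        "subroutes": [{"path": "/admin/portal/console",
                       "policies": [{"name": "ingress-mtls-policy-cafe"}, {"name": "ingress-mtls-policy"}]}]}}]
```

Running lint(GOOD) returns no findings; lint(BAD) returns four, one for each mistake listed above. The same checks fit naturally into a CI step or an admission webhook that receives the manifests as JSON, which is why the functions take dicts rather than YAML text.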
Applying ingress HTTP header manipulation (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
    - name: app
      service: app-svc
      port: 80
  routes:
    - path: /
      action:
        proxy:
          upstream: app
          requestHeaders:
            pass: true                 # forward the client's original request headers to the upstream
            set:                       # then set (add or overwrite) these before proxying
              - name: Content-Type
                value: application/json
Applying egress HTTP header manipulation (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: app
spec:
  host: app.example.com
  upstreams:
    - name: app
      service: app-svc
      port: 80
  routes:
    - path: /
      action:
        proxy:
          upstream: app
          responseHeaders:
            add:                       # added to the response sent to the client
              - name: Access-Control-Allow-Origin
                value: "*"             # wildcard CORS: acceptable only for public, unauthenticated resources
                always: true           # add on error responses as well, not only on 2xx/3xx
            hide:                      # strip these upstream headers before the client sees them
              - x-internal-version
            ignore:                    # do not let these upstream headers affect NGINX processing (for example caching)
              - Expires
              - Set-Cookie
Agile Deployments using Sophisticated Routing
Agile deployments using advanced routing: topology (diagram not reproduced)
Debug routing (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: cafe.example.com
  upstreams:
    - name: app-edge
      service: app-edge-svc
      port: 80
    - name: app-stable
      service: app-stable-svc
      port: 80
  routes:
    - path: /
      matches:                         # evaluated in order; the first match whose conditions all hold wins
        - conditions:
            - cookie: session
              value: suxxis-12hs6dds-dhfgry-ssss   # whoever presents this cookie reaches the unreleased build: treat it as a credential
          action:
            pass: app-edge
      action:                          # default when no match applies
        pass: app-stable
A/B testing and blue-green deployments (VirtualServer)

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  host: app.example.com
  upstreams:
    - name: products-v2
      service: products-v2-svc
      port: 80
    - name: products-v1
      service: products-v1-svc
      port: 80
  routes:
    - path: /products
      splits:                          # weights are percentages and must add up to 100
        - weight: 90
          action:
            pass: products-v1
        - weight: 10
          action:
            pass: products-v2
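As an added example (not code from the slides or from NGINX Ingress Controller), the following Python reproduces the route-selection rules behind the last two VirtualServers: matches are tried in order, the first match whose conditions all hold wins, otherwise the default action applies, and a splits action distributes requests by weight. The request dicts and the sha256-based bucket are assumptions made for the example; NGINX itself implements splits with split_clients and its own hash, so only the proportions carry over.

```python
"""Route selection as the two VirtualServers above describe it.
Added example, not code from the slides or from NGINX Ingress Controller. It
models the documented semantics: matches are tried in order and the first one
whose conditions all hold wins, otherwise the default action applies, and a
splits action distributes requests by weight. The bucket hash is an assumption
(NGINX uses split_clients with its own hash); only the proportions matter.
Requests are constructed dicts: {"id", "cookies", "headers", "args"}."""
import hashlib

def condition_holds(cond, request):
    """One match condition: a cookie, header or query argument equal to the expected value."""
    if "cookie" in cond:
        actual = request.get("cookies", {}).get(cond["cookie"])
    elif "header" in cond:
        actual = request.get("headers", {}).get(cond["header"].lower())  # header names stored lower-case
    elif "argument" in cond:
        actual = request.get("args", {}).get(cond["argument"])
    else:
        raise ValueError(f"unsupported condition {cond!r}")
    return actual is not None and actual == cond["value"]

def split_bucket(request_id):
    """Deterministic 0..99 bucket per request: the same request id always lands in the same bucket."""
    return int(hashlib.sha256(request_id.encode()).hexdigest(), 16) % 100

def pick_split(splits, request_id):
    """Choose the upstream whose cumulative weight range contains the request's bucket."""
    if sum(s["weight"] for s in splits) != 100:
        raise ValueError("split weights must add up to 100")
    bucket, upper = split_bucket(request_id), 0
    for split in splits:
        upper += split["weight"]
        if bucket < upper:
            return split["action"]["pass"]
    raise AssertionError("bucket outside 0..99")

def select_upstream(route, request):
    """Upstream name for one request under one VirtualServer route."""
    for match in route.get("matches", []):  # in order; every condition of a match must hold
        if all(condition_holds(c, request) for c in match["conditions"]):
            return match["action"]["pass"]
    if "splits" in route:
        return pick_split(route["splits"], request.get("id", ""))
    return route["action"]["pass"]

def route_sample(route, requests):
    """Count how many of the requests each upstream receives."""
    counts = {}
    for req in requests:
        upstream = select_upstream(route, req)
        counts[upstream] = counts.get(upstream, 0) + 1
    return counts

# The two routes from the slides, as dicts.
DEBUG_ROUTE = {"path": "/",
    "matches": [{"conditions": [{"cookie": "session", "value": "suxxis-12hs6dds-dhfgry-ssss"}],
                 "action": {"pass": "app-edge"}}],
    "action": {"pass": "app-stable"}}
SPLIT_ROUTE = {"path": "/products",
    "splits": [{"weight": 90, "action": {"pass": "products-v1"}},
               {"weight": 10, "action": {"pass": "products-v2"}}]}

if __name__ == "__main__":
    tester = {"id": "req-1", "cookies": {"session": "suxxis-12hs6dds-dhfgry-ssss"}}
    print(select_upstream(DEBUG_ROUTE, tester), select_upstream(DEBUG_ROUTE, {"id": "req-2"}))
    print(route_sample(SPLIT_ROUTE, [{"id": f"req-{i}"} for i in range(2000)]))
```

Two things the simulation makes visible: the debug cookie is the only thing standing between the internet and app-edge, so it should be a long random value, rotated, and removed from the VirtualServer when the test ends, and the edge build should sit behind the same authentication as stable; and a weighted split is per request, not per user, so a client can see v1 and v2 on consecutive requests unless the application tolerates that or session persistence is configured.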
Protecting your Kubernetes Apps from Vulnerabilities and Attacks
Blocking threats with NGINX App Protect (WAF)
• Consolidates the NGINX Ingress Controller with a battle-tested WAF
• Configuration is fully managed through the Kubernetes API
• Kubernetes RBAC lets you securely delegate WAF configuration to a dedicated DevSecOps team
• Block unrecognized threats with user-defined signatures
Secure perimeter for your applications in Kubernetes (diagram not reproduced)
Advanced App-Centric Configuration
Going Even Further with NGINX Service Mesh
Architecture: data plane and control plane (diagram not reproduced)
Bookinfo demo
What Does a Service Mesh Do?
A service mesh controls communications between pods and with external apps.
• Secure traffic: end-to-end encryption (mutual TLS / mTLS), ACLs
• Manage all service traffic: load balancing, circuit breaking, blue/green, rate limiting…
• Orchestration: injection and sidecar management, K8s API integration
• Measure traffic: generate transaction traces and real-time monitoring
When Am I Ready For a Service Mesh?
• You have a mature, fully automated CI/CD pipeline (GitOps-enabled)
• You are fully invested in Kubernetes
• You are deploying frequently to production (at least once per day)
• You have a zero-trust production environment (so you need mTLS)
• You need or want additional visibility into container traffic interactions
Get Started Today!
• Get started with the NGINX Ingress Controller: https://github.com/nginxinc/kubernetes-ingress
• Get a free trial of the NGINX Plus Ingress Controller: https://www.nginx.com/free-trial-request-nginx-ingress-controller/
• Open talk: Securing and Managing K8s Apps with Ease: NGINX Service Mesh
• Download NGINX Service Mesh for free: https://downloads.f5.com
Q&A
Contact us:
Amir Rawdat: a.rawdat@f5.com
NGINX: sales@nginx.com

Editor's Notes

  1. Cybersecurity is an ever-growing, ever more complicated field. Authentication is enforced independently of IP addresses: both the client and the server are authenticated before connections are accepted. There is a broader shift away from perimeter-focused, firewall-based security to a model where security is everywhere and is based on identity (such as the identity of the applications sharing or requesting information).
  2. While we can’t solve all of the complexity that comes with K8s, we can offer up a simpler and more secure way to manage all service-to-service traffic.
  6. If you can’t say “yes” to these checkpoints, you won’t benefit from a service mesh yet. Complexity of application: IDC report “Vendors Stake Out Positions in Emerging Istio Service Mesh Landscape”. Aspen Mesh believes cloud-native environments with more than 20 services reach a point of complexity at which service meshes, such as Istio, become increasingly necessary. IBM believes it becomes difficult to manage a microservices network when customers reach a threshold of 25 microservices.