Implementing Zero Trust Security in API Gateway with Cilium
October, 2024
Hello!
Pubudu Gunatilaka
Senior Technical Lead, WSO2
pubudug@wso2.com
Kubernetes Application Architecture

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: order-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /orderList
spec:
  ingressClassName: nginx
  rules:
  - host: "tickets.mn.com"
    http:
      paths:
      - path: /orders
        pathType: Prefix
        backend:
          service:
            name: order-service
            port:
              number: 9090
---
apiVersion: v1
kind: Service
metadata:
  name: order-service
spec:
  selector:
    app.kubernetes.io/name: order-app
  ports:
  - protocol: TCP
    port: 9090
    targetPort: 9090

[Diagram: Client Applications -> Load Balancer -> Ingress Controller -> Order Service -> Order Pod, Order Pod; Namespace bar, Namespace foo]
Introduction to Kubernetes Gateway API

Image Source: https://kubernetes.io/blog/2021/04/22/evolving-kubernetes-networking-with-the-gateway-api/

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
spec:
  gatewayClassName: default-gateway
  listeners:
  - protocol: HTTP
    port: 80
    name: prod-gw-http
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: default-gateway
spec:
  controllerName: "gw.io/gateway-controller"

[Diagram (Gateway API resource model): Infrastructure Provider -> GatewayClass; Cluster Operator -> Gateway; two Application Developers, each with an HTTPRoute -> Service]
From OpenAPI to HTTPRoute

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: order-route
spec:
  parentRefs:
  # Added: binds the route to the Gateway from the previous slide. An HTTPRoute
  # without parentRefs is not attached to any listener and serves no traffic.
  - name: prod-gateway
  hostnames:
  - "tickets.mn.com"
  rules:
  - matches:
    - method: POST
      path:
        type: RegularExpression
        value: /orders
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          replaceFullPath: /orderList
          type: ReplaceFullPath
    - type: RequestHeaderModifier
      requestHeaderModifier:
        add:
        - name: x-order-id
          value: "PG-109"
    backendRefs:
    - name: order-service
      port: 9090

[Diagram: the route's backend, Order Service]
Envoy Proxy: The Backbone of Modern API Gateways

● Continuous Development and Open Source Benefits
● Envoy as an Ingress Controller in Kubernetes
● Essential API Management Features
● Support for REST and gRPC Services
● Extensibility options to enhance and customize its capabilities
● Flexible Deployment Patterns
Introduction to Cilium
Image Source: https://cilium.io/blog/2020/11/10/ebpf-future-of-networking/
L3 / L4 Policies in Cilium

[Diagram: Developer -> Control Plane; Client Applications -> Load Balancer -> Order Pod on a Node (Kernel and User space), with the Cilium Agent on the node. Steps: 1. Apply K8s CRs; 2. Receive CR Updates; 3. Program Kernel]
L7 Policies in Cilium

[Diagram: Developer -> Control Plane; Client Applications -> Load Balancer -> Order Pod on a Node (Kernel and User space), with the Cilium Agent and the Cilium Proxy on the node. Steps: 1. Apply K8s CRs; 2. Receive CR Updates; 3. Program Kernel; 4. Program Envoy]
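The two slides above show the control flow (CRs applied, agent notified, kernel programmed, Envoy programmed) but not what a policy that triggers it looks like. The following CiliumNetworkPolicy is an added example, not taken from the slides or from Cilium's own docs. It protects the order-app pods from slide 3 and assumes that the gateway in front of them is Cilium's own proxy (so the source can be named with Cilium's reserved `ingress` entity) and that the route from slide 5 is in place, because the L7 rule has to match the rewritten path the pod actually receives.

```yaml
# Added example (not from the slides): one CiliumNetworkPolicy carrying the
# L3, L4 and L7 parts of the two preceding slides for the order-app pods.
# Assumptions: Cilium is the gateway proxy in front of these pods, and the
# backend pods carry app.kubernetes.io/name=order-app (the Service selector
# on slide 3). Apply it in the namespace where order-service lives.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: order-app-ingress
spec:
  # L3: which pods the policy protects. As soon as a policy with an ingress
  # section selects a pod, Cilium drops every ingress flow not allowed below.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: order-app
  ingress:
  # L3: the only permitted source is Cilium's own gateway/ingress proxy, which
  # Cilium identifies with the reserved entity "ingress". Other pods, even in
  # the same namespace, are denied.
  - fromEntities:
    - ingress
    toPorts:
    # L4: only the port the Service forwards to (slide 3: targetPort 9090).
    - ports:
      - port: "9090"
        protocol: TCP
      # L7: the presence of an http rule is what makes the Cilium agent program
      # its Envoy proxy (step 4 on the L7 slide) and redirect this port through
      # it. The path is the one the backend receives: the HTTPRoute on slide 5
      # rewrites the client's /orders to /orderList before the request reaches
      # the pod, so a rule written against /orders here would match nothing.
      rules:
        http:
        - method: "POST"
          path: "^/orderList$"
```

After `kubectl apply -f`, `cilium policy get` on the node shows the imported rule, and `hubble observe --verdict DROPPED` lists the flows the policy rejects (a GET to the same port, or a request that did not pass through the Cilium proxy), which is the quickest way to confirm that the pod is now in default-deny for ingress rather than silently open.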
How API Gateway Fits in with Cilium

[Diagram: Developer -> Control Plane; Client Applications -> Load Balancer -> a separate API Gateway -> Order Pod on a Node (Kernel and User space), with the Cilium Agent and the Cilium Proxy on the node. Steps: 1. Apply K8s CRs; 2. Receive CR Updates; 3. Program Kernel; 4. Program Envoy; 5. the API Gateway hop]
Architectural Challenges of Running API Gateway with Cilium

● Complex Traffic Management: Increased complexity in networking and routing.
● Latency: Potential overhead due to additional request hops.
● Inconsistent Policy Enforcement: Potential gaps or redundancy in policy application.
● Scalability Issues: Independent scaling may lead to bottlenecks.
● Monitoring Challenges: Difficult to maintain unified observability across both systems.
● Operational Overhead: Managing two separate systems increases complexity.
● Configuration Burden: Maintaining consistency across both systems adds management effort.
Why a Separate API Gateway?

Cilium Proxy = API Gateway

No Separate API Gateway Required: Cilium Handles It All

[Diagram: Developer -> Control Plane (Data Plane and Control Plane marked); Client Applications -> Load Balancer -> Order Pod on a Node (Kernel and User space), with the Cilium Agent and the Cilium Proxy providing the Gateway Functions on the node. Steps: 1. Apply K8s CRs; 2. Create Cilium Envoy Configurations (new Operator for API Gateway Functions); 3. Receive CR Updates; 4. Program Kernel; 5. Program Envoy]
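To make the "Cilium handles it all" slide concrete, here are the Gateway API objects from slides 4 and 5 pointed at Cilium's own gateway controller, so that the Cilium Proxy on each node terminates client traffic and no separate gateway Deployment exists. This is an added example, not material from the slides or from WSO2; it goes a little beyond the deck by adding TLS termination at the listener. It assumes Cilium was installed with Gateway API support enabled (Cilium then registers the `cilium` GatewayClass itself) and that a TLS Secret named `tickets-mn-com-tls` (a placeholder name) exists in the same namespace as the Gateway.

```yaml
# Added example (not from the slides). Assumptions: Cilium with Gateway API
# support enabled, and a TLS Secret "tickets-mn-com-tls" (placeholder name)
# in the Gateway's namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: cilium
spec:
  # Cilium creates this GatewayClass itself when Gateway API support is on;
  # it is shown here only so the gatewayClassName below is traceable.
  controllerName: io.cilium/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
spec:
  gatewayClassName: cilium
  listeners:
  - name: prod-gw-https
    protocol: HTTPS
    port: 443
    hostname: "tickets.mn.com"
    tls:
      # Terminate TLS in the Cilium Proxy, so clients never talk plain HTTP.
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: tickets-mn-com-tls
    allowedRoutes:
      namespaces:
        from: Same   # only routes in this namespace may attach to the listener
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: order-route
spec:
  parentRefs:
  - name: prod-gateway
    sectionName: prod-gw-https   # attach to the HTTPS listener specifically
  hostnames:
  - "tickets.mn.com"
  rules:
  - matches:
    - method: POST
      path:
        type: Exact
        value: /orders
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplaceFullPath
          replaceFullPath: /orderList
    backendRefs:
    - name: order-service
      port: 9090
```

Once applied, `kubectl get gateway prod-gateway` should report PROGRAMMED as True together with the load-balancer address, and `kubectl get httproute order-route -o yaml` should show the route Accepted and ResolvedRefs in its parent status. Because the request now enters the backend from the Cilium Proxy rather than from a separate gateway pod, a CiliumNetworkPolicy on order-app can name the source as Cilium's reserved `ingress` entity instead of matching a gateway Deployment's labels, which is what removes the "inconsistent policy enforcement" gap listed on the challenges slide.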
Unified API Management Architecture Powered by Cilium

[Diagram: Control Plane: API Publisher, API Developer Portal, Analytics, Admin Portal, Key Manager; Data Plane: Cilium, Microservice, Microservice, Microservice]
The API Developer and API Product Manager Perspective

[Diagram: API Developer -> Kubernetes API Server (Kubernetes CRs: Gateway Class, Gateway, HTTP Route) and API Documents -> API Publisher (Back Office); API Product Manager -> Control Plane Apps (Admin/Developer Portal) -> Control Instructions (Apps, subscriptions, policies) -> Control Plane. Data Plane: Cilium Proxy with Gateway Functions in front of Order Service, Payment Service, Movie Service]
Getting Ready for Change

● Align API Management: Sync architecture with evolving standards.
● Kubernetes Gateway API: Replaces Ingress, enhancing API management.
● Commoditized Gateways: Standardization makes gateways infrastructure staples.
● Unified API Definition: Governs API standards in Kubernetes and beyond.
● Avoid Vendor Lock-in: Flexibility to choose multiple API gateways.
● Enhanced Traffic Management: Improves north-south and east-west traffic.
● Zero Trust Security: Strengthens overall security posture.
wso2.com
Thanks!