Securing Your Apps & APIs
in Kubernetes
VIRTUAL EVENT
Aug 27th, 2020
© 2020 F5 NETWORKS - CONFIDENTIAL
There are two types of apps in this world...
Greenfield | Brownfield
Ok, so maybe that's an oversimplification...
Brownfield | Greenfield
And they often are mixed together
Monolithic | Hybrid | Microservices (left to right: modernization)
>60%: Core, legacy business apps
~30%: Legacy with microservices add-ons
~10%: Modern apps optimized for digital
Statistics from 2018 NGINX Brand Survey
Where most enterprises will be for years to come
Current CNCF Landscape
Ok, that's a lot.
What do I need to think about to start ramping towards actually getting to production?
What flavor of Kubernetes am I going to leverage?
Cloud Services | Hybrids | Vanilla | Agnostic
Ok, that's still a little more complicated than expected.
Is there anything I can do regardless of my platform choice?
Sure, and we're about to focus on a couple of them.
Figure out your application routing, monitoring, and security strategy.
Platform-agnostic tool chain = solve the problem once, solve it for good.
Kubernetes adds several more locations to deploy Application Services
[Diagram: Edge, Ingress Controller, Per-Service proxy, Per-Pod proxy and pods, with application services (API Gateway, Load Balancer, App Security) placed along that path]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Sidecar-style proxy per pod
Three criteria to determine where to deploy a service
1. Is the service specific to an application, or general, for all applications?
   Close to the Application <-> Close to the Edge
2. Is the service configuration owned by DevOps/DevSecOps, or by NetOps/SecOps?
   Owned by Dev(Sec)Ops <-> Owned by NetOps/SecOps
3. The technical fit: what components offer the necessary functionality and APIs?
Not all app components are equal, and different configuration and APIs meet the needs of different users.
F5 Container Ingress Services (CIS)
• Native open-source integration in container environments for F5 BIG-IP Ingress control
• Enable self-service selection in orchestration for app services
• Scale and secure apps through automated event discovery and service insertion
• Scale and secure NGINX Ingress controller
[Diagram: Container Environments (Kubernetes, OpenShift; Node 1, Node 2) - Orchestration - F5 Container Ingress Services - F5 BIG-IP (App Performance and Security Services) - Visibility and Analytics; app services across the network. Dotted line = integration control plane; solid line = traffic data plane.]
NGINX Ingress Controller
• Single pod deployment, running in Kubernetes as NodePort
• Rich, app-oriented configuration using both Kubernetes and NGINX Ingress Resources
• Supports DevOps use cases: routing, B/G (blue/green), circuit breaker
• Multi-tenant, secure RBAC
• Typically requires external LB
[Diagram: Container Environments (Kubernetes, OpenShift; Node 1, Node 2) - Orchestration - NGINX Ingress Controller - Visibility and Analytics - Tracing; app services across the network. Dotted line = integration control plane; solid line = traffic data plane.]
Ingress Controller as point of control for App Protect
[Diagram: Edge Services - Ingress Controller - pods; Kubernetes Control Plane holding the NGINX Ingress Resource with WAF policy, DNS policy and IPAM policy]
Customer DevOps requests additional capabilities using Ingress Resource extensions (WAF policy, DNS policy, IPAM policy).
Ingress Controller automates downstream services, within boundaries controlled by NetOps.
Automated discovery and high-performance load balancing.
WAF Deployment on the Ingress Controller
DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED USING KUBERNETES API
[Diagram: Edge - Ingress Controller - Per-Service proxy - Per-Pod proxy - pods; the WAF sits on the Ingress Controller]
K8s NetOps/DevOps-Centric Approach
Appropriate solution when WAF policies are under direction of NetOps or DevOps teams. Policies are defined and associated with services using the Kubernetes API.
NGINX Ingress Controller RBAC allows:
• Admin users to enforce policies per listener
• DevOps users to select policy per Ingress Resource
Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).
Appropriate for Kubernetes-native NetOps or DevOps WAF
NGINX App Protect
CHRIS AKKER
TECHNICAL SOLUTIONS ARCHITECT
NGINX BU / F5
[Chart: YoY Increase in CVEs, 2010 to 2019 (y axis 0 to 16,000). Note: Excludes any rejections or disputes.]
New vulnerabilities are discovered in all manner of software all the time.
They are exploited by both malicious bots and human attackers.
Do you know how many affect your application stack(s)?
Can you keep up with the pace of published vulnerabilities?
Do you want to?
NGINX App Protect
• Strong App Security
• Built for Modern Apps
• CI/CD Friendly
Strong App Security
App security and controls built using F5 Advanced WAF technology. Blocks attacks and helps prevent downtime.
• Easy install & updates
• OWASP Top 10 and more
• Regulatory compliance
• IP blocking
• Prevent sensitive data loss
• F5-based Layer 7 attack protection
• API security
Built for Modern Apps
High-performance security with performance and scale. Small footprint, less than 2MB on disk, ideal for container workloads. Seamless integration into the #1 web application platform.
• High performance
• Deployment options
• Minimizes tool sprawl
• Lightweight footprint
• Seamless NGINX integration
• 20X+ faster than alternative OSS
CI/CD Friendly
Enable security to keep pace with DevOps and support "shift left" initiatives.
• Declarative policies
• Speed time to market
• Reduced cost
• Enable AppDev feedback loops
• Automate security in CI/CD cycle
Signature Differences
Attack Signature                   | Threat Campaign
Generic form of attack             | Instance of a specific attack
Many false positives               | Near 100% accurate
Difficult to evade                 | Sensitive to attack variations
Updated once in a couple of weeks  | Multiple updates per week
No information if ever exploited   | Based on real observations
Generic attack information         | Provides context (intent/risk)
Local attack indicator             | Global threat visibility
~4,000                             | ~200
Deployment options / Use Cases
• Edge SW WAF
• API WAF
• Kubernetes IC WAF
• Pod WAF
• Microservice WAF
Kubernetes adds several more locations to deploy Application Security
[Diagram: Edge, Ingress Controller, Per-Service proxy, Per-Pod proxy and pods, with application services (API Gateway, Load Balancer, App Security) placed along that path]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Proxy embedded in pod
Standard App Protect NGINX-proxy deployment
Declarative Policy Helps CI/CD Motion
INFRASTRUCTURE AND SECURITY AS CODE
Source Code Repository: application code/config for App X; security policy/config for App X
CI/CD Pipeline Tool: pipeline for build/test/deploy of App X
IT Automation: Ansible playbook for deployment of App X with its app services
Owned by SecOps | Operated by DevOps
Example declarative policy change (JSON):
{
  "entityChanges": {
    "type": "explicit"
  },
  "entity": {
    "name": "bak"
  },
  "entityKind": "tm:asm:policies:filetypes:filetypestate",
  "action": "delete",
  "description": "Delete Disallowed File Type"
}
Demo Highlights
ENVIRONMENT OVERVIEW
• NGINX PLUS WITH APP PROTECT - EDGE
• NGINX PLUS KUBERNETES INGRESS WITH APP PROTECT
• ELK - KIBANA DASHBOARDS EXAMPLE
3-5-7 Demo
• 3 INSTALL COMMANDS
• 5 LINES OF CONFIGURATION
• 7 MINUTES TO RUNNING APP PROTECT
Demo Environment: CentOS server, 3-node K8s cluster, N+ KIC (NGINX Plus Kubernetes Ingress Controller), ELK server
3 - Install App Protect on CentOS 7
Pre-Reqs
1. Need your NGINX Plus repo SSL certificate and key (nginx.crt and nginx.key)
2. Add the App Protect signatures yum repo:
Centos# wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-signatures-7.repo
Install commands:
Centos# yum install -y app-protect
Centos# yum install -y app-protect-attack-signatures
Centos# yum install -y app-protect-threat-campaigns
5 - Configure nginx.conf with App Protect
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;  # Dynamic module
…
server {
    listen 80;
    server_name localhost;
    proxy_http_version 1.1;
    app_protect_enable on;  # Enable App Protect
    app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";  # Policy definition
    app_protect_security_log_enable on;  # Enable logging
    app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;  # Syslog IP:port
    location / {
        …
        proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
    }
}
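The slide calls this "5 lines of configuration"; the check below, added for this write-up and not part of the slide deck or of NGINX/F5's tooling, parses an nginx.conf and reports which of those App Protect settings are missing or switched off. The two configurations it checks are constructed from the slide (an http block added around the server, the demo's syslog address replaced by the placeholder SYSLOG_HOST); the directive tokenizer is a deliberately small regex that is enough for a flat config like this one, not a general nginx parser.

```python
"""Sanity-check an nginx.conf for the App Protect directives shown on the slide."""
import re

# Strip comments, then pull out `name args;` directives. Block openers ("server {")
# are skipped: this flat check only asks whether each directive exists somewhere,
# which is enough for a single-server config like the demo's.
_COMMENT = re.compile(r"#[^\n]*")
_DIRECTIVE = re.compile(r"([A-Za-z_]\w*)\s+([^;{}]*?)\s*;")


def directives(conf_text):
    """Return (name, arguments) pairs in the order they appear."""
    return [(n, a.strip()) for n, a in _DIRECTIVE.findall(_COMMENT.sub("", conf_text))]


def check_app_protect(conf_text):
    """Return a list of findings; an empty list means all five App Protect settings are present."""
    found = {}
    for name, args in directives(conf_text):
        found.setdefault(name, []).append(args)
    findings = []
    if not any("ngx_http_app_protect_module.so" in a for a in found.get("load_module", [])):
        findings.append("load_module for ngx_http_app_protect_module.so is missing")
    if found.get("app_protect_enable", ["off"])[0] != "on":
        findings.append("app_protect_enable is not 'on': requests are not inspected")
    if "app_protect_policy_file" not in found:
        findings.append("app_protect_policy_file is not set explicitly")
    if found.get("app_protect_security_log_enable", ["off"])[0] != "on":
        findings.append("app_protect_security_log_enable is not 'on': no security events are logged")
    if not any("syslog:server=" in a for a in found.get("app_protect_security_log", [])):
        findings.append("app_protect_security_log has no syslog:server= destination")
    return findings


# Constructed from the slide's nginx.conf; SYSLOG_HOST is a placeholder for the demo's collector.
GOOD_CONF = """
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
http {
    server {
        listen 80;
        server_name localhost;
        proxy_http_version 1.1;
        app_protect_enable on;
        app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";
        app_protect_security_log_enable on;
        app_protect_security_log "/etc/nginx/log-default.json" syslog:server=SYSLOG_HOST:5144;
        location / {
            proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
        }
    }
}
"""

# The same config with the two logging lines dropped: App Protect still blocks,
# but nothing reaches the ELK/Kibana dashboards used later in the demo.
NO_LOGGING_CONF = "\n".join(
    line for line in GOOD_CONF.splitlines() if "app_protect_security_log" not in line
)

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("no-logging", NO_LOGGING_CONF)):
        print(label, check_app_protect(conf) or "OK")
```

Run it as a pre-deploy step in the pipeline the later "Declarative Policy" slide describes: a config that blocks but does not log is easy to ship by accident, and this is the cheapest place to catch it.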
7 - Running NGINX Plus with App Protect
Centos# systemctl restart nginx
Centos# cat /var/log/nginx/error.log
Centos# curl -k http://localhost
Centos# curl -k "http://localhost/?<script>"
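The probe on this slide should show up in the security log configured on the previous slide; the ELK/Kibana dashboards in the demo are built from those events. The parser below is an added example, not code from the slide deck or from NGINX/F5: it assumes the comma-separated key="value" layout of App Protect's default security log format, summarises outcomes, attack types and noisy clients, and pulls out the support IDs that appear on the block page. The four events are constructed; the field names follow the default format, but the IPs, signature IDs and support IDs are made up.

```python
"""Parse NGINX App Protect security-log events and summarise them."""
import re
from collections import Counter

# App Protect's default security log format (the log-default.json on the slide)
# writes one event per line as comma-separated key="value" pairs. A value can
# itself contain commas (sig_names, violations), so match the pairs rather than
# splitting on commas.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_LIST_FIELDS = {"sig_ids", "sig_names", "sig_cves", "violations", "sub_violations",
                "threat_campaign_names"}

# Constructed sample events: field names follow the default format, but the
# IPs, signature ids and support ids are made up for this example.
SAMPLE_LOG = [
    # 1. The demo's curl probe ("/?<script>"), rejected by the XSS signatures.
    'attack_type="Cross Site Scripting (XSS)",date_time="2020-08-27 10:01:12",dest_port="80",'
    'ip_client="10.1.20.15",method="GET",policy_name="NginxDefaultPolicy",protocol="HTTP",'
    'request_status="blocked",response_code="0",severity="Critical",'
    'sig_ids="200000099,200000098",sig_names="XSS script tag (Parameter),XSS script tag end (Parameter)",'
    'support_id="1000000000000000001",threat_campaign_names="N/A",uri="/",violation_rating="5",'
    'outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",'
    'violations="VIOL_ATTACK_SIGNATURE,VIOL_PARAMETER_VALUE_METACHAR",request="GET /?<script> HTTP/1.1"',
    # 2. SQL injection attempt, rejected.
    'attack_type="SQL-Injection",date_time="2020-08-27 10:02:40",dest_port="80",ip_client="10.1.20.22",'
    'method="GET",policy_name="NginxDefaultPolicy",protocol="HTTP",request_status="blocked",'
    'response_code="0",severity="Critical",sig_ids="200002147",sig_names="SQL-INJ UNION SELECT (Parameter)",'
    'support_id="1000000000000000002",threat_campaign_names="N/A",uri="/login",violation_rating="5",'
    'outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",violations="VIOL_ATTACK_SIGNATURE",'
    'request="GET /login?user=a%27+UNION+SELECT HTTP/1.1"',
    # 3. Clean request, passed.
    'attack_type="N/A",date_time="2020-08-27 10:03:05",dest_port="80",ip_client="10.1.20.31",'
    'method="GET",policy_name="NginxDefaultPolicy",protocol="HTTP",request_status="passed",'
    'response_code="200",severity="Informational",sig_ids="N/A",sig_names="N/A",'
    'support_id="1000000000000000003",threat_campaign_names="N/A",uri="/api/accounts",violation_rating="0",'
    'outcome="PASSED",outcome_reason="SECURITY_WAF_OK",violations="N/A",request="GET /api/accounts HTTP/1.1"',
    # 4. Disallowed file type (.bak) on a policy in transparent mode: logged, not blocked.
    'attack_type="Predictable Resource Location",date_time="2020-08-27 10:04:51",dest_port="80",'
    'ip_client="10.1.20.22",method="GET",policy_name="NginxDefaultPolicy",protocol="HTTP",'
    'request_status="alerted",response_code="404",severity="Error",sig_ids="N/A",sig_names="N/A",'
    'support_id="1000000000000000004",threat_campaign_names="N/A",uri="/backup.bak",violation_rating="4",'
    'outcome="PASSED",outcome_reason="SECURITY_WAF_FLAGGED",violations="VIOL_FILETYPE",'
    'request="GET /backup.bak HTTP/1.1"',
]


def parse_event(line):
    """Turn one log line into a dict; list-valued fields become Python lists."""
    event = dict(_PAIR.findall(line))
    for field in _LIST_FIELDS:
        raw = event.get(field, "N/A")
        event[field] = [] if raw == "N/A" else raw.split(",")
    event["violation_rating"] = int(event.get("violation_rating", "0"))
    return event


def summarize(lines):
    """Counts a dashboard would show: outcome per request, attack types, noisy clients."""
    events = [parse_event(line) for line in lines]
    return {
        "by_status": dict(Counter(e["request_status"] for e in events)),
        "attack_types": dict(Counter(e["attack_type"] for e in events if e["attack_type"] != "N/A")),
        "noisy_clients": dict(Counter(e["ip_client"] for e in events if e["request_status"] != "passed")),
    }


def blocked_support_ids(lines):
    """Support IDs of rejected requests: the number printed on App Protect's block page,
    which is how a user's 'I got rejected' report is matched to the event behind it."""
    return [e["support_id"] for e in map(parse_event, lines) if e["request_status"] == "blocked"]


def flagged_but_passed(lines, min_rating=4):
    """High-rated events a transparent-mode policy let through; review these before
    switching the policy to blocking."""
    return [e for e in map(parse_event, lines)
            if e["request_status"] == "alerted" and e["violation_rating"] >= min_rating]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("blocked:", blocked_support_ids(SAMPLE_LOG))
    print("flagged:", [e["uri"] for e in flagged_but_passed(SAMPLE_LOG)])
```

The fourth event ties back to the declarative policy JSON earlier in the deck: a disallowed ".bak" file type only rejects requests once the policy runs in blocking mode, so the alerted-but-passed list is what to review before that switch.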
Demo Ingress YAML with App Protect
NGINX App Protect - WRAP UP
• Size?
• Performance?
• Resources
App Protect Repo
yum info app-protect
Name      : app-protect
Arch      : x86_64
Version   : 22+3.90.2
Release   : 1.el7.ngx
Size      : 172 k
Repo      : installed
From repo : nginx-plus

App Protect Signatures Repo
yum info app-protect-attack-signatures
Name      : app-protect-attack-signatures
Arch      : x86_64
Version   : 2020.08.19
Release   : 1.el7.ngx
Size      : 1.3 M
Repo      : installed
From repo : app-protect-signatures
Summary   : app-protect-attack-signatures-rpm
License   : Commercial

Threat Campaign Repo
yum info app-protect-threat-campaigns
Name      : app-protect-threat-campaigns
Arch      : x86_64
Version   : 2020.08.24
Release   : 1.el7.ngx
Size      : 113 k
Repo      : installed
From repo : app-protect-signatures
Summary   : app-protect-threat-campaigns-rpm
License   : Commercial
NGINX App Protect Performance
[Three bar charts comparing No Protection, NGINX App Protect and ModSec: Throughput (MB/sec, 0 to 2.5), Requests/sec (0 to 14,000), Latency (ms, 0 to 800)]
Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec.
• ModSec Configuration: OWASP Top 10 (enable all CRS v3 rules)
• NGINX App Protect Configuration: OWASP Top 10 (Enable signatures), Evasion technique, Data Guard, Disallowed file types, HTTP protocol compliance
Resources
NGINX App Protect Resources
● https://www.nginx.com/products/nginx-app-protect/
● https://docs.nginx.com/nginx-app-protect/admin-guide/#
● https://www.nginx.com/blog/nginx-app-protect-1-0-released/
NGINX Threat Campaigns
● https://www.f5.com/pdf/products/f5_threat_campaigns_waf.pdf
NGINX Ingress Controller with App Protect
● https://www.nginx.com/blog/securing-apps-in-kubernetes-nginx-app-protect/
● https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/appprotect
● https://github.com/nginxinc/ansible-role-nginx-app-protect
Questions?
NGINX Sprint: September 15-17, 2020 (VIRTUAL EVENT)
Sprint is a three-day virtual event designed to inspire and engage developers, architects, and operators looking to use NGINX technologies to develop and deliver modern applications at scale.
www.nginx.com/events/nginx-sprint-2020
GOALS
• Introduce solutions and evolution of NGINX.
• Engage with the NGINX community and users.
• Attract 1,500 live attendees/day.
Day One: Keynotes (September 15)
Duration: 2 hours. Pre-recorded and streamed "live".
• Provide thought leadership, roadmap review, and announce new solutions
• Invite external influencers and maybe customers to present
• Engage audience with post-keynote analysis from Tech Field Day
Day Two: Demos (September 16)
Duration: 1.5 hours. Live, interactive session.
• Provide 6-7 short demos showing off NGINX and F5 products
• Have demos build on each other, creating a single app by the end
• Use delegates from Tech Field Day as audience proxy
Day Three: Hackathon (September 17)
Duration: 2-3 hours. Live streamed session.
• Have teams present ideas and prototypes
• Judge and award winners
Thank You!
NGINX App Protect
BACKUP SLIDES
Kibana Overview page
Kibana Log Entry details
Arcadia Ingress
Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
