As you manage your technology platform, you balance multiple, sometimes competing factors to keep your digital infrastructure safe every day. You are protecting not just the perimeter but everything inside, too, and along with it; your company’s reputation.
One critical point to protect is the Kubernetes cluster ingress. Encryption, authorization, and Web Application Firewalls (WAF) can make a big difference. Investing in common, easy-to-adopt security for our entry points reduces risks and allows teams to be more creative and adaptable.
Envoy Gateway for your Kubernetes Gateway, its security policies, and Coraza WAF are great ways to use the power of Envoy Proxy to strengthen our Kubernetes ingress security.
Tetrate offers an enterprise-ready, 100% upstream distribution of Envoy Gateway, Tetrate Enterprise Gateway for Envoy (TEG). TEG is the easiest way to get started with Envoy, the de facto standard cloud-native data plane, for Kubernetes ingress. Get access now ›
Beware: Attackers Inside the Network Edge
Cyber attackers often find ways to get in and move around undetected, so it’s critical to have strong security measures in place at every level of your system. Don’t just lock the front door; lock every door in your house.
By implementing encryption, authorization, and WAF at the point of Kubernetes ingress, you can provide protection even if the attacker has bypassed your edge WAF. This approach means that even if attackers get past the outside defenses, they’ll face barriers at every stage, making it much harder for them to succeed.
Start by focusing on three areas:
- Encryption of data in flight
- Control access to resources
- A WAF to protect against common attacks
Protect Data in Flight with Encryption
Encrypting data into and from the Kubernetes Gateway prevents hackers from intercepting or changing information. Strong encryption builds trust with your users and ensures that you follow necessary data security standards.
Encrypt traffic from client to gateway
With Envoy Gateway and cert-manager, you have a solution for handling TLS connections to your gateway. If you need mTLS, you can also establish that between your calling clients and the gateway.
In Envoy Gateway 1.1, you can now gradually roll out mTLS for your routes, safely migrating and calling clients to mTLS without disrupting service.
Encrypt data from the Gateway to the target server
The Backend TLS Policy allows you to define trust chains and certificates for connections between the Gateway and target servers, ensuring you have encryption of all data in flight.
You can read more about Kubernetes and mTLS in this previous article ›
Control Access, Minimize Risk
The gateway is located at the edge of the Kubernetes cluster, making it a perfect spot to interrogate and enforce authorization for the requested resource.
If you use Envoy Gateway, you have a few tools available to help enforce access control:
- IP Allow/Deny Listing
- Validating JWT access tokens
- Caller identity-based access control through Basic Auth, mTLS, or end-user ID from a token
- Call out to custom external authorization processes
These approaches are not a question of which to use, but most likely a combination of them is what will help appropriately protect your system.
Web Application Firewall: Your Shield Against Exploits
A Web Application Firewall (WAF) protects your resources from common web attacks like SQL injection and cross-site scripting. It filters out bad traffic before it reaches your services, and as new attack threats appear, you can add protection rules to the WAF.
You can use Envoy Gateway and Coraza WAF to get WAG capabilities at your Kubernetes ingress point. As a Tetrate client, you get both support and deployment enablement for using Envoy Gateway and Coraza WAF together.
Conclusion
In conclusion, prioritizing security at the Kubernetes ingress point is vital for technical leaders to safeguard their organizations and pave the way for success.
Remember, a resilient infrastructure starts with security at every stack layer.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.
Get a Demo