As you manage your technology platform, you balance multiple, sometimes competing factors to keep your digital infrastructure safe every day. You are protecting not just the perimeter but everything inside it, too, and along with it, your company’s reputation.
One critical point to protect is the Kubernetes cluster ingress. Encryption, authorization, and Web Application Firewalls (WAF) can make a big difference. Investing in common, easy-to-adopt security for our entry points reduces risks and allows teams to be more creative and adaptable.
Envoy Gateway for your Kubernetes Gateway, its security policies, and Coraza WAF are great ways to use the power of Envoy Proxy to strengthen our Kubernetes ingress security.
Tetrate offers an enterprise-ready, 100% upstream distribution of Envoy Gateway, Tetrate Enterprise Gateway for Envoy (TEG). TEG is the easiest way to get started with Envoy, the de facto standard cloud-native data plane, for Kubernetes ingress.
Beware: Attackers Inside the Network Edge
Cyber attackers often find ways to get in and move around undetected, so it’s critical to have strong security measures in place at every level of your system. Don’t just lock the front door; lock every door in your house.
By implementing encryption, authorization, and WAF at the point of Kubernetes ingress, you can provide protection even if the attacker has bypassed your edge WAF. This approach means that even if attackers get past the outside defenses, they’ll face barriers at every stage, making it much harder for them to succeed.
Start by focusing on three areas:
- Encryption of data in flight
- Control access to resources
- A WAF to protect against common attacks
Protect Data in Flight with Encryption
Encrypting traffic to and from the Kubernetes Gateway prevents attackers from intercepting or changing information in transit. Strong encryption builds trust with your users and ensures that you follow necessary data security standards.
Encrypt traffic from client to gateway
With Envoy Gateway and cert-manager, you have a solution for handling TLS connections to your gateway. If you need mTLS, you can also establish that between your calling clients and the gateway.
In Envoy Gateway 1.1, you can now gradually roll out mTLS for your routes, safely migrating calling clients to mTLS without disrupting service.
Encrypt data from the Gateway to the target server
The Backend TLS Policy allows you to define trust chains and certificates for connections between the Gateway and target servers, ensuring you have encryption of all data in flight.
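As an added illustration (not taken from the original article or from Tetrate), the two manifests below sketch both legs of encryption in flight: a ClientTrafficPolicy that validates client certificates while still admitting clients that have none yet, and a BackendTLSPolicy for the gateway-to-backend hop. The resource names, the namespace, the hostname, the `targetRef` form and the `v1alpha3` API version (the one shipped with Gateway API 1.1) are assumptions to adapt to your cluster.

```yaml
# Added example: every name, namespace and hostname here is a placeholder.
# Client -> gateway: validate client certificates against a CA bundle.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: mtls-rollout
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  tls:
    clientValidation:
      # Rollout phase: clients that present no certificate are still accepted.
      # Remove this field (it defaults to false) once every caller has a
      # certificate, so that a client certificate becomes mandatory.
      optional: true
      caCertificateRefs:
      - group: ""
        kind: Secret
        name: client-ca          # Secret holding the CA bundle under ca.crt
---
# Gateway -> backend: originate TLS and verify the server certificate.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: backend-tls
  namespace: default
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: backend
  validation:
    caCertificateRefs:
    - group: ""
      kind: ConfigMap
      name: backend-ca           # ConfigMap holding the CA bundle under ca.crt
    # Name the backend certificate must match; also sent as SNI.
    hostname: backend.example.internal
```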
You can read more about Kubernetes and mTLS in this previous article ›
Control Access, Minimize Risk
The gateway is located at the edge of the Kubernetes cluster, making it a perfect spot to interrogate and enforce authorization for the requested resource.
If you use Envoy Gateway, you have a few tools available to help enforce access control:
- IP Allow/Deny Listing
- Validating JWT access tokens
- Caller identity-based access control through Basic Auth, mTLS, or end-user ID from a token
- Call out to custom external authorization processes
These approaches are not mutually exclusive: most likely, a combination of them is what will appropriately protect your system.
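One way to combine two of these controls on a single route, as an added example that is not part of the original article: an Envoy Gateway SecurityPolicy that requires a valid JWT and, independently, only admits callers from an allow-listed address range. The route name, issuer, audience, JWKS URI and CIDR range are constructed placeholders.

```yaml
# Added example: names, URLs and the CIDR range are placeholders.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: api-access
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend
  # Layer 1: the request must carry a JWT issued by this provider and
  # verifiable against its published signing keys.
  jwt:
    providers:
    - name: corp-idp
      issuer: https://idp.example.com
      audiences:
      - api.example.com
      remoteJWKS:
        uri: https://idp.example.com/.well-known/jwks.json
  # Layer 2: deny by default; allow only callers in the listed range.
  authorization:
    defaultAction: Deny
    rules:
    - name: allow-internal
      action: Allow
      principal:
        clientCIDRs:
        - 10.0.0.0/8
```

The CIDR rule matches the client address as Envoy detects it, so when the gateway sits behind a load balancer, configure client IP detection in a ClientTrafficPolicy before relying on it.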
Web Application Firewall: Your Shield Against Exploits
A Web Application Firewall (WAF) protects your resources from common web attacks like SQL injection and cross-site scripting. It filters out bad traffic before it reaches your services, and as new attack threats appear, you can add protection rules to the WAF.
You can use Envoy Gateway and Coraza WAF to get WAF capabilities at your Kubernetes ingress point. As a Tetrate client, you get both support and deployment enablement for using Envoy Gateway and Coraza WAF together.
Conclusion
In conclusion, prioritizing security at the Kubernetes ingress point is vital for technical leaders to safeguard their organizations and pave the way for success.
Remember, a resilient infrastructure starts with security at every stack layer.