Is Your Kubernetes Ingress at Risk? Here’s How to Keep Your Ingress Secure


As you manage your technology platform, you balance multiple, sometimes competing factors to keep your digital infrastructure safe every day. You are protecting not just the perimeter but everything inside it too, and, along with it, your company’s reputation.

One critical point to protect is the Kubernetes cluster ingress. Encryption, authorization, and a Web Application Firewall (WAF) can make a big difference there. Investing in common, easy-to-adopt security for your entry points reduces risk and lets teams be more creative and adaptable.

Envoy Gateway as your Kubernetes Gateway API implementation, its security policies, and the Coraza WAF are effective ways to use the power of Envoy Proxy to strengthen your Kubernetes ingress security.


Beware: Attackers Inside the Network Edge

Cyber attackers often find ways to get in and move around undetected, so it’s critical to have strong security measures in place at every level of your system. Don’t just lock the front door; lock every door in your house.

By enforcing encryption, authorization, and a WAF at the Kubernetes ingress itself, you keep protection in place even when an attacker has bypassed your edge WAF or reached the cluster network some other way. Attackers who get past the outer defenses then face barriers at every stage, which makes success much harder.

Start by focusing on three areas:

  1. Encryption of data in flight
  2. Access control for requested resources
  3. A WAF against common web attacks

Protect Data in Flight with Encryption

Encrypting traffic into and out of the Kubernetes Gateway prevents attackers from reading or tampering with data in transit. Strong encryption builds trust with your users and helps you meet the data-security standards you are subject to.

Encrypt traffic from client to gateway

With Envoy Gateway and cert-manager, you have a solution for issuing, renewing, and terminating TLS certificates at your gateway. If you need mutual TLS (mTLS), the gateway can also validate client certificates presented by the calling clients.

In Envoy Gateway 1.1, you can roll out mTLS gradually: client certificate validation can be made optional for a transition period, so you can migrate calling clients to mTLS without disrupting service.
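The manifests below are an added example, not configuration from the original article or from the Envoy Gateway or cert-manager projects. They assume Envoy Gateway 1.1 with a GatewayClass named eg, Gateway API v1, cert-manager with its Gateway API support enabled, a ClusterIssuer named letsencrypt-prod, and a Secret named client-ca holding the client CA bundle under the key ca.crt; the hostname and all resource names are placeholders.

```yaml
# Added example (not from the article). Assumes Envoy Gateway 1.1, Gateway API v1,
# a GatewayClass "eg", cert-manager with Gateway API support enabled, and a
# ClusterIssuer "letsencrypt-prod". All names and the hostname are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: default
  annotations:
    # cert-manager's gateway shim creates a Certificate for each HTTPS listener
    # and writes the issued cert/key into the Secret named in certificateRefs,
    # so renewal is automatic and no private key is handled by a human.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: eg
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: www.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: www-example-com-tls
    allowedRoutes:
      namespaces:
        from: Same
---
# Client-certificate validation for every listener on the Gateway.
# "optional: true" is the gradual-rollout mode: a client that presents a
# certificate is validated against the CA bundle, while a client that presents
# none is still admitted. Once every caller has been migrated, remove
# "optional" (or set it to false) and mTLS becomes mandatory.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-mtls
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  tls:
    clientValidation:
      optional: true
      caCertificateRefs:
      - kind: Secret
        group: ""
        name: client-ca   # assumed Secret; CA bundle under key "ca.crt"
```

During the optional phase, the gateway no longer tells you which callers have not migrated, so watch access logs for requests without a client certificate before flipping the switch. A quick check from a workstation is to connect with openssl s_client once without a client certificate and once with -cert/-key signed by the client CA: both should succeed while optional is true, and only the second should succeed after you remove it.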

Encrypt data from the Gateway to the target server

The Gateway API BackendTLSPolicy lets you define which CA certificates the Gateway uses to verify target servers and which hostname it validates against, so every hop of data in flight is encrypted and the gateway only talks to backends it can verify.
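As an added example, not taken from the article or from the Gateway API project, this BackendTLSPolicy re-encrypts traffic from the gateway to a backend Service. It assumes Gateway API v1.1 (BackendTLSPolicy v1alpha3, as used with Envoy Gateway 1.1), a Service named backend in the default namespace with a named port https that serves TLS, and a ConfigMap named backend-ca carrying the issuing CA bundle under the key ca.crt; all names are placeholders.

```yaml
# Added example (not from the article). Assumes Gateway API v1.1 / Envoy Gateway 1.1,
# a Service "backend" with a named port "https" that speaks TLS, and a ConfigMap
# "backend-ca" holding the CA bundle under "ca.crt". All names are placeholders.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: backend-tls
  namespace: default
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: backend
    sectionName: https     # the named Service port that speaks TLS
  validation:
    # The gateway verifies the backend's chain against this CA only; system
    # roots are not consulted unless you use wellKnownCACertificates instead.
    caCertificateRefs:
    - group: ""
      kind: ConfigMap
      name: backend-ca
    # Sent as SNI and checked against the backend certificate's SANs. If it does
    # not match, the upstream handshake fails closed and the backend receives no
    # traffic, which is the behaviour you want from an unverifiable server.
    hostname: backend.default.svc.cluster.local
```

The hostname is the part teams most often get wrong: the backend certificate must carry it as a SAN, and the value here must be the name you want verified, not whatever the Service happens to be called. When the policy's status shows it accepted but requests return 503, check the SAN first.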

You can read more about Kubernetes and mTLS in this previous article ›

Control Access, Minimize Risk

The gateway is located at the edge of the Kubernetes cluster, making it a perfect spot to interrogate and enforce authorization for the requested resource.

If you use Envoy Gateway, you have a few tools available to help enforce access control:

  • IP Allow/Deny Listing 
  • Validating JWT access tokens
  • Caller identity-based access control through Basic Auth, mTLS, or end-user ID from a token
  • Call out to custom external authorization processes

These are not either/or choices; a combination of them is most likely what will protect your system appropriately.
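The following two policies are an added example, not configuration from the article or from the Envoy Gateway project, showing IP allow-listing and JWT validation combined on one route. They assume Envoy Gateway 1.1, a Gateway named eg, an HTTPRoute named api in the default namespace, a load balancer in front of the gateway that appends exactly one X-Forwarded-For hop, and an identity provider at idp.example.com; the CIDRs, issuer, audience, and names are placeholders.

```yaml
# Added example (not from the article). Assumes Envoy Gateway 1.1, a Gateway "eg",
# an HTTPRoute "api", one trusted proxy hop in front of the gateway, and an IdP
# at idp.example.com. CIDRs, issuer, audience and names are placeholders.
#
# 1. Tell the gateway how many proxies sit in front of it. Without this, the
#    "client IP" the gateway evaluates is the load balancer's address, and a
#    CIDR allow list either blocks everyone or, worse, trusts a spoofable
#    X-Forwarded-For value written by the client.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: trusted-hops
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  clientIPDetection:
    xForwardedFor:
      numTrustedHops: 1
---
# 2. Require a valid JWT on the route and admit only the corporate ranges.
#    A request failing the JWT check gets 401; one from outside the CIDRs gets 403.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: api-access
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api
  jwt:
    providers:
    - name: corp-idp
      issuer: https://idp.example.com/
      audiences:
      - api.example.com
      remoteJWKS:
        uri: https://idp.example.com/.well-known/jwks.json
      # Pass the verified subject to the backend in a header the gateway sets
      # itself (overwriting any value the client sent), so the backend never
      # has to parse or trust the raw token.
      claimToHeaders:
      - claim: sub
        header: x-verified-sub
  authorization:
    defaultAction: Deny
    rules:
    - name: allow-corp-ranges
      action: Allow
      principal:
        clientCIDRs:
        - 10.20.0.0/16
        - 203.0.113.0/24
```

Set numTrustedHops to the exact number of proxies you control; one too many and a client can inject its own X-Forwarded-For entry and pick whichever source address the allow list accepts. Test the allow list from an address outside the CIDRs with a valid token and confirm you receive 403, not 200.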

Web Application Firewall: Your Shield Against Exploits

A Web Application Firewall (WAF) protects your resources from common web attacks like SQL injection and cross-site scripting. It filters out bad traffic before it reaches your services, and as new attack threats appear, you can add protection rules to the WAF.

You can use Envoy Gateway and Coraza WAF to get WAF capabilities at your Kubernetes ingress point. As a Tetrate client, you get both support and deployment enablement for using Envoy Gateway and Coraza WAF together.
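As an added example, not Tetrate's packaged configuration or the article's own, this EnvoyExtensionPolicy loads the upstream Coraza proxy-wasm module onto a route with the OWASP Core Rule Set. It assumes Envoy Gateway 1.1 with Wasm extension support, an HTTPRoute named api in the default namespace, and the Coraza project's container image; the image tag is a placeholder you should replace with a digest you have verified.

```yaml
# Added example (not from the article and not Tetrate's packaged configuration).
# Assumes Envoy Gateway 1.1 with Wasm extensions, an HTTPRoute "api" in namespace
# "default", and the upstream Coraza proxy-wasm image. The tag is a placeholder;
# pin the digest you have verified before deploying.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
  name: coraza-waf
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api
  wasm:
  - name: coraza
    code:
      type: Image
      image:
        url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:0.5.0   # assumed tag
    # Handed to the module as its plugin configuration (Coraza's own format).
    config:
      directives_map:
        default:
        # Start in DetectionOnly: requests are scored and logged but never
        # blocked, so you can tune false positives before switching to "On".
        - SecRuleEngine DetectionOnly
        # Recommended base config and CRS bundled inside the module image.
        - Include @recommended-conf
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
        # A local rule of your own: reject obvious path traversal outright
        # once the engine is switched to "On".
        - 'SecRule REQUEST_URI "@contains ../" "id:1001,phase:1,deny,status:403"'
      default_directives: default
```

Run with DetectionOnly for a representative traffic window, review the CRS anomaly-score log entries for legitimate requests that would have been blocked, add exclusions for those, and only then change the engine to On. Treat the module image like any other dependency in your supply chain: pull it by digest, and verify it with the project's signatures if you do not build it yourself.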

Conclusion

Prioritizing security at the Kubernetes ingress point is vital for technical leaders who want to safeguard their organizations and pave the way for success.

Remember, a resilient infrastructure starts with security at every stack layer.
