Get the most out of Kubernetes with NGINX: Production-Grade Application Delivery
©2020 F5

Meet the speakers:
• Jenn Gile, Product Marketing Manager, NGINX Solutions (NGINX, part of F5)
• Owen Garrett, Sr. Director Product Management
Trends and Challenges in Kubernetes: Agility vs Security
• 70% will run containerized apps in production by 2023
• 94% experienced a security incident in Kubernetes/container environments during the last year
• 44% delayed or halted containerized app deployment into production
You rely on a rich set of services to deliver an application
[Diagram: from the Customer to the Code, traffic passes DNS, DDoS protection, CDN, load balancer, API gateway and App Security (owned by NetOps / Operations), then the Ingress Controller, per-service proxy, per-pod proxy, service mesh network, pods and the app / web server (owned by DevOps / Applications).]

Multiple locations to deploy Application Services:
• Edge: external load balancers and proxies
• Ingress Controller: entry point into Kubernetes
• Per-Service Proxy: interior service proxy tier
• Per-Pod Proxy: proxy embedded in the pod
• Service Mesh network: L7 traffic processing
NGINX is a perfect fit for a Container Platform
[Charts: "The top 10 open source solutions running in containers" (Source: Sysdig Container Usage Report 2019) and "Top Ingress Providers" (Source: CNCF Survey 2019).]
CONFIDENTIAL
An Analogy: A Microservices App is like a Factory
We're building bicycles on demand. Orders are checked, then come in through the factory gates. They are handled by a fulfillment team:
• Assembly:
  − Frame, Wheelset, Gears
• Finishing
• Packaging
  − QA
[Diagram: Edge, Ingress, Fulfillment, Assembly (Frame, Wheels (Rims, Tires), Gears), Finishing, Packing, QA.]

What do we mean by 'Application Delivery services'?
Application Delivery in our Factory:
• A 'pod' is a production room
• A 'service' is a group of pods
We might need additional App Delivery services, per service or per pod:
• Security and authentication
• Load balancing
• Health checks
• Traffic management (redirects, routing, canary, B/G, rate limiting, etc.)
• Monitoring: L7 metrics
• Tracing
How do we do it?

NGINX Ingress Controller:
• Single pod deployment, running in K8s as NodePort
• Rich, app-oriented configuration using both Kubernetes and NGINX Ingress Resources
• Supports DevOps use cases: routing, B/G, circuit breaker
• Multi-tenant, secure RBAC
[Diagram: NGINX Ingress Controller in the container environment (Node 1, Node 2, OpenShift) integrated with Orchestration, Visibility and Analytics, Tracing and App Services Across Network; dotted line = integration control plane, solid line = traffic data plane.]

Manage Complexity in Production with Kubernetes & NGINX Ingress Controller
[Comparison of basic Ingress solutions with NGINX Ingress Controller by number of apps and teams served; NGINX Ingress Controller targets many apps and many teams.]
Many apps and many teams:
• Multi-tenant configuration
• Supports both Kubernetes and NGINX Ingress Resources
Native protocol support:
• HTTP, HTTPS, HTTP/2, gRPC
• TLS passthrough, TCP and UDP
Advanced load balancing:
• Content-based routing
• Rate limiting
• JWT authentication
Security:
• Mutual TLS
• App Protect WAF
Operations:
• Canary and blue-green releases
• A/B testing
• Health checks
• App-specific metrics
NGINX Ingress Controller - Architecture
[Diagram: the Ingress Controller daemon watches the Kubernetes API for Kubernetes Ingress Resources, NGINX Ingress Resources and service information (hello-svc), rewrites nginx.conf or updates NGINX Plus through its API, and NGINX or NGINX Plus receives traffic on the External IP and proxies it to the service's pods. The hello-ingress resource below is the example input.]

Kubernetes Ingress Resources

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: hello-ingress
      annotations:
        kubernetes.io/ingress.class: "nginx"
        # App Protect security policy
        appprotect.f5.com/app-protect-policy: "default/dataguard-alarm"
        appprotect.f5.com/app-protect-enable: "True"
        # App Protect log configuration
        appprotect.f5.com/app-protect-security-log-enable: "True"
        appprotect.f5.com/app-protect-security-log: "default/logconf"
        appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.27.2.34:514"
    spec:
      tls:
      - hosts:
        - hello.example.com
        secretName: hello-secret
      rules:
      - host: hello.example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: hello-svc
              servicePort: 80
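As an added example (not from the deck and not NGINX's own code), a small Python lint for the annotations on this Ingress resource: it checks that App Protect is enabled, that the policy and log configuration are referenced as namespace/name, that a log destination is set, and that every routed host is covered by spec.tls. It assumes the manifest has already been loaded into a dict and works on constructed copies of the slide's hello-ingress.

```python
# Added example (not from the deck or from NGINX): lint an Ingress resource for the
# App Protect annotations shown above and for TLS coverage of its hosts. Manifests
# are embedded as dicts so it runs offline; a real check would load the YAML or
# receive the object from a validating admission webhook.
import copy
import re

AP = "appprotect.f5.com/app-protect-"
NS_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?/[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")  # ns/name
SYSLOG = re.compile(r"^syslog:server=[^:\s]+:\d{1,5}$")  # form used on the slide

def _is_true(value):
    return str(value).strip().lower() == "true"

def lint_ingress(manifest):
    """Return a list of findings; an empty list means the Ingress passes."""
    findings = []
    meta = manifest.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    if ann.get("kubernetes.io/ingress.class") != "nginx":
        findings.append(f"{name}: ingress.class is not 'nginx', App Protect annotations are ignored")
    if not _is_true(ann.get(AP + "enable")):
        findings.append(f"{name}: App Protect is not enabled (app-protect-enable != True)")
    policy = ann.get(AP + "policy", "")
    if not NS_NAME.match(policy):
        findings.append(f"{name}: app-protect-policy must be namespace/name, got {policy!r}")
    if not _is_true(ann.get(AP + "security-log-enable")):
        findings.append(f"{name}: security logging is off, WAF events will not be exported")
    else:
        logconf = ann.get(AP + "security-log", "")
        dest = ann.get(AP + "security-log-destination", "")
        if not NS_NAME.match(logconf):
            findings.append(f"{name}: app-protect-security-log must be namespace/name, got {logconf!r}")
        if not dest or (dest.startswith("syslog:") and not SYSLOG.match(dest)):
            findings.append(f"{name}: missing or malformed security log destination {dest!r}")
    # A host routed under spec.rules but absent from spec.tls is served in clear text
    spec = manifest.get("spec", {})
    tls_hosts = {h for block in spec.get("tls", []) for h in block.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"{name}: host {host} is routed without a TLS entry")
    return findings

# Constructed manifest mirroring the slide's hello-ingress (paths omitted, the lint does not read them)
HELLO_INGRESS = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "hello-ingress", "annotations": {
        "kubernetes.io/ingress.class": "nginx",
        AP + "policy": "default/dataguard-alarm",
        AP + "enable": "True",
        AP + "security-log-enable": "True",
        AP + "security-log": "default/logconf",
        AP + "security-log-destination": "syslog:server=10.27.2.34:514"}},
    "spec": {"tls": [{"hosts": ["hello.example.com"], "secretName": "hello-secret"}],
             "rules": [{"host": "hello.example.com"}]},
}
# Constructed weakened copy: WAF disabled, policy reference without namespace, no TLS block
WEAK_INGRESS = copy.deepcopy(HELLO_INGRESS)
WEAK_INGRESS["metadata"]["name"] = "weak-ingress"
WEAK_INGRESS["metadata"]["annotations"][AP + "enable"] = "False"
WEAK_INGRESS["metadata"]["annotations"][AP + "policy"] = "dataguard-alarm"
del WEAK_INGRESS["spec"]["tls"]
```

Running lint_ingress(HELLO_INGRESS) returns no findings, while lint_ingress(WEAK_INGRESS) reports the disabled WAF, the malformed policy reference and the host served without TLS.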
NGINX Ingress Resources

VirtualServer:
• Host
• TLS
• Policies
• Upstreams
• Routes:
  − Path
  − Policies
  − Action: pass, redirect, return, proxy
  − Split
  − Match
  − Route (delegation to a VirtualServerRoute)
  − ErrorPage

VirtualServerRoute:
• Host
• Upstreams
• Subroutes:
  − Path
  − Policies
  − Action: pass, redirect, return, proxy
  − Split
  − Match
  − ErrorPage

Policies (attachable to a VirtualServer, a Route or a Subroute):
• Access Control
• Rate Limiting
• Authentication (JWT)
• Ingress mTLS
• Egress mTLS

Snippets:
• Server and HTTP snippets: NGINX server configuration and NGINX http configuration
• Location snippets: NGINX location configuration
Take Security as a case in point

Consider two different WAF user profiles
NetOps/SecOps:
• Centralized Ops team
• Set of stable applications
• Top concern: governance, stability and predictability
DevSecOps/DevOps:
• Democratized, distributed teams
• Multiple applications, many actively developed
• Top concern: time-to-market, speed to innovate

Summary

                  At Edge                          Ingress Controller           Per-Service Proxy   Per-Pod Proxy   Within Mesh (future)
Audience          SecOps                           SecOps/DevSecOps             DevSecOps           DevOps          DevOps
Scope             Global                           Per service / URI            Per service         Per endpoint    Fine-grained
Cost/Efficiency   Good/Excellent (consolidation)   Excellent (consolidation)    Good                Poor            Unclear
Configuration     nginx.conf                       K8s API                      nginx.conf          nginx.conf      Mesh control plane
User Demand       High                             High                         Medium              Low             Unclear
WAF Deployment at the Edge: deploy WAF policies outside Kubernetes, on a local BIG-IP or a cloud-based WAF
NetOps/SecOps-centric approach:
• This is a prime use case for the Edge load balancer, i.e. outside K8s.
• NetOps/SecOps empower their App/DevOps brethren to consume F5 application services in an automated manner.
• Can also be provided using F5 aWAF.
Appropriate for NetOps/SecOps-managed WAF.

WAF Deployment on the Ingress Controller: deploy WAF policies on the Ingress Controller, configured using the Kubernetes API
K8s SecOps/DevSecOps-centric approach:
• Appropriate solution when WAF policies are under the direction of NetOps or DevOps teams.
• Policies are defined and associated with services using the Kubernetes API.
• NGINX Ingress Controller RBAC allows:
  − Admin users to enforce policies per listener
  − DevOps users to select a policy per Ingress Resource
• Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).
Appropriate for Kubernetes-native SecOps or DevSecOps.

WAF Deployment within Kubernetes, for a specific service: deploy WAF policies for a specific service using a proxy tier in front of the service
DevSecOps-centric approach:
• Appropriate solution when WAF policies are under the direction of the DevSecOps team and specific to a small number of services.
• WAF is implemented using a front-end proxy service for the protected service(s):
  − Easy to deploy securely
  − WAF updates require re-deployment of the per-service proxy tier
• Allows for greater resource control and reduces the complexity of the IC configuration.
Appropriate for DevSecOps-managed WAF for a specific service.

WAF Deployment within Kubernetes, for a specific pod: deploy WAF policies for a specific pod/instance, embedding NGINX Plus within the pod
AppOwner-centric approach:
• Appropriate solution when the App Owner has full control of the WAF for their application.
• WAF is implemented using an embedded proxy for each application pod:
  − Implemented, tested and deployed using the CI/CD pipeline
  − WAF updates require re-deployment of application pods
• Suitable for services that require very close control and testing of the WAF configuration.
Appropriate when the AppOwner has full control over WAF policies.
Good use case: I have a large legacy application that I have packaged as a container. This application has vulnerabilities.
DEMO

Enterprise-Grade Application Delivery: NGINX + Kubernetes
Secure your apps:
• NGINX Ingress Controller: drive application traffic at scale
• JWT Authentication: validate authorized users via JWT token verification
• NGINX App Protect: modern app-security solution built on F5's market-leading WAF

Q&A

Request your free trial today! Read Owen's blogs to learn more: bit.ly/2I7Hg1J
