As Kubernetes adoption continues to soar, there is a greater emphasis on securing the Kubernetes environments with more robust measures. One of the core elements of Kubernetes is the Ingress and securing it is crucial to preventing cyberattacks and breaches. This blog dives into the basics of Kubernetes Ingress – what it is, why it is used, and, more importantly, how to best secure it.
What is Kubernetes Ingress?
In a Kubernetes environment, pods and services running inside a cluster are not made accessible to users, applications, or workloads outside the cluster by default. They are exposed to external clients using an API-based resource object called the Kubernetes Ingress.
The Ingress defines the rules for routing external traffic to services within the cluster. It includes details such as host names, paths, and backend services that govern how external clients access cluster services. In other words, Ingress serves as an entry point or a gateway into the cluster, managing incoming traffic and routing requests to the appropriate cluster services, providing better access control.
Implementing the routing rules defined in the Ingress resource requires an edge proxy, often called the Ingress Controller. This controller reads the Ingress resource information and configures the underlying infrastructure accordingly to route the traffic to the pods while load balancing it. Some of the popular Ingress controllers are NGINX, GKE Ingress, Traefik, Kong, and Rancher.
How It Works
Typically, the load balancer located outside the cluster guides the internet traffic to the edge proxy (Ingress controller) active within the cluster. The edge proxy accepts the traffic, reads the information in the Ingress resource and directs traffic to appropriate services and pods based on the requests. The edge proxy also continuously monitors pods to automatically update load balancing rules, whenever pods are added or removed.
Benefits of Using Kubernetes Ingress
- Centralized Routing: Ingress provides a single, central way to manage routing rules and configurations for handling incoming traffic to different services. This also makes it easier to update routing configurations without affecting other active services.
- Load Balancing: Ingress controllers help manage applications better by distributing incoming traffic across multiple backend service instances. This eliminates the need to create and manage individual load balancers for each application.
- Resource Efficiency: When multiple services on a single cluster need to be accessible from outside, you can use Ingress to define rules for routing traffic to different services based on their URL paths and domain names. This approach eliminates the need for multiple IP addresses for a single cluster and improves resource efficiency.
With the above benefits and more, Ingress not only simplifies application traffic management but also hardens cluster security by significantly limiting the attack surface. While there are other ways of exposing cluster services to outside networks, Ingress is considered a better approach as it eliminates the need to expose services separately and enables centralized traffic management.
Given how indispensable Ingress is to Kubernetes, it is essential to strongly secure it to ensure that only authorized traffic reaches the applications and cluster communications remain secure from attacks and breaches.
Generally, network policies are applied to pods to protect the services within. However, this approach does not fully address security risks as it is more application-centric. Network policies only help pods determine if they must accept or deny a connection based on the list of approved connections specified in the policy. They do not help authenticate connections or secure communications between two pods or with external clients. This is where SSL/TLS helps.
How SSL/TLS Helps Secure Kubernetes Ingress
Configuring the Ingress with SSL/TLS is one of the highly recommended ways of securing the web traffic entering your Kubernetes cluster. SSL/TLS is a public key infrastructure (PKI) based security protocol used to identify and authenticate machines (device, application, workload) and encrypt machine-to-machine communications to ensure secure internet connections and transactions. SSL/TLS certificates are proof of identity issued by trusted Certificate Authorities that facilitate authentication and encryption during machine to machine communications.
(Note: TLS is the latest version of the protocol although many continue to refer to TLS as SSL, its predecessor.)
TLS helps protect Ingress points in two ways – authentication and encryption.
1. Secure Authentication:
When a TLS certificate is added to the Ingress, any client requesting cluster access can first verify the identity of the Ingress by validating the TLS certificate presented by the Ingress controller (or server) during the TLS handshake process. Authenticating the Ingress helps ensure clients connect to a legitimate Ingress point and not an imposter, establishing a secure network connection and preventing attacks, such as man-in-the-middle.
- Client Authentication (mTLS Authentication)
In addition to server authentication, TLS can also be used to authenticate clients connecting to an Ingress point. When both the server and client are set up to authenticate each other, this is referred to as mutual TLS (mTLS) authentication. By definition, mutual TLS is a two-way authentication process where the identities of both the communicating parties are validated to establish a secure connection.
In Kubernetes, when mTLS is applied to the Ingress, the clients are required to present their TLS certificates to the Ingress controller (server) and the Ingress will present its certificate to the client during the TLS handshake. The Ingress controller and the client will then verify each other’s identities and decide whether to allow the connection based on predetermined access control policies. With respect to the client, only if it is trusted and authorized to access the resource in question, will it be permitted access.
As multiple users and teams use the Ingress controller for various purposes, authenticating every access request with mTLS provides an additional layer of security, ensuring no malicious actors can impersonate and access the services within the cluster.
2. Securing the North-South Communication
Encryption is a must for web traffic entering the cluster through the Ingress as the communication is in plain text. When a client sends a request to an Ingress point, TLS ensures that the data transmitted over the network is encrypted, eliminating the possibility of attackers intercepting or tampering with the information. This protects sensitive data, such as login credentials, personal information, and other confidential data, from being exposed.
Implementing TLS for Ingress points also helps ensure compliance. Many security standards and regulations require TLS encryption to protect sensitive data. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates using TLS to transmit cardholder data over public networks.
Ingress is a vital part of Kubernetes, and securing it allows you to make the most of it while fortifying your application security. Implementing TLS at the Ingress helps enable secure access and establish trusted communication channels for Kubernetes services, ensuring their availability, confidentiality, and integrity at all times. TLS also helps align with the principles of Zero Trust by considering all external traffic as untrusted and authenticating all requests before providing cluster access.
How AppViewX Helps Simplify Certificate Lifecycle Management for Kubernetes
Most organizations today use manual processes and open source tools to manage certificates in Kubernetes environments. Lack of visibility and integrations coupled with extensive manual effort make certificate processes a significant challenge for DevOps and security teams, impacting both productivity and security.
AppViewX effectively addresses this problem with an enterprise certificate lifecycle management solution built for Kubernetes environments. It provides a central solution to discover, manage, automate, and govern certificates across containerized workloads for simple, fast, and effective certificate lifecycle management. AppViewX brings together visibility, automation, and policy-driven control – all in one place – to make certificate processes streamlined for DevOps and reliable for security teams.