
Why we need a unified approach to Kubernetes environments


COMMENTARY: Today, organizations struggle to manage disparate technologies for their Kubernetes networking and network security needs. Using separate products for in-cluster, ingress, egress, and cross-cluster traffic creates operational complexity and drives up cost.

For example, to manage ingress traffic for Kubernetes clusters, users cobble together multiple products from different providers, such as ingress controllers or gateways and load balancers for routing traffic, as well as web application firewalls (WAFs) for enhanced security. 


Despite the challenges it brings, deploying disparate technologies has been a “necessary evil” for organizations to get all the capabilities needed for a holistic Kubernetes operation. Let’s explore the challenges this proliferation of tooling introduces, and offer actionable tips for today’s platform and security teams to overcome these issues.

Challenges managing multiple technologies  

The fragmented approach to networking and network security in Kubernetes leads to challenges and inefficiencies, including:

  • Operational overhead: Each technology comes with its own learning curve, setup, configuration, integration, and maintenance requirements, and the skills rarely transfer from one tool to the next.
  • Increased costs: Licensing and operational costs accumulate as more tools are deployed.
  • Scaling challenges: As clusters grow or spread across diverse environments, ensuring consistent and secure networking becomes harder.
  • Security gaps: Disjointed products impair visibility, and a policy enforced at the ingress edge is easily left unenforced on lateral or egress paths.
  • Troubleshooting issues: Without a single pane of glass, tracing a request and pinpointing latency across clusters is a common problem for operators.

Take managing ingress traffic, and everything that goes with it. In a typical Kubernetes environment a user has to manage multiple tools and services, such as cloud provider load balancers, application gateways, and ingress controllers like NGINX, to control traffic flow and security.

This leads to complexity and fragmentation when integrating these components across a cloud infrastructure and Kubernetes clusters. The user must learn each tool: how it works, what its API is, and how to deploy, manage, and troubleshoot it. And when it comes to troubleshooting, logs scattered across different sources make it hard to pinpoint the root cause of a problem, and therefore hard to remediate it.

Deploy holistic products to drive better outcomes  

Organizations can address these challenges by adopting a unified approach to Kubernetes networking. Deploying a single, unified solution for Kubernetes networking from the application to the networking layer eliminates the need for separate tools to manage ingress, egress, in-cluster, and cross-cluster traffic, significantly simplifying operations and reducing costs without compromising performance or security.

The main benefits include:

  • Simplified operations: A single pane of glass for ingress, egress, in-cluster and cross-cluster traffic reduces tool sprawl and configuration overhead.
  • Enhanced network security: A unified approach lets the same network policies cover ingress, lateral (east-west), and egress traffic, closing the gaps left when each path is governed by a different product.
  • Efficient network threat detection: A scalable, workload-based WAF that inspects both east-west and ingress traffic has more context for distinguishing normal from malicious Kubernetes traffic than one that sees only the edge.
  • Improved observability: Unification can offer real-time visibility into traffic flows with detailed metrics and logs for better troubleshooting.
  • Cost efficiency: Eliminates the need for multiple standalone tools to reduce infrastructure and licensing costs.

When weighing which offering may work best for your unique needs, selecting a provider whose ingress gateway implements the Kubernetes Gateway API offers several advantages over traditional ingress controllers. The Gateway API is a Kubernetes SIG Network project designed to improve and standardize service networking in Kubernetes; the project describes it as the next generation of the Kubernetes Ingress, load balancing, and service mesh APIs. Work on it began in 2019 to address the limitations of its predecessor, Kubernetes Ingress, and its core resources (GatewayClass, Gateway, and HTTPRoute) reached general availability with the v1.0 release in October 2023.

Advantages include:

  • Advanced traffic management: HTTPRoute supports header- and path-based matching, weighted backends for traffic splitting, and redirects and rewrites as first-class fields rather than controller-specific annotations.
  • Modular and extensible architecture: The GatewayClass (provider), Gateway (listeners, TLS) and Route (application rules) resources are separate objects, so an organization can change the gateway implementation or add listeners without rewriting application routes.
  • Improved portability and consistency: Implementations are held to a conformance test suite, so a route written for one Gateway API implementation behaves the same on another.
  • Role-based management and multi-tenancy: The API is built around three personas (infrastructure provider, cluster operator, application developer), and a Gateway declares which namespaces may attach routes to it, which keeps tenants from claiming each other's hostnames.
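The role separation in the last two bullets is visible in the manifests themselves. The example below is added here and is not code from the column or from any vendor: a platform team owns a shared `Gateway` in an `ingress-system` namespace, and an application team attaches an `HTTPRoute` from its own `shop` namespace. The GatewayClass name `example-gw`, the namespaces, labels, hostnames, Secret name and Service names are all assumptions.

```yaml
# Added example (not from the column). Class name, namespaces, labels,
# hostnames and Service names are assumed.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gw
  namespace: ingress-system           # owned by the cluster operator / platform team
spec:
  gatewayClassName: example-gw        # provisioned by the infrastructure provider
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-example-com    # same namespace as the Gateway, so no ReferenceGrant needed
      allowedRoutes:
        # The weak setting is `from: All`, which lets any namespace attach a
        # route and claim any hostname under *.example.com. Restrict attachment
        # to namespaces the operator has explicitly labelled.
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: "true"
---
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    gateway-access: "true"            # granted by the cluster operator, not the tenant
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop-route
  namespace: shop                     # owned by the application team
spec:
  parentRefs:
    - name: shared-gw
      namespace: ingress-system
      sectionName: https              # attach to the HTTPS listener only
  hostnames:
    - "shop.example.com"              # must fall under the listener's *.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api                   # Service in the "shop" namespace
          port: 9000
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: web
          port: 8080
```

The application team can edit `shop-route` freely but cannot change TLS settings, ports, or which namespaces are allowed, because those live on the `Gateway` object that RBAC scopes to the platform team. If the `shop` namespace lacked the `gateway-access: "true"` label, the route would stay unattached and the Gateway's status would report it as not accepted, which is the check to look for when a tenant reports that its hostname is not being served.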

Organizations in nearly every industry rely on containerized applications and container orchestrators like Kubernetes to run their business or deliver their products or services. As organizations scale their Kubernetes environments, it's important to adopt processes and tools that offer the flexibility, security, and efficiency needed to meet the demands of modern application architectures.

Peter Kelly, vice president of engineering, Tigera

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
