Secure Kubernetes Gateway
On This Page:
Objective
This guide provides instructions on how to create a Secure Kubernetes Gateway using VoltConsole and VoltMesh.
The steps to create Secure Kubernetes Gateway are:
The following images shows the topology of the example for the use case provided in this document:
Using the instructions provided in this guide, you can deploy an Secure K8s Gateway in your Amazon Virtual Private Cloud (Amazon VPC), discover the cluster services from that VPC, setup load balancer for them, and secure those services with javascript challenge and Web Application Firewall (WAF).
The example shown in this guide deploys the Secure K8s Gateway on a single VPC for an application called as hipster-shop deployed in an EKS cluster. The application consists of the following services:
- frontend
- cartservice
- productcatalogservice
- currencyservice
- paymentservice
- shippingservice
- emailservice
- checkoutservice
- recommendationservice
- adservice
- cache
Prerequisites
-
VoltConsole SaaS account.
Note: If you do not have an account, see Create a Volterra Account.
-
Amazon Web Services (AWS) account.
Note: This is required to deploy a Volterra site.
-
Volterra vesctl utility.
Note: See vesctl for more information.
- Docker.
- Self-signed or CA-signed certificate for your application domain.
-
AWS IAM Authenticator.
Note: See IAM Authenticator Installation for more information.
Configuration
The use case provided in this guide sets up a Volterra site as Secure K8s Gateway for the ingress and egress traffic for the K8s cluster deployed in the Amazon VPC. The example web application has a front end service to which all the user requests are sent and it redirects to other services accordingly. The following actions outline the activities in setting up the Secure K8s Gateway:
- The frontend service of the application needs to be externally available. Therefore, a HTTPS load balancer is created with origin pool pointing to the frontend service on the EKS cluster.
- The domain of the load balancer is delegated to Volterra so that Volterra can manage its DNS and TLS certificates.
- Security policies are configured to block egress communication to
Google DNSfor DNS query resolution and allow github, docker, AWS, and other required domains for code repository management. - A WAF configuration is applied to secure the externally available load balancer VIP.
- Javascript challenge is set for the load balancer to apply further protection from attacks such as botnets.
Note: Ensure that you keep the Amazon Elastic IP VIPs ready for later use in configuration.
Step 1: Deploy & Secure Site
The following video shows the site deployment workflow:
Perform the following steps to deploy a Volterra site as the Secure K8s Gateway in your VPC.
Step 1.1: Log into the VoltConsole and create cloud credentials object.
- Select
Manage->Site Management->Cloud Credentialsin the configuration menu of theSystemnamespace. ClickAdd Cloud Credentials. - Enter a name for your credentials object and select
AWS Programmatic Access Credentialsfor theSelect Cloud Credential Typefield. - Enter your AWS access key ID in the
Access Key IDfield.
Step 1.2: Configure AWS secret access key.
- Click
Configureunder theSecret Access Keyfield. - Enter your AWS secret access key into the
Typefield. Ensure that theTextradio button is selected.
- Click
Blindfoldto encrypt your secret using Volterra Blindfold. TheBlindfold configuredmessage gets displayed. - Click
Apply.
Step 1.3: Complete creating the credentials.
Click Save and Exit to complete creating the AWS cloud credentials object.
Step 1.4: Start creating AWS VPC site object.
- Select
Manage->Site Management->AWS VPC Sitein the configuration menu of theSystemnamespace. ClickAdd AWS VPC Site. - Enter a name for your VPC object in the metadata section.
Step 1.4.1: Configure site type selection.
-
Go to
Site Type Selectionsection` and perform the following:- Select a region in the
AWS Regiondrop-down field. This example selectsus-east-2. - Select
New VPC Parametersfor theSelect existing VPC or create new VPCfield. Enter the name tag in theAWS VPC Name Tagfield and enter the CIDR in thePrimary IPv4 CIDR blocksfield. - Select
Ingress/Egress Gateway (Two Interface)for theSelect Ingress Gateway or Ingress/Egress Gatewayfield.
- Select a region in the
Step 1.4.2: Configure ingress/egress gateway nodes.
-
Click
Editto open the two-interface node configuration wizard and enter the configuration as per the following guidelines.- Select an option for the
AWS AZ namefield that matches the configuredAWS Region. - Select
New Subnetfor theSelect Existing Subnet or Create Newfield in theSubnet for Inside Interfacesection. Enter a subnet address in theIPv4 Subnetfield. - Similarly configure a subnet address for the
Subnet for Outside Interfacesection.
- Select an option for the
Step 1.4.3: Configure the site network policy.
-
Go to
Site Network Firewallsection and selectActive Network Policiesfor theManage Network Policyfield. Click on theNetwork Policyfield and selectCreate new network policy. Enter the configuration as per the following guidelines:- Enter a name and enter a CIDR for the
IPv4 Prefix Listfield. This CIDR should be within the CIDR block of the VPC.
- Enter a name and enter a CIDR for the
-
Click
ConfigureunderIngress Rulesand enter the following configuration:- Set a name for the
Rule Namefield and selectAllowfor theActionfield. - Select
Match Protocol and Port Rangesfor theSelect Type of Traffic to Matchfield. - Select
tcpfor theProtocolfield. - Enter a port range for the
List Port of Rangefield. - Click
Apply.
- Set a name for the
-
Click
ConfigureunderEgress Rulesand enter the following configuration:- Set a name for the
Rule Namefield and selectDenyfor theActionfield. This example configures a deny rule for Google DNS query traffic. - Select
IPv4 Prefix Listfor theSelect Other Endpointfield and enter8.8.4.4/32for theIPv4 Prefix Listfield. - Select
Match Application Trafficfor theSelect Type of Traffic to Matchfield. - Select
APPLICATION_DNSfor theApplication Protocolsfield.
- Set a name for the
- Click
Add itemand configure another rule of typeallowfor the endpoint prefix8.8.8.8/32. This is another Google DNS endpoint prefix. - Click
Add itemand configure another rule withAllowaction to allow rest of all egress TCP traffic. - Click
Apply. - Click
Continueto apply the network policy configuration.
Step 1.4.3: Configure the site forward proxy policy.
-
Select
Active Forward Proxy Policiesfor theManage Forward Proxy Policyfield. Click on theForward Proxy Policiesfield and selectCreate new forward proxy policy. Enter the configuration as per the following guidelines:- Enter a name and select
All Proxies on Sitefor theSelect Forward Proxyfield. - Select
Allowed connectionsfor theSelect Policy Rulessection and clickConfigureunder theTLS Domainsfield. - Click
Add item. SelectExact Valuefrom the drop-down list of theEnter Domainfield and entergithub.comfor theExact Valuefield. ClickAdd itemand add the following domains with theSuffix Valuetype. gcr.iostorage.googleapis.comdocker.iodocker.comamazonaws.com
- Enter a name and select
Note: The
Allowed connectionsoption allows the configured TLS domains and HTTP URLs. Everything else is denied.`
- Click
Apply. ClickContinueto apply the forward proxy policy configuration.
Step 1.4.4: Configure static route for the inside interface towards the EKS CIDR.
- Enable
Show Advanced Fieldsin theAdvanced Optionssection. - Select
Simple Static Routefor theStatic Route Config Modefield. - Enter a route for your EKS subnet in the
Simple Static Routefield.
- Click
Applyto return to the AWS VPC site configuration screen.
Step 1.4.5: Complete AWS VPC site object creation.
- Select
Automatic Deploymentfor theSelect Automatic or Assisted Deploymentfield. - Select the AWS credentials created in Step 1.1 for the
Automatic Deploymentfield. - Select an instance type for the node for the
AWS Instance Type for Nodefield in theSite Node Parameterssection. - Enter your public SSH key in the
Public SSH keyfield. This is required to access Volterra site once it is deployed.
- Click
Save and Exitto complete creating the AWS VPC object. The AWS VPC site object gets displayed.
Step 1.5: Deploy AWS VPC site.
- Click on the
Applybutton for the created AWS VPC site object. This will create the VPC site.
- Click
...->Terraform Parameters. ClickApply Statustab. Copy the VPC ID from thetf_outputsection.
Step 1.6: Deploy the EKS cluster and hipster-shop application in it.
The EKS CIDR and VPC ID obtained in Step 1.5 are required for this step.
Step 1.6.1: Download the Volterra quickstart deployment script.
Download the latest quickstart utility:
docker pull gcr.io/volterraio/volt-terraform
Download the deployment script:
docker run --rm -v $(pwd):/opt/bin:rw gcr.io/volterraio/volt-terraform:latest cp /deploy-terraform.sh /opt/bin
Step 1.6.2: Prepare input variables file for terraform deployment. The following example shows the sample entries of the input variables:
{
"access_key": "<aws_access_key>",
"secret_key": "<aws_secret_key>",
"region": "us-east-2",
"vpc_id": "vpc-065cdb075a2f05deb",
"eks_cidr": "192.168.1.0/24",
"deployment": "eks-skg",
"volterra_site_name": "aws-skg-svcs",
"machine_public_key": "<pub-key>"
}
Step 1.6.3: Deploy the EKS cluster and application using the deployment script.
./deploy-terraform.sh apply -p aws -i <tfvars> -tn self-serve/eks_only
Note: The deployment approximately takes 10 to 15 minutes to complete.
- After the deployment is complete, download the kubeconfig files of the created EKS cluster using the following commands:
./deploy-terraform.sh output -n eks-skg eks_kubeconfig > /tmp/eks-test
- Set the
KUBECONFIGenvironment variable with the downloaded kubeconfig file.
export KUBECONFIG=/tmp/eks-test
- Verify that the EKS worker node joined the cluster and pods are deployed on the K8s namespace. Enter the following commands:
kubectl get node -o wide
kubectl get pods -n hipster
Note: The deployment creates
hipsterK8s namespace.
Step 2: Discover & Delegate
Discovering services in the VPC requires configuring service discovery objects for the front end service. Also, this includes delegating the domain to Volterra to manage the DNS and certificates for the domain.
The following video shows the service discovery workflow:
Perform the following steps for discovering services.
Step 2.1: Create a secret discovery object.
Log into the VoltConsole and navigate to Manage -> App Management -> Service Discovery. Click Add Discovery and enter the following configuration:
- Enter a name in the
Namefield. - Select
Sitefor theWherefield and clickSelect ref object. Select the site you created as part of Step 1 and clickSelect ref objectto add the site to discovery configuration. - Select the
Site Local Inside Networkfor theNetwork Typefield. - Select
Kubernetes Service Discoveryfor theSelect How Endpoints are Discoveredfield. - Select
Kubeconfigfor theSelect Kubernetes Credentialsfield. ClickConfigureunder theKubeconfigfield to open the secret configuration. - Enter the kubeconfig downloaded as part of Step 1 in the
Typefield. Ensure that you selectTextradio button.
- Click
Blindfoldand wait till the Blindfold process is complete. ClickApply.
- Click
Save and Exitto create the discovery object.
Verify in VoltConsole that the discovery object is created and discovered services. Click ... -> Show Global Status for the discovery object to view the discovered services.
Step 2.2: Delegate your domain to Volterra.
- From the
systemnamespace, selectManagein the configuration menu. SelectNetworking->Delegated Domainsfrom the options pane and clickAdd delegated domain. - Enter the name for your domain in the
Domain Namefield as per the DNS 1035 standard. Ensure that this is a valid and functional domain. This example configuresskg.helloclouds.appas the domain name. - Select
Managed by Volterrafor theDomain Methodfield.
- Click
Continueto complete creating the delegated domain object. - A TXT string gets generated for the created object and the verification status is set to
DNS_DOMAIN_VERIFICATION_PENDING. Copy the string for use in updating TXT records in your domain. - Add a TXT record in your domain with the verification string generated in the VoltConsole.
- Wait for the domain verification to complete. The status
DNS_DOMAIN_VERIFICATION_SUCCESSindicates that domain is verified. The fieldName Serversnow shows the name servers for the delegated domain.
- Add NS records in your domain with the name servers obtained from the VoltConsole.
Step 3: Load Balancer
A HTTP load balancer is required be configured to make the frontend service externally available. As part of the HTTP load balancer, the origin pools are created that define the origin servers where the frontend service is available.
The following video shows the load balancer creation workflow:
Perform the following to configure load balancer:
Step 3.1: Create a namespace and change to it.
- Select
Generalon the namespace selector. SelectPersonal Management->Manage Namespaces. ClickAdd namespace.
- Enter a name and click
Save. - Click on
Apptab of the namespace selector and click on the namespace drop-down menu and select your namespace to change to it.
Step 3.2:Create HTTP load balancer.
Select Manage -> Load Balancers in the configuration menu and HTTP Load Balancers in the options. Click Add HTTP load balancer.
Step 3.2.1: Enter metadata and set basic configuration.
- Enter a name for your load balancer in the metadata section.
- Enter a domain name in the
Domainsfield. Ensure that its sub-domain is delegated to Volterra. This example setshipster.skg.helloclouds.appdomain. Thehipsterpart is prefix andskg.helloclouds.apppart is the domain delegated in Step 2. - Select
HTTPSfor theSelect Type of Load Balancerfield.
Step 3.2.2: Configure origin pool.
-
Click
Configurein theDefault Origin Serverssection and configure the origin pool as per the following guidelines:- Click
Add itemin theOrigin Poolsconfiguration, ClickCreate new poolto load a new pool creation form. - In the pool creation form, enter a name for your pool in the metadata section.
- In the
Select Type of Origin Serverfield ofBasic Configurationsection, selectk8s Service Name of Origin Server on given Sites. - Enter service name in the
<servivename.k8s-namespace>format for theService Namefield. This example setsfrontend.hipsteras the service name. Thehipsteris the K8s namespace created in Step 1. - Select
Sitefor theSelect Site or Virtual Sitefield and select the site you created in Step 1. - Enter 80 for the
Portfield.
Figure: Origin Pool Configuration - Click
Continueto apply the origin pool and clickApplyto set the origin pool to the load balancer configuration.
- Click
Step 3.2.3: Complete load balancer creation.
Scroll down and click Save and Exit to create load balancer. The load balancer object gets displayed with TLS Info field value as DNS Domain Verification. Wait for it to change to Certificate Valid.
The load balancer is now ready and you can verify it by accessing the domain URL from a browser.
Step 4: Secure App
Securing the ingress and egress traffic includes applying WAF and javascript challenge to the load balancer.
The following video shows the workflow of securing the ingress and egress:
Perform the following steps to configure WAF and javascript challenge:
Step 4.1: Configure WAF to load balancer.
- Select
Manage->Load Balancersfrom the configuration menu and selectHTTP Load Balancersin the options. Click...->Editfor the load balancer for which WAF is to be applied. - Navigate to security configuration and enable
Show Advanced Fieldsoption. SelectSpecify WAF Intentfor theSelect Web Application Firewall (WAF) Configfield. Click on theSpecify WAF Intentfield and clickCreate new WAF. This loads WAF creation form.
- Set a name for the WAF and select
BLOCKfor theModefield. ClickContinueto create WAF and apply to the load balancer.
- Click
Save and Exitto save load balancer configuration. - Verify that the WAF is operating. Enter the following command to apply an SQL injection attack:
docker run --name waf -e APP_URL=https://hipster.skg.helloclouds.app -t madhukar32/waf-client:v0.1
The return status 403 indicates that the WAF is operational and blocks the SQL injection attempt.
- Inspect the WAF events from the load balancer monitoring view. Navigate to
Virtual Hosts->HTTP Load Balancersin the configuration menu and click on your load balancer from the displayed list. ClickApp Firewalltab to view the security information such as security events, bot requests, top rules hit, etc.
Step 4.2:Configure javascript challenge for the load balancer.
- Select
Manage->Load Balancersfrom the configuration menu and selectHTTP Load Balancersin the options. Click...->Editfor the load balancer for which javascript challenge is to be applied. - Select
Javascript Challengefor theSelect Type of Challengefield and clickConfigurefor theJavascript Challengefield. - Enter
3000and1800for theJavascript DelayandCookie Expiry periodfields respectively. This sets the delay as 3000 milliseconds and cookie expiry as 1800 seconds.
- Click
Applyto apply the javascript challenge to load balancer.
- Click
Save and Exitto save load balancer configuration. - Verify that the javascript challenge is applied. Enter your domain URL from a browser. The javascript challenge default page appears for 3000 milliseconds before loading the hipster website.