A Use Case to Secure Kubernetes Network Connections
One of the stumbling blocks organizations typically experience when making the shift to a Kubernetes and microservices infrastructure is sharing and securing data dynamically.
In a traditional monolithic infrastructure, a single firewall largely sufficed to confine and monitor data and to manage the security layers within a single perimeter. However, applications and data shared between and within Kubernetes clusters typically extend across different cloud and on-premises environments.
As Nicole Hubbard, a developer advocate for HashiCorp observed, customers constantly face difficulties when trying to secure the communication between their services running inside of a Kubernetes cluster. The dilemma often involves trying to figure out how to lock down communications between the applications inside and outside clusters or with apps between clusters, Hubbard said.
In this edition of The New Stack Makers podcast recorded live at Palo Alto Networks’ studio in Santa Clara, CA, Hubbard shows how Consul Connect with Envoy can help to securely maintain data communication between different Kubernetes and microservices environments.
Consul is responsible for defining the roles, defining and tracking what services are available, and provisioning that information to the data plane so that the data plane knows how to move traffic around, Hubbard said. The data plane is basically a pluggable proxy that receives this information from the control plane and uses it to route data to the correct place.
“If you look at the different ways you can run applications, you can run them everywhere between mainframes, your own hardware in your own data centers, virtual machines or even as far as containers and functions that are serverless. But the one thing that’s common between all of these is the network. You have to secure the communication between all the different services, no matter where they’re running,” Hubbard said. “But as you grow and you start to break these out into microservices, you run into the problem of how does ‘a’ talk to ‘b’ and how do I find where ‘b’ is.”
Hubbard described how some bank partners can have as many as 4,000 services “that won’t scale with VLANs or firewall rules, without an extremely high operational overhead.” Within a service mesh, Hubbard explained, there is a control plane and a data plane, while “the control plane for us is Consul.” “And what Consul is responsible for is defining the roles, defining and tracking what services are available as well as provisioning that information to the data plane so that the data plane knows how to move traffic around,” Hubbard said. “The data plane is basically a pluggable proxy that receives this information from the control plane and uses it to route data correctly to the correct place.”
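To make the control-plane/data-plane split concrete, here is an added example (not from the podcast or from HashiCorp's own material) of how the “how does ‘a’ talk to ‘b’” problem is expressed in Consul Connect on Kubernetes. It assumes Consul is installed with the consul-k8s Connect injector and the ServiceIntentions CRD available, and uses two hypothetical services named `a` and `b`; the port 9090 and the image names are placeholders. The control plane (Consul) holds the intention, and the injected Envoy sidecar (the data plane) enforces it on mTLS-authenticated connections, so the rule follows the workload wherever it is scheduled rather than being tied to an IP or VLAN.

```yaml
# Service "a" joins the mesh via the Connect injector. The annotation adds an
# Envoy sidecar; the upstream annotation exposes "b" on localhost:9090 inside
# the pod, so "a" never needs to know where "b" actually runs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: a
spec:
  replicas: 1
  selector:
    matchLabels: { app: a }
  template:
    metadata:
      labels: { app: a }
      annotations:
        consul.hashicorp.com/connect-inject: "true"
        consul.hashicorp.com/connect-service-upstreams: "b:9090"   # placeholder port
    spec:
      serviceAccountName: a
      containers:
        - name: a
          image: example.invalid/a:latest   # placeholder image
          env:
            - name: B_ADDR
              value: "http://127.0.0.1:9090"   # reaches "b" through the local sidecar
---
# Intentions are the control-plane policy: which identities may call "b".
# Everything not explicitly allowed is denied by the wildcard rule, so adding
# a new caller is a one-line change instead of a firewall ticket.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: b
spec:
  destination:
    name: b
  sources:
    - name: a
      action: allow
    - name: "*"
      action: deny
```

Because the sidecar identifies the caller by its service certificate rather than its source address, the same intention keeps working when `a` is moved to another cluster or a VM that is also enrolled in the mesh. A useful operational check is to make the wildcard deny rule the default and treat every `allow` entry as an auditable exception.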
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event held Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you online wherever you may be.