EnRoute Ingress allows you to configure any security policy for a service at Kubernetes Ingress in One Step
Examples include:
- Get, Verify and Install SSL Certificate from Let’s Encrypt
- Rate Limit configuration for service
- JWT Validation for Service
- Attach Lua script to request/response path for the service
- Enable CORS for the service
Apart from this, in the near future, we plan on extending support for:
- Set up external-dns to auto-create DNS records and set up DNS auto certificate renewal
- More security blocks like a CSRF filter to prevent request forgery and IP Tagging to tag trusted IP addresses
- More programmability using WASM to provide WebAssembly code invocation capability out of the box
The EnRoute model is a truly declarative service policy. Service policy does not need configuration; declaring it is sufficient. Once declared, policy configuration is automatically created and enforced for the service.
For example, to enable the JWT plugin, simply invoke:

    helm install httpbin-service-policy saaras/service-policy \
      --set service.namespace=demo-service \
      --set service.name=httpbin \
      --set service.port=80 \
      --set filters.jwt.enable=true

This enables the JWT plugin for the service.
Update L7 Policy blocks using same abstraction
L7 Policy blocks (like SSL, CORS, JWT, Rate-Limit etc.) can be included/excluded declaratively. They can be added or removed using a single helm command.
The helm chart supports enabling/disabling filters for the service:

    helm upgrade httpbin-service-policy saaras/service-policy \
      --set service.namespace=demo-service \
      --set service.name=httpbin \
      --set service.prefix=/get \
      --set service.port=80 \
      --set service.enableTLS=true \
      --set autoTLS.certificateCN=httpbin.enroutedemo.com \
      --set autoTLS.enableProd=true \
      --set autoTLS.createIssuers=true \
      --set autoTLS.firstname.lastname@example.org \
      --set filters.cors.enable=true \
      --set filters.jwt.enable=false

Declarative policy can be specified using helm install. Declaratively modifying this policy using helm upgrade reconciles L7 policy for a service to new state.
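Since the upgrade above switches JWT validation off while turning CORS and TLS on, it helps to list which filter flags a new command changes before applying it. The script below is an added example, not part of EnRoute or its helm chart; the function names are hypothetical and the flag lists are constructed from the `--set` arguments of the two commands on this page (abridged).

```shell
#!/bin/sh
# Constructed inputs: --set arguments of the install and upgrade commands
# shown on this page, abridged to the service and filter flags.
INSTALL_SETS="service.namespace=demo-service service.name=httpbin service.port=80 filters.jwt.enable=true"
UPGRADE_SETS="service.namespace=demo-service service.name=httpbin service.prefix=/get service.port=80 service.enableTLS=true filters.cors.enable=true filters.jwt.enable=false"

# Print the value declared for key $1 in the space-separated key=value
# list $2, or "<unset>" when the key is not declared at all.
declared() {
  want=$1
  for kv in $2; do
    case $kv in
      "$want"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
    esac
  done
  printf '<unset>\n'
}

# Print one line per filters.*.enable / service.enableTLS key whose declared
# value differs between the old list ($1) and the new list ($2).
policy_changes() {
  old=$1; new=$2
  keys=$(printf '%s\n' $old $new |
    sed -n 's/^\(filters\.[^=]*\.enable\)=.*/\1/p; s/^\(service\.enableTLS\)=.*/\1/p' |
    LC_ALL=C sort -u)
  for key in $keys; do
    a=$(declared "$key" "$old")
    b=$(declared "$key" "$new")
    [ "$a" = "$b" ] || printf '%s: %s -> %s\n' "$key" "$a" "$b"
  done
}

# Exit status 0 only when the change set switches no filter to false.
no_filter_disabled() {
  ! policy_changes "$1" "$2" | grep -q -- '-> false$'
}

policy_changes "$INSTALL_SETS" "$UPGRADE_SETS"
no_filter_disabled "$INSTALL_SETS" "$UPGRADE_SETS" ||
  echo "review: this upgrade disables at least one filter"
```

For the two commands on this page the check reports `filters.jwt.enable: true -> false`, so the upgrade is flagged for review.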
EnRoute One-Step provides higher-level abstractions. This is similar to a higher-level programming language compared to assembly code.
Higher level abstractions (and languages) simplify programming the Ingress.
EnRoute leverages the existing Envoy filter abstractions and extends them to the Ingress layer. EnRoute keeps it simple by using a well-known tool like helm while working with well-known Envoy filter abstractions. It forms a light-weight shim for Envoy proxy.
EnRoute’s deep integration with Let’s Encrypt radically simplifies setting up certificates, verifying them and installing them for a service.
The helm command creates GatewayHost and related artifacts to support installing different filters.
The helm code that creates the artifacts can be modified to meet the needs of different types of services and create microservice connectivity and security profiles.
Advantages of running Policy with EnRoute One-Step Ingress Controller
There are several distinct advantages of running an Ingress Controller and enforcing policies at Ingress.
- Ingress provides a portable mechanism to enforce policy inside the Kubernetes Cluster. Policies enforced inside a cluster are easier to port across clouds.
- Ingress can be scaled horizontally inside the Kubernetes Cluster. Elasticity of the L7 fabric makes it easier to operate and scale.
- L7 policies can be hosted along with services inside the cluster with cluster-native state storage
- Keeping L7 policy closer to services simplifies policy enforcement and troubleshooting of services and APIs.
One-Step Ingress provides an opportunity to make Ingress extremely simple to understand and operate. It cuts down the number of artifacts required to configure service connectivity and policy. Working with higher-level abstractions improves operational velocity with Kubernetes without sacrificing DevOps agility.
As Kubernetes is adopted as a standard to run microservices and adopt DevOps practices, working with fewer tools cuts down the number of moving parts. EnRoute One-Step Ingress drives simplicity and operational velocity by relying on existing tools like helm and Envoy.