One-Step Ingress

Saaras Inc. July 18, 2021

EnRoute Ingress allows you to configure any security policy for a service at Kubernetes Ingress in One Step.

Examples Include -

Apart from this, in the near future, we plan on extending support for:

  • Setting up external-dns to auto-create DNS records and setting up DNS auto certificate renewal
  • More security blocks, like a CSRF filter to prevent request forgery and IP Tagging to tag trusted IP addresses
  • More programmability using WASM to provide WebAssembly code invocation capability out of the box

Truly Declarative

The EnRoute model is a truly declarative service policy. A service policy does not need configuration; declaring it is sufficient. Once declared, policy configuration is automatically created and enforced for the service.

For example, to enable the JWT plugin, simply invoke:

helm install httpbin-service-policy saaras/service-policy       \
        --set service.namespace=demo-service                    \
        --set service.name=httpbin                              \
        --set service.port=80                                   \
        --set filters.jwt.enable=true

This enables the JWT plugin for the service httpbin.

Update L7 Policy blocks using the same abstraction

L7 Policy blocks (like SSL, CORS, JWT, Rate-Limit etc.) can be included/excluded declaratively. They can be added or removed using a single helm command.

The helm chart supports enabling/disabling filters for the service:

helm upgrade httpbin-service-policy saaras/service-policy       \
        --set service.namespace=demo-service                    \
        --set service.name=httpbin                              \
        --set service.prefix=/get                               \
        --set service.port=80                                   \
        --set service.enableTLS=true                            \
        --set autoTLS.certificateCN=httpbin.enroutedemo.com     \
        --set autoTLS.enableProd=true                           \
        --set autoTLS.createIssuers=true                        \
        --set autoTLS.email=contact@example.com                 \
        --set filters.cors.enable=true                          \
        --set filters.jwt.enable=false

Declarative policy can be specified using helm install. Declaratively modifying this policy using helm upgrade reconciles the L7 policy for a service to the new state.
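Because a single helm upgrade can also switch a filter off (the command above sets filters.jwt.enable=false), it helps to compare the flags of the old and new commands before applying. The following is an added example, not code from EnRoute or Saaras; the function names are hypothetical, and it assumes one key=value per --set, as in the commands on this page.

```bash
#!/usr/bin/env bash
# Added example (not EnRoute code): report protections that a helm upgrade
# turns off relative to the previous command for the same release.

# Constructed inputs: the --set flags of the two commands shown on this page.
OLD_CMD='helm install httpbin-service-policy saaras/service-policy
    --set service.namespace=demo-service --set service.name=httpbin
    --set service.port=80 --set filters.jwt.enable=true'
NEW_CMD='helm upgrade httpbin-service-policy saaras/service-policy
    --set service.namespace=demo-service --set service.name=httpbin
    --set service.prefix=/get --set service.port=80
    --set service.enableTLS=true --set filters.cors.enable=true
    --set autoTLS.certificateCN=httpbin.enroutedemo.com --set autoTLS.email=contact@example.com
    --set autoTLS.enableProd=true --set autoTLS.createIssuers=true
    --set filters.jwt.enable=false'

# Print each "key=value" that follows a --set flag, one per line.
# Assumes one key=value per --set and both on the same line.
set_flags() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "--set") print $(i + 1) }'
}

# Last value given for key $2 in flag list $1; empty if the key is absent.
flag_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# For every filter or TLS switch that was "true" in the old command ($1),
# report whether the new command ($2) sets it to false or no longer sets it.
weakened() {
    local old new key val
    old=$(set_flags "$1"); new=$(set_flags "$2")
    for key in $(printf '%s\n' "$old" | awk -F= '$2 == "true" { print $1 }'); do
        case $key in
            filters.*.enable|service.enableTLS) ;;
            *) continue ;;
        esac
        val=$(flag_value "$new" "$key")
        case $val in
            true)  ;;
            false) printf '%s disabled\n' "$key" ;;
            *)     printf '%s omitted\n' "$key" ;;
        esac
    done
}

weakened "$OLD_CMD" "$NEW_CMD"
```

An "omitted" result means the new command no longer pins that switch, so its effective value depends on the chart defaults or on --reuse-values.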

High-level abstractions

EnRoute One-Step provides higher-level abstractions. This is similar to a higher-level programming language compared to assembly code.

Higher level abstractions (and languages) simplify programming the Ingress.

EnRoute leverages the existing Envoy filter abstractions and extends them to the Ingress layer. EnRoute keeps it simple by using a well-known tool like helm while working with well-known Envoy filter abstractions. It forms a lightweight shim for Envoy proxy.

Security first

EnRoute’s deep integration with Let’s Encrypt radically simplifies setting up certificates, verifying them and installing them for a service.

Unpacking details

The helm command creates GatewayHost and related artifacts to support installing different filters.

The helm code that creates the artifacts can be modified to meet the needs of different types of services and create microservice connectivity and security profiles.

Advantages of running Policy with EnRoute One-Step Ingress Controller

There are several distinct advantages of running an Ingress Controller and enforcing policies at Ingress.

  • Ingress provides a portable mechanism to enforce policy inside the Kubernetes Cluster. Policies enforced inside a cluster are easier to port across clouds.
  • Ingress can be scaled horizontally inside the Kubernetes Cluster. Elasticity of the L7 fabric makes it easier to operate and scale.
  • L7 policies can be hosted along with services inside the cluster with cluster-native state storage.
  • Keeping L7 policy closer to services simplifies policy enforcement and troubleshooting of services and APIs.

Conclusion

One-Step Ingress provides an opportunity to make Ingress extremely simple to understand and operate. It cuts down the number of artifacts required to configure service connectivity and policy. Having higher-level abstractions to work with improves operational velocity on Kubernetes without sacrificing DevOps agility.

As Kubernetes is adopted as a standard to run microservices and adopt DevOps practices, working with fewer tools cuts down the number of moving parts. EnRoute One-Step Ingress drives simplicity and operational velocity by relying on existing tools like helm and Envoy.

