Zero Trust Private Network Connections to containerized applications in GKE - Google Cloud

Kubernetes, while revolutionizing application deployment and management, introduces complexities in securing access to underlying workloads. Traditional network security perimeters struggle to adapt to the dynamic nature of containerized environments, leaving applications vulnerable to threats.

NetFoundry enables Cloud Native Applications to enforce granular access controls ensuring that only authorized users/microservices can interact with specific applications/microservices in a cluster.

This document provides guidance on deploying a Ziti Edge Router within a Kubernetes cluster and securing the network paths to containerized applications in Google Kubernetes Engine (GKE) with the NetFoundry Cloud.


Getting started:

What you need to get started:

  1. A NetFoundry Cloud account - Go through the steps to create a free trial account if you don't have one.
  2. A network in your account with at least one public router. The articles below guide you through that process.

1. Deploy a NetFoundry Customer edge router in GKE Cluster:

The NetFoundry edge router (ER) is the WAN gateway in the cluster that lets you reach the applications/microservices over a private, secure zero trust overlay. The ER is deployed as a container within the Kubernetes cluster.

Create and Register Customer Edge Router

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute can be used for provisioning APPWANs.
  • Select Customer Hosted as your hosting type.
  • Hit Create to complete the process.
  • A new customer-hosted edge router is created along with a registration key. This registration key is required to register the edge router with the network.
  • Download the JWT registration token.

The command below uses Helm to install the 'ziti-router' chart from the 'openziti' chart repository. The JWT registration token downloaded in the previous step is passed in for edge router registration.

helm install kube-er \
  --namespace ziti-router --create-namespace \
  openziti/ziti-router \
  --set-file enrollmentJwt=/home/kube-er/kube-er.jwt \
  --set linkListeners.transport.service.enabled=false \
  --set edge.advertisedHost=surener-edge.ziti-router.svc \
  --set ctrl.endpoint="<Controller-DNS>:443" \
  --values /home/kube-er/router.yml

The edge router is deployed in the GKE Cluster named 'lab-cluster' within the ziti-router namespace.
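The enrollment JWT is single-use and expires, and a stale or truncated file is the usual reason a freshly installed router never comes online. The following POSIX shell pre-flight is an added example, not part of this article or of the OpenZiti chart: it checks that the file holds a three-segment JWT, decodes the payload without verifying the signature, and refuses to proceed if the exp claim is already in the past. The claim names (iss, sub, em, exp) are modelled on OpenZiti enrollment tokens; the sample token, its controller hostname and its router id are constructed placeholders built in make_sample_jwt so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the NetFoundry article): sanity-check the enrollment
# JWT before handing it to `helm install --set-file enrollmentJwt=...`.
set -eu

# base64url -> bytes: swap the URL-safe alphabet back and restore '=' padding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# bytes -> base64url (used only to build the constructed sample token).
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decoded JSON payload (second dot-separated segment) of the JWT stored in $1.
jwt_payload() {
  token=$(tr -d '[:space:]' < "$1")
  b64url_decode "$(printf '%s' "$token" | cut -d. -f2)"
}

# Extract a numeric claim (e.g. exp) or a string claim (e.g. iss) without jq.
jwt_num_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p"; }
jwt_str_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"; }

# 0 if the file holds a three-segment JWT whose exp claim is still in the future.
jwt_is_usable() {
  file=$1
  token=$(tr -d '[:space:]' < "$file")
  segments=$(printf '%s' "$token" | awk -F. '{ print NF }')
  [ "${segments:-0}" -eq 3 ] || return 1
  exp=$(jwt_num_claim "$file" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# Constructed sample: fake signature, claims modelled on an OpenZiti router
# enrollment token (em=erott), exp = 2100-01-01. Placeholder values only.
make_sample_jwt() {
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  payload=$(printf '%s' '{"iss":"https://ctrl.example.test:443","sub":"router-id-placeholder","em":"erott","exp":4102444800}' | b64url_encode)
  printf '%s.%s.%s\n' "$header" "$payload" "bm90LWEtcmVhbC1zaWduYXR1cmU" > "$1"
}

# Usage: sh preflight.sh /home/kube-er/kube-er.jwt
preflight() {
  if jwt_is_usable "$1"; then
    echo "ok: token issued by $(jwt_str_claim "$1" iss), valid until epoch $(jwt_num_claim "$1" exp)"
  else
    echo "refusing to enroll: $1 is not a JWT or has already expired" >&2
    return 1
  fi
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run the pre-flight against the downloaded file before adding the chart repository (helm repo add openziti https://docs.openziti.io/helm-charts/, the address published in the OpenZiti documentation; the article does not show this step) and running the install above. The printed iss value identifies the controller that issued the token, which is a useful cross-check against the ctrl.endpoint you intend to pass; if the check fails, generate a fresh registration key in the console rather than retrying the install.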

2. Create your Identity, Service and Service Policy:

For our lab, we have deployed the 'hello-world' web app as a container in the same GKE Cluster 'lab-cluster' where the customer edge router was provisioned in the previous step.

A Kubernetes Service 'hello-world service' is created to expose the deployment using ClusterIP, which is a private IP.
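The article does not show the manifests for the lab app, so the following is an added example, not the article's own: a 'hello-world' Deployment and its Service rendered from a shell function and applied with kubectl. The Service is ClusterIP only, which is the point of the setup: the app gets no NodePort or LoadBalancer, and the only way in is through the edge router inside the cluster. The container image (Google's public GKE sample gcr.io/google-samples/hello-app:1.0, which listens on 8080), the namespace, the labels and the Kubernetes-legal service name 'hello-world-service' are assumptions.

```shell
#!/bin/sh
# Added example (not from the NetFoundry article): the 'hello-world' Deployment
# and a ClusterIP-only Service, so the app has no public entry point and is
# reachable solely through the in-cluster edge router.
set -eu

# Assumptions: Google's public hello-app sample image (listens on 8080) and
# the default namespace; override via the environment if needed.
HELLO_IMAGE=${HELLO_IMAGE:-gcr.io/google-samples/hello-app:1.0}
HELLO_NAMESPACE=${HELLO_NAMESPACE:-default}

# Render both manifests to stdout. The Service deliberately uses ClusterIP:
# NodePort or LoadBalancer would expose the app outside the overlay.
hello_world_manifests() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
  namespace: ${HELLO_NAMESPACE}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
        - name: hello-world
          image: ${HELLO_IMAGE}
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world-service
  namespace: ${HELLO_NAMESPACE}
spec:
  type: ClusterIP
  selector:
    app: hello-world
  ports:
    - port: 80
      targetPort: 8080
EOF
}

# First 'type:' value in a manifest string; used to refuse anything other
# than ClusterIP before it reaches the cluster.
service_type_of() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*type:[[:space:]]*//p' | head -n 1
}

# Apply the manifests, then print the ClusterIP you will enter as the host
# address of the NetFoundry service config in the next step.
apply_hello_world() {
  manifests=$(hello_world_manifests)
  [ "$(service_type_of "$manifests")" = ClusterIP ] || {
    echo "refusing to apply: service type is not ClusterIP" >&2
    return 1
  }
  printf '%s\n' "$manifests" | kubectl apply -f -
  kubectl -n "$HELLO_NAMESPACE" get svc hello-world-service \
    -o jsonpath='{.spec.clusterIP}{"\n"}'
}

# Usage: sh hello-world.sh apply
if [ "${1:-}" = apply ]; then apply_hello_world; fi
```

The ClusterIP printed at the end is the host address used in the service configuration below; since it is only routable inside the cluster, the edge router (or a tunneler) running there is what bridges it onto the overlay.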

A. Create your service for accessing 'hello-world' web app.

The service configuration uses an intercept address of your choice (IP or host name) and the ClusterIP of the 'hello-world service' as the host address. The hosting identity is that of the customer edge router provisioned in the first step.

The steps in this article also apply if you use a tunneler instead of a router in 'lab-cluster'; the service config would then select the tunneler endpoint instead of the router endpoint.

B. Create your identity - Create an identity in the NetFoundry console to access 'hello-world' web app.

C. Create your service policy to allow your identity (or identities) to access 'hello-world' web app in the GKE Cluster 'lab-cluster' over the highly secure NetFoundry cloud network.

Accessing 'hello-world' web app in the GKE Cluster over the NetFoundry Cloud:

Install Ziti Desktop Edge for your device's OS - https://netfoundry.io/products/netfoundry-downloads/

You'll find the installation instructions for the endpoints in the respective sections.

Register your identity to the network from your endpoint software. 

With the required service policy in place, you should see the 'hello-world' service listed on your endpoint.


Access the 'hello-world' web app from your device over the NetFoundry network.
