• Post category:StudyBullet-13
  • Reading time:6 mins read


Learn how to secure network communication in AKS/Kubernetes cluster

What you will learn

Learn AKS and Kubernetes network best practices

Learn how to securely expose services in Kubernetes

Learn how to secure pod to pod communication

Learn to setup TLS certificates for pods and ingress

Description

For an AKS cluster, there are two types of traffic. First one is the internal traffic between pods. The second one is the ingress and egress traffic that is between pods and the end users or the internet.

This course provides the tools and techniques to secure these networks using tools like Network Policies with Calico, TLS certificates, etc.

Microsoft provides the following recommendations to secure an AKS cluster and this course will try to go deeper with demonstration.

Recommendation 1: To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.


Get Instant Notification of New Courses on our Telegram channel.


Recommendation 2: To scan incoming traffic for potential attacks, use a web application firewall (WAF) such as Barracuda WAF for Azure or Azure Application Gateway. These more advanced network resources can also route traffic beyond just HTTP and HTTPS connections or basic TLS termination.

Recommendation 3: Use network policies to allow or deny traffic to pods. By default, all traffic is allowed between pods within a cluster. For improved security, define rules that limit pod communication.

Recommendation 4: Don’t expose remote connectivity to your AKS nodes. Create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster to remote management tasks.

English
language

Content

Kubernetes and AKS architecture

AKS architecture revisited

Introduction to Kubernetes

How to setup an AKS cluster
Cluster infrastructure resources
Create Pod
Create deployment object
Exec into Pod
Scale pods
Create private service
Create public service using LoadBalancer
View kubernetes objects in the Azure portal

Comparing AKS public and private clusters

Intro
Architecture of a public cluster
Private cluster with Private Endpoint
Public cluster with VNET integrtion
Private cluster with VNET integration
Accessing a private cluster
Recap

Kubernetes CoreDNS

Introduction to Core DNS (previously Kube-DNS)
[Demo] Setting up custom domain name using CoreDNS

Securing Traffic in Kubernetes

Securing traffic for ingress and pods

Securing Ingress using TLS/HTTPS

Exposing non secure ingress
Introduction to securing Ingres using TLS certificates
[Demo] Securing ingress using TLS certificate stored in kubernetes secret
Securing ingress traffic using TLS certificates stored in Azure Key vault
[Demo] Securing ingress traffic using TLS certificates stored in Azure Key vault

Securing inter Pod communication using TLS certificates

Introduction to inter pod communication
[Demo] Securing Pod to Pod communication
Using Cert Manager to configure HTTPS on Pods
[Demo] Using Cert Manager to configure HTTPS on Pods

Implementing network policy using Calico

Introduction to Calico
Setting up the demo env
All pods across namespaces can communicate with each other
Deploying the first network policy to deny all traffic between pods
[Demo] Testing the deny all policy
Deploying a policy to allow specific traffic
[Demo] Testing the allow traffic policy
Creating network policy to allow traffic in a certain namespace
Exploring Network Policy Viewer tool

Setting up AKS, ACR and VM in a private virtual network

Introduction to private AKS cluster in VNET
[Demo] Creating private AKS and VM
Introduction to private ACR with private AKS
[Demo] Creating private ACR and setting the connection with AKS