BLOG | OFFICE OF THE CTO

F5 Friday: Container Ingress Services Gets K8s Native

Lori MacVittie Miniatur
Lori MacVittie
Published April 19, 2019

The world of containers continues to mature at an astounding rate. The adoption of container-related application services both on-premises and in the cloud are a good indicator that this technology has emerged from nascent technology to maturing ecosystem in short order.

As it matures, so does the integration of the enterprise-class technology required to support it. We see continuing maturation and fine-tuning of the other API economy; the one that enables rapid integration and expansion of the container ecosystem.

One of the exciting things about this maturation is it encourages traditionally enterprise-class offerings to move in the direction of container orchestration environments like Kubernetes. By "move in the direction" I mean rapidly adopt ideas like declarative API models that abstract domain expertise. In other words, simplify the integration and inclusion of systems and services like BIG-IP to enable a broader set of roles to configure, deploy, and operate the technology.

That's important because some application services - like a web application firewall - are most efficient and effective at addressing attacks and their undesirable consequences when deployed upstream from containers in the N-S ingress. But that often requires extensive domain expertise in both BIG-IP and WAF terminology and concepts. Addressing that obstacle is a primary objective of our automation and orchestration efforts which can be seen in the rapid evolution of our F5 Automation Toolchain.

Within that toolchain is AS3, the F5 Application Services 3 Extension. AS3 provides a modern (node.js) interface to BIG-IP that enables the consumption of declarative configurations to provision and operate BIG-IP delivered application services. When combined with the latest version of our Container Ingress Services (CIS), operators of container environments can employ BIG-IP delivered application services to secure and speed up APIs and applications.

Container Ingress Services, if you aren't familiar, is a Kubernetes native service that provides the glue between container services and BIG-IP. It watches for changes and communicates those to BIG-IP delivered application services. These, in turn, keep up with the rapid changes in container environments and enable enforcement of security policies.

This latest revision (Container Ingress Services 1.9) is exciting because it introduces native Kubernetes support for integration by moving from the use of annotations to ConfigMaps. This means you can use familiar Kubernetes language to integrate F5 application services by inserting an AS3 declaration in the data field of the ConfigMap. This includes embedding certificates and selecting load balancing algorithms as well as deploying the bare minimum OWASP Top 10 protections for an API or application.

The modern, Kubernetes-friendly declaration also enables the retrieval of the policy declaration from a repository. This enables SecDevOps (or DevSecOps or just SecOps, whatever your preference) to shift security left in a way that does not burden DevOps by requiring security or WAF expertise.

kind: ConfigMap	 
apiVersion: v1	 
metadata:	 
  name: f5-waf
  namespace: default
  labels:
    f5type: virtual-server
    as3: "true"
	 
data:
    template: |
    {
 # service, pool and logging declarations here
        "policyWAF": { 
     	       "use: "owaspautotune" 
         }
 # monitors and pool member declarations here
         "owaspautotune": {
              "class": "WAF Policy", 
              "url": "https://repository/pathToConfig/f5-as3-declarations/master/Common_WAF_Policy.xml",
              "ignoreChanges": true
         }

This native support enables DevOps and DevSecOps with a way to easily and quickly deploy a web application firewall for the APIs, applications, and services these teams operate. Today, there is no Kubernetes language like that for ingress or load balancers - that specifically enables security-related services. By supporting the use of ConfigMaps, Container Ingress Services offers a simplified means of integrating application security with Kubernetes using a more natural and familiar mechanism.

RESOURCES

Get the latest F5 AS3 from Github

The latest (v1.9) Container Ingress Services from Docker Hub