Kubernetes and Wallarm

If you are one – like I am – among the lucky ones who attended
KubeCon 2019 in San Diego, California in November, then you know Kubernetes is the Tsunami of next-generation computing. It is bringing a huge wave of Cloud-Native technologies along with it. Tsunami may be a scary word for some, although this time around there is so much to gain, that technologists are truly excited about the future of cloud computing and building things that support and protect Cloud-Native Infrastructures. KubeCon 2019 felt like the arrival of a new genre of music at a global Music festival and celebrated by everyone interested in Cloud technology. Along come the new risks associated with this genre, but thanks to Wallarm’s team of geniuses and a few alike, we might be ready to safely handle this wave and even thrive.

So, what is Kubernetes? And why is Wallarm's technology a perfect match for protecting Kubernetes? Well, if you are a curious technologist like me, read on!

What is Kubernetes?

Named after the Greek word for helmsman or pilot, Kubernetes (K8s) is an open-source system for automating the deployment, scaling, and management of containerized applications. It is a software layer that sits between your applications and your hardware infrastructure.


Fig 1 – Kubernetes Architecture

Another way to think of it is as an operating system. Kubernetes does for your enterprise applications what the operating system in your phone does for your personal apps: it makes sure those apps can be deployed, updated, restarted, configured, deleted, and more. The main difference is the scale at which Kubernetes operates – it manages applications across multiple different clouds and servers. This is why Kubernetes is often called “the operating system for the cloud”.

Kubernetes and Wallarm

Wallarm has been an active member of the CNCF community for more than two years. Wallarm's AI-powered security platform automates application protection and security testing. Installed directly on an Ingress controller, Wallarm protects websites, microservices, and APIs. Many of Wallarm's enterprise customers and partners are actively using its Kubernetes-native API security, which is supported on the Kubernetes Ingress and NGINX Plus Ingress controllers running on private and public clouds. Wallarm invests heavily in the application security communities, including OWASP (Open Web Application Security Project) and the Kubernetes community, via conferences, meetups, hackathons, CTFs and various innovation projects. For instance, Wallarm recently extended its app and API security solution to work with distributed applications using Envoy proxy and released it at KubeCon 2019 in San Diego, California.

Many Reasons to Use Wallarm WAF for Kubernetes

Wallarm Cloud-Native WAF offers automated application security. It installs directly on an NGINX- or Envoy-based Ingress controller. Alternatively, Wallarm can be installed as a sidecar Docker container within Kubernetes pods, and it supports Google GKE, Amazon EKS, and Azure AKS as well as Kubernetes in a private cloud. The licensing model allows dynamic deployment of nodes and Kubernetes clusters.
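The sidecar deployment option described above, shown as an added example that is not from the original post and not Wallarm's own manifests or documentation. The application container binds to loopback only, while a filtering reverse-proxy sidecar sharing the pod's network namespace owns the pod's public port; the Service and the NetworkPolicy then expose only the proxy. The image names, the app's `--listen` flag and the `UPSTREAM` variable are placeholders and assumptions; Wallarm's real sidecar image, configuration keys and licence settings are not on this page.

```yaml
# Added example (not from the original post or from Wallarm's docs):
# the sidecar pattern for an in-pod WAF / reverse proxy.
# Image names, the app's listen flag and env var names are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-api
  labels:
    app: shop-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: shop-api
  template:
    metadata:
      labels:
        app: shop-api
    spec:
      containers:
        # The application: bound to 127.0.0.1 only, so the only way in is
        # through the sidecar that shares this pod's network namespace.
        - name: app
          image: example.invalid/shop-api:1.0.0      # placeholder image
          args: ["--listen", "127.0.0.1:8080"]        # assumes the app has such a flag
          # No containerPort is declared: nothing should be routed here directly.

        # The filtering proxy sidecar. Wallarm's actual image name, config
        # and licence settings are NOT on this page; this is a stand-in.
        - name: waf-sidecar
          image: REPLACE-WITH-WALLARM-SIDECAR-IMAGE
          ports:
            - name: http
              containerPort: 80
          env:
            - name: UPSTREAM                          # assumed variable name
              value: "http://127.0.0.1:8080"          # loopback reaches the app container
          securityContext:
            allowPrivilegeEscalation: false
---
# The Service targets the sidecar's named port, never the app's port.
apiVersion: v1
kind: Service
metadata:
  name: shop-api
spec:
  selector:
    app: shop-api
  ports:
    - port: 80
      targetPort: http
---
# Defence in depth: even if the app is later rebound to 0.0.0.0:8080,
# in-cluster clients may only reach this pod on the sidecar's port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shop-api-only-via-waf
spec:
  podSelector:
    matchLabels:
      app: shop-api
  policyTypes: ["Ingress"]
  ingress:
    - ports:
        - protocol: TCP
          port: 80
```

The NetworkPolicy is only enforced by CNI plugins that implement it, so verify with your cluster's network plugin rather than assuming it applies. The same principle carries over to the Ingress-controller deployment option: the filtering controller is only as good as the guarantee that no second Ingress class, NodePort or LoadBalancer Service exposes the backing pods around it.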


Fig 2 – Wallarm WAF for Kubernetes

Wallarm Kubernetes WAF protects Cloud-Native apps by securing a variety of API protocols, including gRPC, GraphQL, REST, JSON, XML, SOAP and others, against XSS, XXE, SQL injection, RCE and other OWASP Top 10 threats, as well as brute-force attacks, dirbusting, account takeover (ATO), application abuse, logic bombs and bots.

Wallarm's ML/AI-powered WAF does not require any manual rule configuration and eliminates false positives without tuning. As a result, 90% of customers use Wallarm Kubernetes WAF in blocking mode.

Wallarm goes the Extra Mile Protecting Service Mesh and Envoy

What is Service Mesh?

Service mesh is built to accommodate the unique nature of distributed microservice environments. In a large-scale application built from microservices, services can get overloaded with requests over time, and developers are then required to spend more and more time coding request logic for each service. This is where a service mesh comes to the rescue: it automatically takes care of discovering services and enabling service-to-service communication with minimal disruption to operations.

A service mesh can be thought of as the equivalent of software-defined networking (SDN) for APIs, decoupling the underlying infrastructure of the application from its abstract architecture.


Fig 3 – Wallarm Extends Kubernetes Security Protection

At KubeCon 2019, Wallarm extended its Kubernetes security protection capabilities to support service mesh architectures and Envoy proxy. While relatively new, Envoy proxy already has a large following in the Kubernetes community. Envoy was incubated in the CNCF and officially graduated in the fall of 2018. Envoy is extremely lightweight and performs very efficiently. Its speed and performance are making Envoy popular both as an alternative to NGINX as an Ingress controller and as the foundation of service-to-service communication within a service mesh. Envoy offers broad support for modern protocols, including HTTP/2 and gRPC, advanced load balancing features, and capabilities specifically designed for API introspection and observability.

Wallarm not only protects East-West API traffic inside a service mesh but also protects North-South API traffic in applications that use Envoy as an alternative Ingress controller at the front end of a Kubernetes cluster. One of the original premises of Envoy was observability, which is what allows large teams to monitor and troubleshoot issues in hybrid, cloud and distributed environments. Envoy's monitoring and observability features are built on Layer 7 API inspection. With Wallarm Advanced Cloud-Native WAF deployed directly on Envoy, companies get full visibility into the API traffic (XML, JSON, gRPC and others), real-time protection against static attacks such as XSS, RCE, path traversal and other OWASP Top 10 categories, protection from behavioral attacks, and more.

Conclusion

Being a part of Wallarm, I have the chance to work closely with the Wallarm team and contribute to the mission. Having heard the buzz about Envoy at KubeCon last week, several of the attendees approached Wallarm to learn more about Linkerd and protection around it. I had the opportunity to speak with the Wallarm Co-founder and COO, Stepan Ilyin, who was there for the big launch of Cloud-Native security protection via service mesh and Envoy. Stepan indicated that Wallarm is currently researching the security models and services around it, and we can expect to hear something in 2020.


In the Video – Stepan Ilyin at KubeCon 2019

As an enthusiast and learner of Cloud-Native technologies, I feel super excited and confident having been a part of this mission and a team that cares so deeply about Kubernetes and Cloud-Native. With the recent explosion of Kubernetes adoption and Wallarm's consistent effort to deliver Kubernetes-native security offerings, I feel gratitude and tremendous confidence in our collective ability to stay ahead of the emerging threats in the cloud-native ecosystem. Clearly, Kubernetes and Wallarm is a match made in the clouds.

About the Author

Well known as the "Cyber Guardian", Kavya Pearlman is an award-winning cybersecurity professional with a deep interest in emerging technologies. Kavya is the Global Cybersecurity Strategist at Wallarm, a global security company that protects hundreds of customers across e-commerce, fintech, health-tech, and SaaS with its artificial intelligence-powered application security platform.

Kavya is the founder of the non-profit XR Safety Initiative (XRSI), the very first global effort that promotes privacy, security and ethics, and develops standards and guidelines, for Virtual Reality, Augmented Reality and Mixed Reality (VR/AR/MR), collectively known as XR. She previously advised Facebook on third-party security risks during the 2016 US presidential election, reviewing security for various third parties of all sizes, configurations and cloud compositions.