Category Archives for "Networking – The New Stack"

Enhancing Kubernetes Network Security with Microsegmentation

Microsegmentation represents a transformative approach to enhancing network security within Kubernetes environments. This technique divides networks into smaller, isolated segments, allowing for granular control over traffic flow and significantly bolstering security posture. At its core, microsegmentation leverages Kubernetes network policies to isolate workloads, applications, namespaces and entire clusters, tailoring security measures to specific organizational needs and compliance requirements. The Essence of Microsegmentation Strategies Scalability and Flexibility The fundamental advantage of microsegmentation through network policies lies in its scalability and flexibility. Kubernetes’ dynamic, label-based selection process facilitates the addition of new segments without compromising existing network infrastructure, enabling organizations to adapt to evolving security landscapes seamlessly. Labeling the assets is a key to microsegmentation success. Prevent Lateral Movement of Threats Workload isolation, a critical component of microsegmentation, emphasizes the importance of securing individual microservices within a namespace or tenant by allowing only required and approved communication. This minimizes the attack surface and prevents unauthorized lateral movement. Namespace and Tenant Isolation Namespace isolation further enhances security by segregating applications into unique namespaces, ensuring operational independence and reducing the impact of potential security breaches. Similarly, tenant isolation addresses the needs of multitenant environments by securing shared Kubernetes infrastructure, thus protecting tenants from Continue reading

Tetrate Enterprise Gateway for Envoy Graduates

Istio and Tetrate Enterprise Gateway for Envoy (TEG). This release provides businesses with a modern and secure alternative to traditional Envoy Gateway version 1.0. TEG extends its features by including cross-cluster service discovery and load balancing, OpenID Connect (OIDC), OAuth2, Web Application Firewall (WAF), and rate limiting out of the box along with Federal Information Processing Standard (FIPS) 140-2 compliance. A standout feature of the Envoy Gateway, and by extension TEG, is its native support for the newly introduced

Zero Trust for Legacy Apps: Load Balancer Layer Can Be a Solution

When most security and platform teams think about implementing zero trust, they tend to focus on the identity and access management layer and, in Kubernetes, on the service mesh. These are fine approaches, but they can cause challenges for constellations of legacy internal apps designed to run with zero exposure to outside connections. One solution to this problem is to leverage the load balancer as the primary implementation component for zero trust architectures covering legacy apps. True Story: A Large Bank, Load Balancers and Legacy Code This is a true story: A large bank has thousands of legacy web apps running on dedicated infrastructure. In the past, it could rely on a “hard perimeter defense” for protection with very brittle access control in front of the web app tier. That approach no longer works. Zero trust mandates that even internal applications maintain a stronger security posture. And for the legacy apps to remain useful, they must connect with newer apps and partner APIs. This means exposure to the public internet or broadly inside the data center via East-West traffic — something that these legacy apps were never designed for. Still, facing government regulatory pressure to enhance security, the bank Continue reading

How Observability Is Different for Web3 Apps

Web3 represents the next evolutionary step in building web applications. Web3 combines blockchain technology, decentralized protocols and peer-to-peer interactions to give birth to a new standard for transparency and security through decentralized applications (dApps). The dApps rely on decentralized servers instead of traditional (Web2) applications based on a centralized server. However, this new paradigm presents challenges for logging, tracing — in a Django-based Web3 application using Scout APM. How Is Observability Different in Decentralized Apps? Observability in Web3 dApps poses several unique challenges that need to be resolved. Immutable Transactions Web3 dApps rely heavily on blockchain technology. Generally speaking, once a blockchain transaction has been confirmed, it cannot be changed, even if there has been a mistake. This makes it extremely important to have close monitoring and observability to detect and prevent issues before data is written to the blockchain. Distributed Data Traditional web applications rely on centralized servers while Web3 dApps rely on a globally distributed and decentralized network of nodes. A robust observability solution is therefore required to aggregate and analyze data across this complex network. Variable Continue reading

Simplify Kubernetes Hosted Control Planes with K0smotron

Multicluster Kubernetes gets complicated and expensive fast — especially in dynamic environments. Private cloud multicluster solutions need to wrangle a lot of moving parts: Private or public cloud APIs and compute/network/storage resources (or bare metal management) Linux and Kubernetes dependencies Kubernetes deployment etcd configuration Load balancer integration And, potentially other details, too. So they’re fragile — Kubernetes control planes on private clouds tend to become “pets” (and not in a cute way). Multicluster on public clouds, meanwhile, hides some of the complexity issues (at the cost of flexibility) — but presents challenges like cluster proliferation, hard-to-predict costs, and lock-in. What Are Hosted Control Planes (HCPs)? Kubecon Hosted Control Planes (HCPs) route around some (not all) of these challenges while bringing some new challenges. An HCP is a set of Kubernetes manager node components, running in pods on a host Kubernetes cluster. HCPs are less like “pets” and more like “cattle.” Like other Kubernetes workloads, they’re defined, operated, and updated in code (YAML manifests) — so are repeatable, version-controllable, easy to standardize. But worker nodes, as always, need to live somewhere and networked to control planes, and there are several challenges here. They gain basic resilience from Kubernetes itself: if Continue reading

The Black Hole That Is the Kubernetes Network

There’s been a tension in physics over the last century or so between two theories. Both have proven valuable for predicting the behavior of the universe, as well as for advancing technological engineering, but they seem to make completely incompatible claims about the nature of reality. I’m referring, of course, to the general theory of relativity and quantum theory. Ordinarily, these two theories tackle very different questions about the universe — one at the largest scale and the other at the smallest — but both theories come together in the study of black holes, points of space from which no information can escape. There’s a tension in the air at many enterprise organizations today as well between two heuristics for enterprise networking, both of which have produced excellent results for software companies for years. That tension revolves around Kubernetes. As a manager of cloud security and network infrastructure for a large regional bank put it, “Kubernetes ends up being this black hole of networking.” The analogy is apt. Like black holes, Kubernetes abstracts away much of the information traditionally used to understand and control networks. Like quantum theory, Kubernetes offers a new way to think about your network, but Continue reading

Netflix Releases bpftop: An eBPF-Based Application Monitor

Extended Berkeley Packet Filter, eBPF to its friends, enables you to run sandboxed programs in a privileged context in the Linux kernel. Netflix has unveiled bpftop, a new open source command-line tool designed to enhance the performance optimization and monitoring of eBPF applications. As the streaming giant continues integrating eBPF technology into its infrastructure, ensuring these applications operate efficiently has become a top priority.

Traefik Proxy v3 Adds WebAssembly and Kubernetes Gateway API Support

A leading open source reverse proxy and load balancer, Emile Vauge, Traefik’s creator, said previously in The New Stack, “Traditional reverse proxies were not well-suited for these dynamic environments.” Now, the Traefik Labs, the project’s parent company, introduced the first Release Candidate of Traefik Proxy v3. This new version now supports WebAssembly (Wasm), OpenTelemetry, and Kubernetes Gateway API. A Game-Changer for WebAssembly? WebAssembly support inclusion may prove a game-changer. Besides offering high-performance, language-agnostic capabilities for serverless and containerized applications, Traefik’s support provides Wasm with a larger potential market. “This is a major step towards a low friction extensibility story for Traefik as it brings broader plugins into its growing ecosystem while providing a great developer experience. with plugins that can be written in different languages and compiled directly into Wasm,” said Open Worldwide Application Security Project (OWASP) OpenTelemetry protocol (OTLP), will provide users with improved visibility into their applications. Since the Prometheus and Jesse Haka, a cloud architect at

How the Kubernetes Gateway API Beats Network Ingress

CHICAGO — Incoming traffic looking to access your network and platform probably uses the network’s ingress. But the ingress carries with it scaling, availability and security issues. For instance, said Kate Osborn, a software engineer at NGINX, suggested in this episode of TNS Makers recorded On the Road at KubeCon + CloudNative Con North America. “One of the biggest issues is it’s not extensible,” Osborn said. “So it’s a very simple resource. But there’s a bunch of complex routing that people want to do. And in Continue reading

Farewell to the Internet’s Master Timekeeper: David Mills

Photo by David Woolley, cc0 Dr. David L. Mills, the visionary behind the Network Time Protocol (NTP) that synchronizes time across billions of devices globally, died at age 85 on Jan. 17, 2024. The Chicago song goes, “Network Time Protocol (NTP) was, and is, essential for running the internet. As Cerf wrote, announcing the news of his passing, “He was such NTP. We don’t think about how hard it is to synchronize time around the world to within milliseconds. But everything, and I mean everything, depends on NTP’s accuracy. It’s not just the internet, it’s financial markets, power grids, GPS, cryptography, and far, far more.

The Terrapin Attack: A New Threat to SSH Integrity

This new vulnerability, Terrapin, breaks the integrity of SSH’s secure channel. Yes, that’s just as bad as it sounds. Anyone who does anything on the cloud or programming uses Secure Shell (SSH). So any vulnerability is bad news. Guess what? I’ve got some bad news. Researchers at Ruhr University have found a  significant vulnerability in the SSH cryptographic network protocol, which they’ve labeled CVE-2023-48795: General Protocol Flaw; CVE-2023-46446: Rogue Session Attack in AsyncSSH poses a serious threat to internet security. Terrapin enables attackers to compromise the integrity of SSH connections, which are widely used for secure access to network services. The Terrapin attack targets the SSH protocol by manipulating prefix sequence numbers during the handshake process. This manipulation enables attackers to remove messages sent by the client or server at the beginning of the secure channel without detection. The attack can lead to using less secure client authentication algorithms and deactivation-specific countermeasures against keystroke timing attacks in OpenSSH 9.5. Terrapin is a Man-in-the-Middle The good news — yes, there is good news — is that while the Terrapin attack Continue reading

OpenSpeedTest: Check the Speed of your LAN via Web Browser

Imagine you’re developing an application for your internal network that requires a certain network speed to function properly. You could open a web browser and point it to one of the many network speed tests on the market but I’m sure you know what that does… it tests your connection to the outside world. What if you’re looking to test the speed of your LAN itself? OpenSpeedTest comes in. OpenSpeedTest is a free, open source HTML5 network performance estimation tool that doesn’t require any client-side software or plugin to function. Once deployed, the tool can be accessed from a standard, modern web browser. Even better, OpenSpeedTest can be deployed with Docker. It uses a combination of NGINX and Alpine Linux to use very little resources on your Docker server. You can run OpenSpeedTest with or without

Why Is IPv6 Adoption Slow?

IPv6, the most recent version of the Internet Protocol, was designed to overcome the address-space limitations of IPv4, which has been overwhelmed by the explosion of the digital ecosystem. Although major companies like Google, Meta, Microsoft and YouTube are gradually adopting IPv6, the overall adoption of this technologically superior protocol has been slow. As of September, only 22% of websites have made the switch. What is slowing the adoption of IPv6? Let’s take a walk through the possible causes and potential solutions. Why IPv6? IPv6 has a 128-bit address format that allows for a vastly larger number of unique IP addresses than its predecessor, IPv4. The latter uses a 32-bit address format and has an address catalog sufficient for only340 undecillion (340 trillion³) addresses, more than enough to accommodate the projected surge of devices. In addition to expanding the address space, IPv6 offers these improvements: Streamlined network management: Unlike IPv4, which requires manual configuration or external servers like DHCP (Dynamic Host Configuration Protocol), IPv6 supports stateless Continue reading

Effective Traffic Management with Kubernetes Gateway API Policies

In this article, we will embark on an in-depth journey into Kubernetes Gateway API policies and their pivotal role in managing and controlling traffic within Kubernetes clusters. Gateway API logo With a comprehensive understanding of these policies, how they can be effectively leveraged, and the transformative impact they can have on traffic management strategies, you will be equipped with the knowledge and practical insights needed to harness the full potential of Kubernetes Gateway API policies for optimized traffic management. Benefits of Using Kubernetes Gateway API for Traffic Management Kubernetes Gateway API introduces a paradigm shift in how we manage and control traffic within Kubernetes clusters, offering a range of significant advantages. First and foremost, it simplifies configuration by abstracting away complexities and providing a user-friendly, declarative approach to define routing and traffic policies. Furthermore, its native integration with Kubernetes ensures a seamless fit, leveraging Kubernetes’ orchestration and scalability capabilities. With  the Kubernetes Gateway API, fine-grained control over traffic becomes possible, allowing for precise management with policies applied at various stages, from request routing to response transformations. As applications scale, the Kubernetes Gateway API scales effortlessly, handling high traffic loads and adapting to changing workloads without manual intervention. It incorporates Continue reading

Enhancing Kubernetes Networking with the Gateway API

Kubernetes, the stalwart of container orchestration, has ushered in a new era of application deployment and management. But as the Kubernetes ecosystem evolves, networking  within these clusters has posed persistent challenges. Enter the Gateway API, a transformative solution poised to redefine Kubernetes networking as we know it. At its core, the Gateway API represents a paradigm shift in Kubernetes networking. It offers a standardized approach to configuring and managing network routing, traffic shaping, and security policies within Kubernetes clusters. This standardization brings with it a host of compelling advantages. Firstly, it simplifies the intricate world of networking. By providing a declarative and consistent method to define routing rules, it liberates developers and operators from the complexities of network intricacies. This shift allows them to channel their energies toward refining application logic. The Gateway API doesn’t stop there; it brings scalability to the forefront. Traditional Kubernetes networking solutions, like Ingress controllers, often falter under the weight of burgeoning workloads. In contrast, the Gateway API is engineered to gracefully handle high loads, promising superior performance for modern, dynamic applications. NGINX, now a part of F5, is the company behind the popular open source project, NGINX. NGINX offers a suite of technologies Continue reading

Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF

eBPF (extended Berkeley packet filter) is a powerful technology that operates directly within the Linux kernel, offering robust hooks for extending runtime observability, security, and networking capabilities across various deployment environments. While eBPF has gained widespread adoption, organizations are encouraged to leverage tools and layers built on eBPF to effectively harness its functionality. For instance, Gartner advises that most enterprises lack the expertise to directly utilize Cilium offers additional capabilities with eBPF to help secure the network connectivity between runtimes deployed on Docker and Kubernetes, as well as other environments, including bare metal and virtual machines. Isovalent, which created Cilium and donated it to the CNCF, and the contributors are also, in parallel, developing Cilium capabilities to offer network observability and network security functionality through Cilium sub-projects consisting of Hubble and Tetragon, respectively. This graduation certifies that Cilium — created by

Performant and Programmable Telco Networking with eBPF

To keep the world connected, telecommunication networks demand performance and programmability to meet customers when and where they are, from streaming the winning goal of the world cup to coordinating responses to the latest natural disaster. When switchboards were still run by human operators, telco companies were all about custom hardware with “black boxes” from vendors providing the speed the network needed. These black boxes controlled the performance of the network, which also made it dependent on where they were actually deployed. As telcos moved from traditional phone calls to additional services like messaging and mobile data, the demands on the network pushed the boundaries of what was possible. Network Functions Virtualization (NFV) sought to allow telcos to use “white box” commodity hardware to scale out throughput and increase flexibility. Technologies like the Data Plane Development Kit (

1 2 3 15