F5 Friday: Container Ingress Services Gets K8s Native

F5 Ecosystem | April 19, 2019

The world of containers continues to mature at an astounding rate. The adoption of container-related application services both on-premises and in the cloud is a good indicator that this technology has gone from nascent technology to maturing ecosystem in short order.

As it matures, so does the integration of the enterprise-class technology required to support it. We see continuing maturation and fine-tuning of the other API economy; the one that enables rapid integration and expansion of the container ecosystem.

One of the exciting things about this maturation is it encourages traditionally enterprise-class offerings to move in the direction of container orchestration environments like Kubernetes. By "move in the direction" I mean rapidly adopt ideas like declarative API models that abstract domain expertise. In other words, simplify the integration and inclusion of systems and services like BIG-IP to enable a broader set of roles to configure, deploy, and operate the technology.

That's important because some application services - like a web application firewall - are most efficient and effective at addressing attacks and their undesirable consequences when deployed upstream from containers in the N-S ingress. But that often requires extensive domain expertise in both BIG-IP and WAF terminology and concepts. Addressing that obstacle is a primary objective of our automation and orchestration efforts which can be seen in the rapid evolution of our F5 Automation Toolchain.

Within that toolchain is AS3, the F5 Application Services 3 Extension. AS3 provides a modern (node.js) interface to BIG-IP that enables the consumption of declarative configurations to provision and operate BIG-IP delivered application services. When combined with the latest version of our Container Ingress Services (CIS), operators of container environments can employ BIG-IP delivered application services to secure and speed up APIs and applications.

Container Ingress Services, if you aren't familiar, is a Kubernetes native service that provides the glue between container services and BIG-IP. It watches for changes and communicates those to BIG-IP delivered application services. These, in turn, keep up with the rapid changes in container environments and enable enforcement of security policies.

This latest revision (Container Ingress Services 1.9) is exciting because it introduces native Kubernetes support for integration by moving from the use of annotations to ConfigMaps. This means you can use familiar Kubernetes language to integrate F5 application services by inserting an AS3 declaration in the data field of the ConfigMap. This includes embedding certificates and selecting load balancing algorithms as well as deploying the bare minimum OWASP Top 10 protections for an API or application.

The modern, Kubernetes-friendly declaration also enables the retrieval of the policy declaration from a repository. This enables SecDevOps (or DevSecOps or just SecOps, whatever your preference) to shift security left in a way that does not burden DevOps by requiring security or WAF expertise.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: f5-waf
      namespace: default
      labels:
        f5type: virtual-server
        as3: "true"
    data:
      template: |
        {
        # service, pool and logging declarations here
        "policyWAF": {
          "use": "owaspautotune"
        }
        # monitors and pool member declarations here
        "owaspautotune": {
          "class": "WAF_Policy",
          "url": "https://repository/pathToConfig/f5-as3-declarations/master/Common_WAF_Policy.xml",
          "ignoreChanges": true
        }

This native support gives DevOps and DevSecOps a way to easily and quickly deploy a web application firewall for the APIs, applications, and services these teams operate. Today, there is no Kubernetes language, like that for ingress or load balancers, that specifically enables security-related services. By supporting the use of ConfigMaps, Container Ingress Services offers a simplified means of integrating application security with Kubernetes using a more natural and familiar mechanism.
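A pre-apply check for a ConfigMap like the one above, as an added example (not F5's code): it verifies the labels, that the template is real JSON, that each policyWAF reference resolves to a WAF_Policy object, and that the policy is fetched over https without embedded credentials. The function names, the tenant/application skeleton and the repository.example host are constructed for illustration; the ConfigMap is taken in its JSON form, and "use" is assumed to be a name relative to the enclosing application.

```python
import json
from urllib.parse import urlsplit

def audit_as3_configmap(cm):
    """Return findings for a ConfigMap given as a dict (`kubectl get cm -o json` form)."""
    findings = []
    labels = cm.get("metadata", {}).get("labels", {})
    if labels.get("f5type") != "virtual-server" or labels.get("as3") != "true":
        findings.append('labels: expected f5type=virtual-server and as3="true"')
    try:
        decl = json.loads(cm.get("data", {}).get("template", ""))
    except json.JSONDecodeError as exc:
        return findings + [f"template: not valid JSON ({exc.msg})"]
    def walk(node, parent):
        if not isinstance(node, dict):
            return
        ref = node.get("policyWAF")
        if isinstance(ref, dict) and "use" in ref:
            # Assumption: "use" holds a name relative to the enclosing object.
            target = parent.get(ref["use"]) if parent else None
            if not (isinstance(target, dict) and target.get("class") == "WAF_Policy"):
                findings.append(f"policyWAF: '{ref['use']}' does not resolve to a WAF_Policy")
        if node.get("class") == "WAF_Policy":
            url = urlsplit(str(node.get("url", "")))
            if url.scheme != "https":
                findings.append(f"WAF_Policy: url scheme '{url.scheme}' is not https")
            if url.username or url.password:
                findings.append("WAF_Policy: credentials embedded in url")
        for child in node.values():
            walk(child, node)
    walk(decl, None)
    return findings

def sample_configmap(policy_name, url):
    """Constructed sample: metadata from the page, declaration skeleton assumed."""
    app = {"class": "Application", "template": "http",
           "serviceMain": {"class": "Service_HTTP", "virtualAddresses": ["192.0.2.10"],
                           "policyWAF": {"use": "owaspautotune"}},
           policy_name: {"class": "WAF_Policy", "url": url, "ignoreChanges": True}}
    decl = {"class": "AS3", "declaration": {"class": "ADC", "schemaVersion": "3.10.0",
            "demo_tenant": {"class": "Tenant", "demo_app": app}}}
    return {"kind": "ConfigMap", "apiVersion": "v1",
            "metadata": {"name": "f5-waf", "namespace": "default",
                         "labels": {"f5type": "virtual-server", "as3": "true"}},
            "data": {"template": json.dumps(decl)}}

GOOD = sample_configmap("owaspautotune", "https://repository.example/Common_WAF_Policy.xml")
BAD = sample_configmap("owasp_autotune", "http://repository.example/Common_WAF_Policy.xml")
```

A template that still contains `#` placeholder lines like the excerpt above is reported as invalid JSON, which is the intended result for a lint run before the ConfigMap is applied.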

RESOURCES

Get the latest F5 AS3 from GitHub

The latest (v1.9) Container Ingress Services from Docker Hub


About the Author

Lori Mac Vittie, Distinguished Engineer and Chief Evangelist
