EKS (Elastic Kubernetes Service) is popular! It allows you to deploy apps without managing the Kubernetes mgmt plane yourself. If you're planning to run an app using EKS, you will likely need to consider ingress security along with that app. Securing traffic into Kubernetes is a topic we love to talk about at F5.
Why would you want a demo securing traffic into EKS?
It's fully automated! Since most people are new to Kubernetes (k8s for short), I find myself in need of a quick demo that's totally open for anyone to run. This way after I demo, the audience can go back to run it on their own, decompose it for themselves, and take their own time to understand it all.
If you don't have a workstation with Terraform installed, don't worry! You can easily set up the client workstation you need by deploying this demo workstation, which will have all the required tools. Then, configure your AWS IAM credentials.
When building a cloud solution example, I try to stay as "vendor neutral" as practical and avoid using 3rd party tools when possible. For example, I have written a demo using AWS Lambda functions, instead of a 3rd party automation tool, for post-deployment configuration. This might be preferred if you do not (or cannot) use a particular 3rd party tool. So I originally started down the path of following this article to completely build an EKS demo via CFT. I planned to extend the quickstart demo to include an ingress controller and security policy, along with an app to protect. I guess I planned to use Lambda functions again. However, after talking about this with colleagues, the workarounds came to seem silly: nobody would do this in real life, so constraining myself to only using a CFT seemed unnecessary. Instead I chose to use the ubiquitous tool Terraform. This is easier to use and also saves me from requiring a user to have a few other tools, like kubectl, helm, and aws-iam-authenticator, etc. So, for better or worse, Terraform is a pre-req here. The workstation I've used is Ubuntu 18.04.
Now, for the demo
You'll need Terraform set up and your AWS credentials configured.
Optionally, deploy a demo workstation by following the ReadMe guide here.
Configure your AWS credentials in a demo account. Remember, this demo will deploy AWS resources that will cost you money via your AWS bill. Don't forget to destroy all resources at the end of your demo.
If you choose to skip this step, proceed with your own client workstation. But if you hit failures, I recommend using this demo workstation, since it is what I used when building this demo.
Connect to your workstation and run these commands. When prompted for confirmation, type "yes" as instructed.
git clone https://github.com/mikeoleary/aws-eks-bigip-terraform
You've deployed! You will need to wait around 20 mins for everything to deploy: a VPC, EKS, a BIG-IP, and then an application in EKS to be protected by BIG-IP.
To see your finished product:
Once your Terraform commands have completed, you should see output values. If not, type this and take a note of the output values:
Now, open a web browser and visit http://<public_ip_app>.
If you want to inspect the configuration of BIG-IP, visit https://<public_dns> and login with username admin and password <password>.
If you want to see the pods, service, or configmap running in EKS, run:
the helm deployment was configured so that F5 CIS will point at the BIG-IP mgmt address, and use the secret generated earlier.
After all this, the components are all in place. We have an app in k8s that is exposed to ingress traffic, which is routed via the BIG-IP and automatically updated. Our app is protected!
Call to Action
Please use this demo to teach yourself and show your colleagues:
how critical it is to secure traffic into your container environment
how you can automate this process by using the tools you wish, and F5's extensive API's for automation.
Please leave me a note with feedback if you are able to use this demo. I would like it to be useful for you. Let me know how I can make it more useful, or feel free to contribute to the repo yourself. Thanks!