Contributed"> Deploy Kubernetes Behind Firewalls Using These Techniques - The New Stack
TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
Open Source Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
AWS Adds Support, Drops Prices, for Redis-Forked Valkey
Oct 10th 2024 1:41pm, by Joab Jackson
OSI Finalizes a ‘Humble’ First Definition of Open Source AI
Oct 10th 2024 12:00pm, by Heather Joslyn
Avoiding a Geopolitical Open Source Apocalypse
Oct 9th 2024 10:00am, by Randy Bias
OSI’s Definition of Open Source AI Raises Critical Legal Concerns for Developers and Businesses
Oct 7th 2024 10:20am, by Luca Antiga
How the Argo Project Is Avoiding WordPress-Type Problems
Oct 4th 2024 11:00am, by Dan Garfield
Start Securing Decentralized Clouds With Confidential VMs
Oct 10th 2024 10:00am, by Jonathan Schemoul
Tetrate, Bloomberg Collaborate on Envoy-Based AI Gateways
Oct 7th 2024 2:00pm, by Steven J. Vaughan-Nichols
Anyscale: New Optimized Runtime for Ray, Kubernetes Operator
Oct 7th 2024 1:00pm, by Chris J. Preimesberger
NGINX One Console: Not for Experts Only
Oct 4th 2024 12:39pm, by B. Cameron Gain
Why NoSQL Deployments Are Failing at Scale
Oct 4th 2024 10:00am, by Sunny Bains
How Nvidia Scaled Its Cloud Services With KubeVirt
Oct 4th 2024 6:18am, by Jonathan Gershater
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
Abstracting Cloud SDKs, Starting With the Runtime
Oct 1st 2024 8:42am, by Rak Siva
Microsoft Open Sources OpenHCL, a Linux-Based 'Paravisor'
Sep 24th 2024 11:00am, by Steven J. Vaughan-Nichols
What Is Testcontainers, and Why Should You Care?
Sep 17th 2024 7:53am, by Kevin Wittek
Integration of AI With IoT Brings Agents to Physical World
Oct 8th 2024 7:46am, by Janakiram MSV
From VMs to AI: How Edge Computing Is Evolving
Sep 13th 2024 3:54am, by Ben Cohen
The New 2GB Raspberry Pi 5: Another Option for Linux Sysadmins
Sep 2nd 2024 9:00am, by Damon M. Garn
Golang Pub/Sub: Why It’s Better When Combined With GoFr
Aug 28th 2024 6:00am, by Robert Kimani
With eLxr, Wind River Brings Debian Linux to the Edge
Aug 12th 2024 1:30pm, by Joab Jackson
How To Secure Microservices in a Multicloud Architecture
Oct 7th 2024 12:30pm, by Manas Chowdhury
Binary Provenance, SBOMs and the Software Supply Chain for Humans
Oct 1st 2024 10:00am, by Mike Long
Platform Engineering Reshapes Software Dev at Bechtle
Sep 4th 2024 6:00am, by Todd R. Weiss
Shift Left on a Budget: Cost-Savvy Testing for Microservices
Aug 27th 2024 12:03pm, by Nočnica Mellifera
Remocal Development: The Future of Efficient Kubernetes Workflows
Aug 25th 2024 10:00am, by Anita Ihuman
Internet Architecture Board ISO Future Networking Tech
Sep 29th 2024 8:00am, by Joab Jackson
Git: Set Up a Local Repository Accessible by LAN
Sep 28th 2024 9:00am, by Jack Wallen
Linux: Create and Connect to an NFS Share
Sep 21st 2024 8:00am, by Jack Wallen
AlmaLinux: Deploy a DHCP Server for Your Internal Network
Sep 14th 2024 7:00am, by Jack Wallen
How Meta Is Reinforcing its Global Network for AI Traffic
Sep 12th 2024 11:45am, by Joab Jackson
Azure Durable Functions: FaaS for Complex Workflows
Aug 15th 2024 8:16am, by Lily Ma and David Justo
Momento: Caching at Scale and More, Without All the Hassle
Jul 22nd 2024 11:23am, by Susan Hall
WebAssembly and Kubernetes Go Better Together: Matt Butcher
May 22nd 2024 2:00pm, by Raghavan "Rags" Srinivas
How to Conquer Cold Starts for Better Performance
Apr 25th 2024 9:17am, by Henry Hamid Safi
Meet DBOS: A Database Alternative to Kubernetes 
Mar 12th 2024 4:00am, by Joab Jackson
Kubernetes Advances Cloud Native Data Protection: Share Feedback
Oct 9th 2024 7:00am, by Mark Lavi
Redis Users Want a Change
Oct 2nd 2024 9:00am, by Aleksandra Mitroshkina
Linux: Recover Files From a Machine That Won't Boot
Sep 29th 2024 6:00am, by Jack Wallen
Columnar Storage: A Developer’s Key to Real-Time Analytics
Sep 27th 2024 7:00am, by Steph Rogers
Bring Storage and Databases Under Kubernetes Control
Sep 23rd 2024 1:00pm, by Murli Thirumale
AI Large Language Models Frontend Development Software Development API Management Python JavaScript TypeScript WebAssembly Cloud Services Data Security
Atlassian’s New AI Product Gives Developers Access to Agents
Oct 10th 2024 1:00pm, by
OSI Finalizes a ‘Humble’ First Definition of Open Source AI
Oct 10th 2024 12:00pm, by
Agents Shift GenAI From Order Takers to Collaborators
Oct 10th 2024 9:00am, by
How AI Agents Are About To Change Your Digital Life
Oct 10th 2024 6:16am, by
Checks by Google: AI-Powered Compliance for Apps and Code
Oct 9th 2024 11:00am, by
AI Agents and Copilots: SAP Introduces Deeper Integrations
Oct 9th 2024 9:12am, by
PDFs Get an Easier Entry to GenAI via New RAG Architecture
Oct 8th 2024 6:27am, by
Mix Human Expertise With LLM Assistance for Easier Coding
Oct 7th 2024 8:00am, by
Microsoft Sees Devs Embracing a ‘Paradigm Shift’ to GenAIOps
Oct 4th 2024 8:28am, by
Build an AI-Powered Question-Answering Application
Oct 3rd 2024 2:00pm, by
JavaScript Due for New Time, Date and Set Features Next Year
Oct 9th 2024 8:19am, by
OpenAI Launches New ChatGPT Interface, Designed for Coding
Oct 5th 2024 7:00am, by
Introduction to Laravel for Ruby on Rails or Django Fans
Oct 5th 2024 5:00am, by
Vite Creator Launches Company To Build JavaScript Toolchain
Oct 3rd 2024 11:00am, by
The Pros and Cons of Web Components, Via Lit and Shoelace
Sep 29th 2024 7:00am, by
How to Install Python 3.13? Use the Interactive Interpreter
Oct 11th 2024 6:36am, by
Atlassian’s New AI Product Gives Developers Access to Agents
Oct 10th 2024 1:00pm, by
How To Work With Date and Time in Python
Oct 10th 2024 7:14am, by
Rust's Expanding Horizons: Memory Safe and Lightning Fast
Oct 10th 2024 5:00am, by
Python 3.13: Blazing New Trails in Performance and Scale
Oct 7th 2024 11:21am, by and
API Gateway Checklist: How Strong Is Your API's Front Door?
Oct 8th 2024 8:45am, by
AI for APIs: Techniques for AI-Assisted SDK Generation
Oct 6th 2024 5:00am, by
Zen and the Art (and Science) of API Development
Oct 3rd 2024 7:00am, by
How To Strengthen API Security With Zero Trust
Oct 2nd 2024 10:00am, by
OpenAI's Realtime API Takes a Bow
Oct 1st 2024 9:05pm, by
How to Install Python 3.13? Use the Interactive Interpreter
Oct 11th 2024 6:36am, by
How To Work With Date and Time in Python
Oct 10th 2024 7:14am, by
Python 3.13: Blazing New Trails in Performance and Scale
Oct 7th 2024 11:21am, by and
Handling Edge Cases and Exceptions in Python
Sep 28th 2024 5:00am, by
How To Get Started With Native Python
Sep 27th 2024 8:00am, by
JavaScript Due for New Time, Date and Set Features Next Year
Oct 9th 2024 8:19am, by
Mix Human Expertise With LLM Assistance for Easier Coding
Oct 7th 2024 8:00am, by
OpenAI Launches New ChatGPT Interface, Designed for Coding
Oct 5th 2024 7:00am, by
Vite Creator Launches Company To Build JavaScript Toolchain
Oct 3rd 2024 11:00am, by
Behind the Scenes at the JavaScript Registry
Oct 3rd 2024 6:00am, by
Why ChatGPT Shifted From Next.js To Remix: Some Theories
Sep 14th 2024 8:05am, by
Is React Now a Full Stack Framework? And Other Dev News
Aug 31st 2024 5:00am, by
Implementing IAM in NestJS: The Essential Guide
Aug 30th 2024 6:26am, by
TypeScript 5.5: Faster, Smarter and More Powerful
Jun 25th 2024 6:41am, by
UIX: A Full Stack Web Dev Framework Leveraging Deno
Jun 11th 2024 11:30am, by
Traefik 3.0 Works Better With WebAssembly and OpenTelemetry
Sep 17th 2024 1:30pm, by
Arcjet Launches: Wasm-Powered Security for Modern Developers
Sep 10th 2024 2:05pm, by
Golang for WebAssembly Can Now Work Like IT Should
Aug 9th 2024 9:00am, by
How To Run WebAssembly on Kubernetes
Jul 28th 2024 10:00am, by
Chicory: Write to WebAssembly, Overcome JVM Shortcomings 
Jul 19th 2024 12:33pm, by
AWS Adds Support, Drops Prices, for Redis-Forked Valkey
Oct 10th 2024 1:41pm, by
Start Securing Decentralized Clouds With Confidential VMs
Oct 10th 2024 10:00am, by
3 Key Practices for Perfecting Cloud Native Architecture
Sep 24th 2024 10:00am, by
AWS Transfers OpenSearch to the Linux Foundation
Sep 17th 2024 12:33pm, by
Why Cloud Migrations Fail
Sep 13th 2024 11:05am, by
Kubernetes Advances Cloud Native Data Protection: Share Feedback
Oct 9th 2024 7:00am, by
How to Handle Bad Data in Event Streams
Oct 8th 2024 11:00am, by
Unlock GA4 Insights: BigQuery SQL Recipes for Key Metrics
Oct 8th 2024 10:00am, by
With WarpStream, Confluent Got a New Type of Kafka Platform
Oct 1st 2024 7:11am, by
OpenAI Structured Outputs: How-To Guide for Developers
Sep 27th 2024 9:00am, by
Runtime Context: Missing Piece in Kubernetes Security
Oct 11th 2024 7:30am, by
Start Securing Decentralized Clouds With Confidential VMs
Oct 10th 2024 10:00am, by
API Gateway Checklist: How Strong Is Your API's Front Door?
Oct 8th 2024 8:45am, by
How To Secure Microservices in a Multicloud Architecture
Oct 7th 2024 12:30pm, by
A Guide to Linux Access Control Lists
Oct 6th 2024 6:00am, by
Platform Engineering Operations CI/CD Tech Careers Tech Culture DevOps Kubernetes Observability Service Mesh
Building an Internal Developer Platform: 4 Essential Pillars
Oct 7th 2024 6:21am, by Ritesh Patel
Microsoft Taking Up the Mantra of Platform Engineering
Oct 4th 2024 7:23am, by Todd R. Weiss
How to Build an Internal Developer Platform Like a Product
Sep 23rd 2024 10:57am, by Jennifer Riggins
Platform Engineering Reshapes Software Dev at Bechtle
Sep 4th 2024 6:00am, by Todd R. Weiss
Build Platform Engineering as a Product for Dev Adoption
Sep 2nd 2024 6:00am, by Todd R. Weiss
eBPF Is Coming for Windows
Oct 11th 2024 9:00am, by Joab Jackson
Buildkite Expands Scale-Out Continuous Delivery Platform
Oct 9th 2024 1:22pm, by Joab Jackson
NGINX One Console: Not for Experts Only
Oct 4th 2024 12:39pm, by B. Cameron Gain
SSHamble: Test Your Servers for Potential SSH Issues
Oct 4th 2024 9:00am, by Jack Wallen
The 4 Evolutions of Your Observability Journey
Oct 3rd 2024 9:00am, by Hazel Weakly
How the Argo Project Is Avoiding WordPress-Type Problems
Oct 4th 2024 11:00am, by Dan Garfield
Implement Third-Party Authentication With Google in Next.js
Oct 4th 2024 9:00am, by Vinod Pal
End of the Road for JavaFX in JDK 8: Keeping Your Apps Alive
Oct 3rd 2024 1:00pm, by Frank Delporte
How Generative AI Is Revolutionizing Debugging
Sep 25th 2024 8:30am, by Eran Kinsbruner
Stop Blaming Regulation for Poor Software Delivery Performance
Sep 24th 2024 12:00pm, by Steve Fenton
It's Critical To Resolve the DevOps Tax on Central Teams
Oct 6th 2024 10:00am, by Travis McPeak
Developer Relations Relies on Authenticity and Trust
Oct 5th 2024 10:00am, by Sarah Guthals
Developer Relations Foundation Aims to Clarify Role
Oct 2nd 2024 12:00pm, by Loraine Lawson
What a CTO Learned at Nvidia About Managing Engineers
Sep 26th 2024 9:20am, by Heather Joslyn
Kelsey Hightower on What’s Next for Developers After GenAI
Sep 17th 2024 11:30am, by Joe Fay
Zorin OS: The Perfect Linux Distro for Migrating From Windows
Oct 5th 2024 8:00am, by Jack Wallen
Lost 1983 Programming Language Resurrected by Retro Compute YouTube Channel
Oct 5th 2024 6:00am, by David Cassel
Developer Relations Foundation Aims to Clarify Role
Oct 2nd 2024 12:00pm, by Loraine Lawson
Social Web Foundation Launched — How In Is W3C on Fediverse?
Sep 24th 2024 6:00am, by Richard MacManus
How To Find Success With Code Reviews
Sep 19th 2024 5:00am, by Loraine Lawson
Building an Internal Developer Platform: 4 Essential Pillars
Oct 7th 2024 6:21am, by Ritesh Patel
It's Critical To Resolve the DevOps Tax on Central Teams
Oct 6th 2024 10:00am, by Travis McPeak
Developer Relations Relies on Authenticity and Trust
Oct 5th 2024 10:00am, by Sarah Guthals
Open Source Supply Chains Can Fix Your Dependency Headaches
Oct 3rd 2024 10:00am, by Sam Snyder
The 4 Evolutions of Your Observability Journey
Oct 3rd 2024 9:00am, by Hazel Weakly
Deploy Kubernetes Behind Firewalls Using These Techniques
Oct 11th 2024 10:00am, by Mohan Sitaram
Runtime Context: Missing Piece in Kubernetes Security
Oct 11th 2024 7:30am, by Oshrat Nir
Kubernetes Advances Cloud Native Data Protection: Share Feedback
Oct 9th 2024 7:00am, by Mark Lavi
How Nvidia Scaled Its Cloud Services With KubeVirt
Oct 4th 2024 6:18am, by Jonathan Gershater
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
OpenTelemetry Challenges: Handling Long-Running Spans
Oct 10th 2024 11:00am, by Hazel Weakly
Unlock GA4 Insights: BigQuery SQL Recipes for Key Metrics
Oct 8th 2024 10:00am, by Kevin Leary
Key Trends Shaping the Observability Market
Oct 4th 2024 8:00am, by Krishna Yadappanavar
The 4 Evolutions of Your Observability Journey
Oct 3rd 2024 9:00am, by Hazel Weakly
Why Grafana Offers $100,000 to Startups for Observability
Sep 28th 2024 4:00am, by B. Cameron Gain
Tetrate, Bloomberg Collaborate on Envoy-Based AI Gateways
Oct 7th 2024 2:00pm, by Steven J. Vaughan-Nichols
Istio 1.23 Drops the Sidecar for a Simpler 'Ambient Mesh'
Aug 19th 2024 12:59pm, by Joab Jackson
Can Cilium Be a Control Plane Beyond Kubernetes?
Jul 28th 2024 6:00am, by Alex Williams
6 Tips to Integrate Container Orchestration and APM Tools
May 20th 2024 11:03am, by Chris Cooney
Enhancing Business Security and Compliance with Service Mesh
Apr 1st 2024 10:00am, by Ninad Desai
Kubernetes

Deploy Kubernetes Behind Firewalls Using These Techniques

Actionable Strategies for Overcoming the Challenges of Deploying and Managing Kubernetes in Firewalled Environments
Oct 11th, 2024 10:00am by
Featued image for: Deploy Kubernetes Behind Firewalls Using These Techniques
Photo by Growtika on Unsplash

As Kubernetes and cloud native systems become the de facto standard for deploying and managing modern applications, their expansion into restricted or firewalled environments brings unique challenges. These environments are often driven by regulatory compliance, security concerns, or organizational policies, which present architectural, operational, and security-related hurdles. This article delves into the intricacies of deploying Kubernetes clusters behind firewalls, offering solutions and strategies to overcome these obstacles.

A firewalled or restricted environment limits external internet access to ensure data security and protect systems from unauthorized intrusions. These environments are typical in industries with stringent regulatory requirements, such as finance, healthcare, and government. In such environments, only specific types of traffic are permitted, often with strict oversight. While these controls enhance security, they create significant challenges for modern cloud native infrastructures like Kubernetes, which rely on internet access for features such as cluster management, image pulling, and external API communications.

Challenges of Deploying Kubernetes in Firewalled Environments

  1. Image Management and Distribution: Kubernetes applications require container images to be served from container registries such as Docker Hub, gcr.io, or quay.io. In firewalled environments, accessing these registries is often restricted or completely blocked. This can prevent image pulling, hindering the ability to deploy and upgrade applications.

Solution: To address this, enterprises can use registries that have repository replication or pull-through caching capabilities to host container images locally within the firewall. These registries can either replicate or pull images from external registries in a controlled manner, ensuring that the necessary container images are available without constant internet access. Registries like Harbor provide secure, internal image repositories for such environments. Further, utilizing image promotion workflows ensures that only vetted images from external sources make it into the secure registry.

Another approach I’ve used is to copy the images via a gateway or proxy server with connectivity to both source and destination registries. This solution might work where the source and destination registries’ capabilities are unknown. Tools like imgpkg, crane, or skopeo can copy images between registries that cross firewall boundaries. For example, the imgpkg packaging format bundles an application’s helm chart and its container images as a single unit. An imgpkg bundle can be exported as a tar archive from the source registry to the proxy server’s local filesystem. This tar archive can then be pushed to the registry running behind the firewall, and imgpkg ensures that the registry references in the application’s helm chart inside the bundle are automatically updated to point to the destination registry.

  1. Cluster Management and Control Plane Access: Kubernetes’ control plane (API server, etc.) must communicate with the worker nodes and external cloud APIs to manage the cluster. However, in firewalled environments, external access to these APIs or control plane components is often blocked or limited, posing significant challenges for monitoring, scaling, and controlling the cluster.

Solution: Organizations can establish reverse proxying and VPN tunneling techniques to overcome this. A reverse proxy deployed in a demilitarized zone (DMZ) can handle API requests from within the firewall while providing a secure entry point. Additionally, bastion hosts and VPN gateways can allow controlled, secure access to the Kubernetes control plane. These hosts reside outside the internal network but act as a bridge between the restricted environment and external services, allowing administrators to interact with the cluster without violating firewall policies.

For example, Azure allows the creation of “private” AKS clusters that are deployed in an enterprise’s private network. Access to the control plane of private AKS clusters is restricted by default for security reasons. But Azure also provides solutions like Azure Bastion, which provides secure access to a private cluster from the outside world. The user connects to Azure Bastion via RDP or SSH from their local computer and can access the private cluster by proxy. Bastion takes care of securing traffic to the private cluster.

  1. External Dependencies and DNS Resolution: Sometimes, an application running on an air-gapped Kubernetes cluster may need to pull an external dependency for which it may need to resolve a hostname outside the firewall. Access to public DNS like Google DNS or Cloudflare DNS may not be directly available from inside the pod, and the application may not be able to pull the dependency and fail to start. This will force the organization or the application developer to resolve the dependency within the firewall which may only sometimes be feasible.

Solution: Use DNS forwarding in CoreDNS. CoreDNS is the default DNS resolver in Kubernetes clusters and can be configured to resolve external DNS queries from within the firewall. CoreDNS can be modified to forward DNS queries to specific hostnames (like www.example.com) to external resolvers and resolve all other queries within the firewall. This is done by using the “forward” CoreDNS plugin to forward the query for www.example.com to Google or CloudFlare DNS and forward everything else (represented by a ‘.’) to the local resolver by just pointing them to /etc/resolv.conf This ensures that critical DNS resolution is not blocked by firewall policies and also allows the firewall administrator to keep their network secure by allowing only specific external queries.

  1. Updates, Patches, and Kubernetes Components: Regular updates and patches to Kubernetes components are essential for maintaining security, compliance, and performance. However, automated updates may be blocked in firewalled environments, leaving clusters vulnerable to security risks.

Solution: Use local mirrors and internal container registries to update the cluster. Kubernetes installation tools like Kubespray allow cluster management in offline environments. Installing and patching Kubernetes via Kubespray requires access to static files like kubectl and kubeadm, OS packages and a few container images for the core Kubernetes components. Static files can be served by running an nginx/HAproxy server inside the firewall. OS packages can be obtained by deploying a local mirror of a yum or Debian repository. And the container images required by Kubespray can be served by running local instances of a ‘kind’ or docker registry with pre-populated images.

Additionally, companies can use continuous integration/continuous delivery (CI/CD) pipelines to handle updates in a controlled manner, with local testing and validation on staging clusters before rolling out changes to production clusters. GitOps is a subcategory of CI/CD that automatically deploys changes to a target environment triggered by commits to a Git repository. Staging and production clusters can be mapped to different Git branches and upgrades and patches can be rolled out strategically by committing changes to the staging branch first, testing it thoroughly, and only then committing the same change to the production branch. This ensures that the cluster is up to date with the latest security patches despite not having automatic updates.

  1. Third-Party Integrations and Monitoring: Modern Kubernetes applications often rely on third-party integrations like Datadog and external storage solutions like AWS S3 or Google Cloud Storage. In a firewalled environment, outbound traffic is restricted, preventing direct communication with these cloud-hosted services.

Solution: Organizations can deploy self-hosted alternatives within their firewalled environment to maintain observability and monitoring. For example, Prometheus and Grafana can be deployed internally to handle metrics and visualization, while distributed storage solutions like Ceph or MinIO can replace external cloud storage. These tools can replicate the functionality of external services while ensuring that all data remains securely within the firewall. Container images and helm charts for self-hosted alternatives can be pulled into the air-gapped environment using the image management and distribution technique outlined earlier.

  1. Security Policies and Compliance: Security and compliance concerns are often the primary reason for deploying Kubernetes in firewall environments. Industries like healthcare and finance require strict adherence to regulations like HIPAA and PCI-DSS, which mandate the use of secure environments with restricted access to sensitive data.

Solution: Kubernetes’ native features, such as Pod Security Policies (PSPs), Role-Based Access Control (RBAC), and Network Policies, can be leveraged to enhance the security of the Kubernetes cluster within a firewalled environment. Additionally, deploying service meshes like Istio or Linkerd can provide fine-grained traffic control and security, ensuring that only authorized services communicate. These meshes also offer mutual TLS (mTLS) for encrypting traffic between microservices, further enhancing security and compliance.

  1. Ingress control and Load Balancing: In firewalled environments, external load balancing services (like AWS ELB or GCP Load Balancers) may not be available, causing difficulties in routing traffic to services running within the Kubernetes cluster. Kubernetes’ built-in NodePort-type services are not secure as they require a non-standard port to be opened on all the Kubernetes nodes. Each service that needs to be exposed outside the cluster requires a separate NodePort service, thus complicating the firewall administration.

Solution: To expose services outside the cluster, an ingress gateway like Istio or Contour can serve as a proxy that routes traffic to those services. They secure access to the internal services as they can terminate TLS traffic and serve as the single entry point for all services that need to be exposed.

Private load balancing solutions like MetalLB can be deployed to provide high availability of the IP/hostname for the ingress gateway. Using a combination of MetalLB and an ingress gateway improves security. There would be just one IP address/hostname to protect, and all network traffic to all exposed services would be encrypted.

Deploying and managing Kubernetes in firewalled environments introduces unique challenges, from image management and control plane access to DNS resolution and third-party integrations. However, with the right strategies and tools, organizations can harness the power of Kubernetes while maintaining the security, compliance, and operational stability required by their firewalled infrastructure. Techniques such as container registry image replication, DNS forwarding for specific queries, VPN tunnels, ingress gateways, and self-hosted monitoring tools ensure that Kubernetes remains a viable solution even in the most restricted environments.

Organizations aiming to adopt cloud native technologies behind firewalls must design their infrastructure thoughtfully, ensuring that security requirements are met without sacrificing the scalability and flexibility that Kubernetes offers. By leveraging the above solutions, Kubernetes clusters can operate effectively, even in highly restricted environments.

TRENDING STORIES
Group Created with Sketch.
Mohan Sitaram is a seasoned technical leader with over 13 years of experience in software development and testing for large-scale systems. Throughout his career, Mohan has demonstrated a strong ability to understand complex, ambiguous customer use cases and lead cross-geographical...
Read more from Mohan Sitaram
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Control, Docker.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.