Connecting to OKE private API with NetFoundry networking

June 28, 2021 | 5 minute read
Raj Hindocha
ISV Cloud Architect

Oracle Cloud Infrastructure (OCI) and Oracle Container Engine for Kubernetes (OKE) reduce the operational burden of setting up and managing enterprise-grade Kubernetes clusters. NetFoundry and Oracle recognize that connecting to your Kubernetes cluster and its ecosystem is complex, so NetFoundry allows you to connect while adhering to the following Oracle best practice design principles:

  • Secure by default: OKE hardens Kubernetes clusters following Enterprise Security best practices.

  • Simplified Kubernetes operations: OKE manages your cluster resources and automates recurrent Kubernetes administration and scaling tasks.

  • High performance: Containerized applications run on high-performance compute resources through OCI’s non-blocking network.

The problem with an exposed API

A few years ago, the first major vulnerability (CVE-2018-1002105) was discovered in Kubernetes. This vulnerability was present in a default installation of the Kubernetes API server and allowed an attacker to access backend cluster services. To make matters worse, the attacker’s proxied session was authenticated and masquerading as the kube-apiserver’s identity. While this vulnerability has been fixed, the fact remains that there’s an obvious benefit to not exposing the Kubernetes API to attack in the first place. Researchers are warning of increasingly sophisticated attacks targeting Kubernetes, including the use of malware.

A private Kubernetes API with OKE

Oracle recently announced general availability of fully private Kubernetes clusters for Oracle Container Engine for Kubernetes (OKE). A Kubernetes administrator can connect to the private cluster API in various ways, such as FastConnect, VPN, an SSH bastion, and now NetFoundry networks.

You can connect to your private cluster through the following options:

  • Oracle FastConnect: A dedicated, private connection from point to point. FastConnect is cost-effective and quick to set up, but prerequisites like interconnects and last mile can be expensive, require months to provision, and are not a self-contained solution. Remote clients need to first connect to a corporate VPN.

  • VPN or SSH bastion: VPNs are quicker to set up but still have a public attack surface and introduce points of failure, give access to whole networks, often degrade network performance, and come with high management costs related to the issues they cause, with the average VPN issue taking 3.4 days to resolve. For these reasons, Gartner states that “zero trust network access (ZTNA) will replace 60% of VPNs by 2023.”

  • Static access controls: A source IP allowlist is an example of this approach. While limiting the attack vector to known source IPs, these restrictions can be cumbersome to maintain and are not portable in a world where source IPs are rarely fixed.

  • NetFoundry network: What is NetFoundry? Oracle and NetFoundry, an Oracle technology partner, have designed an alternative to circuit and VPN connectivity solutions using NetFoundry’s cloud native network-as-a-service (NaaS) platform. NetFoundry networks provide zero trust connectivity for any use case including edge, multicloud, internet of things (IoT), and on-premises infrastructure. NetFoundry networks are pure software, hosted and orchestrated by NetFoundry’s API-first platform. You can learn more about the NetFoundry zero trust platform by reading this post.

    How does NetFoundry solve these problems? NetFoundry software is installed with a single helm install command using Helm, the package manager for Kubernetes. Then, the Kubernetes administrator can access the private API from anywhere.

The NetFoundry way

You can deploy a NetFoundry network endpoint as a pod on your Kubernetes cluster with a Helm chart. You can then assign the endpoint in your NetFoundry network to host any service that is reachable from inside your Kubernetes cluster, such as the Kubernetes API used by kubectl, or any pod or service addressed by cluster-internal IP or cluster DNS that you want to expose to NetFoundry client endpoints.

Developer-friendly Ziti software development kit (SDK)

NetFoundry endpoints are built with open source Ziti. You can create your own endpoint instead of using NetFoundry’s tunneler apps for your client, your server, or both. With the Ziti SDK, you can embed all the networking capabilities of a Ziti endpoint directly in your application.

For Ziti samples, see the following resources:

  • Zero trust webhooks for GitHub
  • Zero trust webhooks for GitLab

Developer-friendly NetFoundry API

The NetFoundry platform is API-first. So, you can automate anything that you can do in the web console with HTTP requests. Today, the NetFoundry SDK has a general-purpose Python module and Ansible Collection. To learn more, check out the NetFoundry developer portal!

A graphic depicting the solution for a Ziti endpoint running as a pod in a private OKE cluster.

Remote connectivity to the Kubernetes API Server or other cluster workloads is forwarded through the NetFoundry overlay to the endpoint pod, which can reach the API from inside the cluster.

Step by step: Install Ziti with Helm

To install Ziti with Helm, use the following steps and resources:

  1. Get started with Oracle Cloud. For information on VCNs, see the documentation.
  2. Create a Kubernetes cluster in your OCI account with at least one worker node. You might need to upgrade your account to have billing enabled.
  3. Install kubectl on the remote host that you intend to use for administrative purposes.
  4. Install Helm, the package manager for Kubernetes.
  5. Sign up for a free trial with NetFoundry.

For the full demo quick start guide, see NetFoundry’s Kubernetes page.

After the pod is deployed, in addition to connecting to your containers in the cluster, you can manage your OKE cluster over a secure zero trust network.

Conclusion

In summary, we now have a fourth option from Oracle and NetFoundry that enables anyone to take advantage of fully private Kubernetes clusters without the drawbacks of the other solutions. We can create automated and private connectivity in minutes from any device to any public or private cloud with little training or specialized skills. We create zero trust private overlays, which can be highly granular, making OKE and its workloads invisible while retaining the reach and economics of the public internet. We achieve cloud-based consumption in an economic model with automation to increase uptime and availability and reduce operational management costs.
