Your app design, container platform, and underlying infrastructure provider all impact the security posture of your apps. Review the following recommendations and best practices for developing apps in your Gloo Gateway environment.
App design and deployment
The following general practices can help you deploy your apps securely.
- Follow the twelve-factor app methodology to guide your microservice development.
- Review the security concepts for your container orchestration platform, such as Kubernetes or OpenShift.
- Search for provider-specific app development guides such as IBM Cloud that can help you connect the best practices for app design with tools that the infrastructure provider offers.
- Store your Gloo Mesh and application configuration files in a configuration management system that is integrated into a DevOps pipeline, such as Git.
For example, you might use those guides to make sure that your app deployment includes the following capabilities.
- ✅ Has multiple replicas for high availability
- ✅ Spreads across availability zones for resiliency
- ✅ Runs on machines that are optimized for the workload
- ✅ Runs in isolation from other workloads, such as in separate namespaces
- ✅ Reschedules gracefully in case of unexpected failure, such as with liveness probes, readiness probes, and pod disruption budgets
- ✅ Saves sensitive data in secrets or encrypted storage
- ✅ Automates configuration updates and rolling upgrades
- ❌ Does not run with outdated or unsecure images or versions
- ❌ Does not take up too many resources, by setting resource requests and limits
- ❌ Does not use personally identifiable information as part of its names or other non-secure areas
Istio and Kubernetes reserved ports
For more information, see Reserved ports and pod requirements.
Use Gloo networking and policy resources to secure the traffic that reaches your app and make your apps more resilient. For example, you can implement features, such as the following:
- External authentication and authorization
- Rate limiting
- Network policies, such as mirroring, outlier detection, header manipulation, retries, timeouts, and more
- Load balancing and A/B testing
- Traffic routing, shifting, and failover
The Gloo resources that you created are automatically translated to the Istio resources that you need to enforce these policies in your Gloo workspaces, Kubernetes namespaces, and clusters.
The following guides can help you set up secure traffic policies for the apps in your cluster:
Logging and monitoring
Review the performance and health of your ingress gateway with the built-in logging and monitoring tools.
- Gateway metrics: Gloo includes a built-in Prometheus server that collects metrics of your ingress gateway proxy. With metrics, you can review the number of requests that reach your gateway and that were forwarded successfully.
- Gloo UI: Monitor the health of your gateway and review workspace, networking, and policy configurations with the Gloo UI. The Gloo UI is automatically installed with Gloo Gateway.
- Access logs: Collect and review access logs to monitor the traffic to and from individual services in your service mesh.
This data can help you monitor the health and performance of your apps, find bottlenecks, or troubleshoot issues. In particular, you might use this data to improve the following aspects of your app:
- Kubernetes resource requests and limits, replicas, and scheduling to improve pod performance.
- Gloo Gateway networking resources, such as route tables, to set up the best paths for connectivity to your apps.
- Gloo Gateway policies such as retries, timeouts, and failovers to improve resilience.