Network traffic
Review your options to secure the network traffic in your cluster.
Gloo Network policies
With Gloo policies, you can enforce strict network-level isolation for Layer 3 and Layer 4 traffic in your cluster and define the services that are allowed to talk to each other. By leveraging the Linux kernel technology eBPF, packets are dropped before they reach your app. For more information, see Control network traffic with policies.
RBAC policies
You can use Kubernetes RBAC policies to grant access to Kubernetes and Gloo resources in your cluster. With RBAC policies, you can control who can manage and change your Kubernetes and Gloo setup. For more information, see User access.
Multitenancy with Gloo workspaces
Use Gloo workspaces to define the boundary of Kubernetes resources that your team has access to. These resources can be spread across namespaces or clusters. Gloo Network policies are automatically translated and applied within the workspace's boundaries. You can optionally turn on service isolation to prevent services from one workspace to be able to communicate with services in a different workspace. For more information, see Multitenancy with workspaces.
Defense-in-depth architecture with Gloo Mesh Enterprise
When using Gloo Network with a service mesh that is managed by Gloo Mesh Enterprise, you can create a multi-layer defense mechanism that protects your apps from being compromised. Gloo Mesh offers a variety of Layer 7 traffic policies that you can apply to your service mesh in addition to the Layer 3/4 network policies that Gloo Network offers to increase the security posture of your apps. For example, you can create L7 policies such as external auth, rate limiting, fault injection, outlier detection, retries, timeouts, mirroring, transformation, WAF, Wasm, and more. By combining both worlds, you can address many different attack vectors. If one layer is compromised, your apps are still protected by policies that are enforced on other layers. For more information about Gloo Mesh, see About Gloo Mesh.
Ingress traffic
You can use Gloo Network in combination with Gloo Gateway to unlock a variety of security features that help you secure incoming traffic into your cluster. The gateway is configured for HTTPS traffic by default, and you have the option to add other security capabilities, such as authentication and authorization for your apps, rate limiting, Web Application Firewalls (WAF), and traffic policies, such as timeouts, retries, outlier detection, mirroring, header manipulation, or custom Web Assembly filters.
Gloo Gateway offers a variety of options to ensure external requests are authenticated and authorized before the request is forwarded to an app in your cluster. For example, you can set up basic, passthrough, API key, OAuth, or OPA authentication. You can also integration with company's LDAP provider to sync user logins with your company's directory.
For more information, see About Gloo Gateway.
Other tools
Besides the workloads that you deploy to your cluster, your app design, container platform, and underlying infrastructure provider all impact the security posture of your apps. Refer to the following links to learn more about how to further secure the network in your cluster.