| - Appliance with hardened OS
| - Secured container images and restricted permissions
- Data plane mode
- Sidecar
- Kubernetes Gateway API
|
| - Load balancing
- Back-end failover
- Self-healing nurses
- External checks are possible
These functionalities are built-in, except for the external checks. | - Load balancing
- Failover to upstream service
- Readiness and Liveness Probe endpoints
Kubernetes built-in functionalities are used. Microgateway supports the required integration. |
| | - Kubernetes CRs (Custom Resources)
|
| | - Yes, with common Kubernetes tools.
|
| - Partly
- A script to bootstrap the Gateway through REST API can be created and stored in Git.
| |
| | - Zero Trust
- Perimeter security with Kubernetes Gateway API
|
| - Suited best to the following change frequencies:
- moderate
- infrequent
| - Suited for any change frequency:
- frequent
- moderate
- infrequent
|
| - All web applications are protected with the same Airlock Gateway.
The same Airlock Gateway version is used for all web applications. | - Data plane mode
- Sidecar:
Same version for web applications in the same namespace. - Kubernetes Gateway API:
Web applications could share same Airlock Microgateway or use a dedicated version.
|
Bundle web application with Airlock | Because Airlock Gateway is shared, at least the Gateway version can not be bundled to a particular web application version. | Bundling a certain Airlock Microgateway configuration with a particular web application is possible. |
Configuration maintained by | | - Security team
- Project team
- Developers
Shared responsibility. |
Enforcing security settings (baseline security) | - Restricted access to configure Airlock Gateway
| - Policies for 3rd party tools like Open Policy Agent Gatekeeper, Kyverno or Kubewarden enforce certain Airlock Microgateway settings.
- With RBAC in Kubernetes, access to certain CustomResources can be restricted.
The security team can enforce settings and control who has access to which Custom Resources in case different teams maintain the configuration. |
| - Centralized in the security team.
| Depending on team responsibilities and processes the security policies can be configured in a centralized or decentralized way (or even a mix of it). Based on that, the required know how must be present in those teams: - Centralized in the security team.
- Decentralized in many teams.
Must likely the security team is still responsible for the overall security, also if the policies are configured decentralized in the teams. But in such case security know-how must also be present in other teams as well. The security team enables them with templates, guidelines and education. |
| - Ticketing
- Maintenance Windows
| |