Infrastructure

Exercise 1: NGINX Ingress Controller

In this lab, NGINX Ingress Controller (IC) is hosted in namespaces owned by Infra Ops; this kind of namespace is called an infrastructure namespace. An infrastructure namespace can host one or several ICs. Each IC is associated with a unique Ingress Class name. An infrastructure namespace can therefore offer several Ingress Classes to Applications, for example “silver”, “gold” and “platinum”.

Why different Ingress Classes? Because each Ingress Class can offer a different service level or be managed by a different Infra Ops team, for example: ADC, API GW, WAF, open source, supported, SRE team for digital factory etc.

In order to be published, an Application has to select an Ingress Class. However, an Application hosted in its own namespace cannot use every existing Ingress Class, because an Ingress Class can watch all or only some applicative namespaces. For example, an infrastructure namespace dedicated to non-production should only watch non-production applicative namespaces.
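The scoping rule above can be checked against the cluster. The following is an added example, not part of the original lab: it audits the JSON returned by `kubectl get ingresses -A -o json` against the namespaces each Ingress Class is meant to watch. The sample data, the `dev-arcadia` namespace and the class-to-namespace mapping are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get ingresses -A -o json`.
# "dev-arcadia" is a hypothetical non-production namespace.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "lab1-arcadia", "name": "arcadia"},
  "spec": {"ingressClassName": "gold"}},
 {"metadata": {"namespace": "dev-arcadia", "name": "arcadia-dev",
               "annotations": {"kubernetes.io/ingress.class": "gold"}},
  "spec": {}},
 {"metadata": {"namespace": "dev-arcadia", "name": "arcadia-api"},
  "spec": {"ingressClassName": "silver"}},
 {"metadata": {"namespace": "lab1-arcadia", "name": "orphan"},
  "spec": {}}
]}
""")

# Assumed policy: the namespaces each Ingress Class is meant to watch.
# "*" means the IC behind that class watches every namespace.
WATCH_SCOPE = {"gold": {"lab1-arcadia"}, "silver": {"dev-arcadia"}}


def ingress_class(item):
    """Return the class from spec.ingressClassName or the legacy annotation."""
    cls = item.get("spec", {}).get("ingressClassName")
    if cls:
        return cls
    annotations = item["metadata"].get("annotations") or {}
    return annotations.get("kubernetes.io/ingress.class")


def audit(ingress_list, watch_scope):
    """List (namespace, name, class, reason) for Ingresses outside policy."""
    findings = []
    for item in ingress_list.get("items", []):
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        cls = ingress_class(item)
        if cls is None:
            findings.append((ns, name, None, "no ingress class set"))
        elif cls not in watch_scope:
            findings.append((ns, name, cls, "unknown ingress class"))
        elif "*" not in watch_scope[cls] and ns not in watch_scope[cls]:
            findings.append((ns, name, cls, "namespace outside class watch scope"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, WATCH_SCOPE):
        print(finding)
```

A finding of the third kind means an Application selected a class whose IC is not supposed to serve its namespace, which is worth reviewing on both the application and the infrastructure side.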

Two IC instances, with the App Protect module embedded, have already been built on Jumphost following this guide and deployed using Helm.

  • Show Arcadia application published by IC facing Internet

kubectl get ingresses -n lab1-arcadia

Capture The Flag

1.1 What is the version of deployed IC? | Tips: NGINX Ingress Controller image’s tag contains: {{IC version}}-{{last update of WAF signature}}. Use docker commands to show images

1.2 What is the ingress-class name of the IC instance accessible from Internet?

1.3 What is the Helm configuration parameter to limit Namespace(s) to watch? | Tips: Configuration parameter for NGINX Ingress Controller here

Exercise 2: NGINX+ API

NGINX Plus includes a real‑time activity monitoring interface that provides key load and performance metrics. Using a simple RESTful JSON interface, it’s very easy to connect these stats to live dashboards and third‑party monitoring tools.

  • On Jumphost, get an IC POD’s name

kubectl get pods -n external-ingress-controller

output

NAME                                              READY   STATUS    RESTARTS   AGE
nap-external-ingress-controller-7576b65b4-ps4ck   1/1     Running   0          8d

  • Get an IC POD’s IP. Replace {{POD_name}}

kubectl describe pod -n external-ingress-controller {{POD_name}} | grep IP

output

IP:           10.1.1.18

  • Query the NGINX Plus API on the POD’s IP. Replace {{POD_ip}}

curl {{POD_ip}}:8080/api/6/nginx/

Capture The Flag

2.1 Which build of NGINX is used by IC?

Extra time: NGINX+ dashboard

  • For Windows Users:
    • In your SSH client, configure SSH port forwarding on the Jumphost session as described here
    • On your web browser, connect to http://127.1.1.1/dashboard.html
  • For Mac Users:
    • Run the command below

    • Replace {{IC_POD_IP}} with the IP address found in exercise 6 above

    • Replace {{site_ID}} and {{region}} with your allocated site ID and Azure region.

    ssh -L 8090:{{IC_POD_IP}}:8080 -i jumphost.key cyber@jumphost-aksdistrict{{site_ID}}.{{region}}.cloudapp.azure.com
    
    • On your browser, connect to http://127.0.0.1:8090/dashboard.html