NetFoundry: Kubernetes Integration on Oracle Cloud Infrastructure

NetFoundry's zero-trust networking integrates with OCI Kubernetes Engine to reduce the operational burden of setting up and managing private, enterprise-grade Kubernetes clusters.

NetFoundry and Oracle recognize that connecting to your Kubernetes cluster and its ecosystem is complex. NetFoundry lets you make that connection while adhering to the following Oracle best-practice design principles:

  • Secure by default: OCI Kubernetes Engine hardens Kubernetes clusters following enterprise security best practices.

  • Simplified Kubernetes operations: OCI Kubernetes Engine manages your cluster resources and automates recurrent Kubernetes administration and scaling tasks.

  • High performance: Containerized applications run on high-performance compute resources through Oracle Cloud Infrastructure's non-blocking network.

Customer Story

Learn more about NetFoundry and Oracle Cloud Infrastructure Kubernetes Engine on Oracle Cloud:

Architecture

You can deploy a NetFoundry network endpoint as a pod on your Kubernetes cluster by using a Helm chart.

You can then assign the endpoint in your NetFoundry network to host any service that is reachable inside your Kubernetes cluster: the Kubernetes API used by kubectl, or any pod or service referenced by cluster-internal IP or cluster DNS that you want to expose to NetFoundry client endpoints.

The following diagram illustrates this reference architecture.

[Diagram: netfoundry-kubernetes-oci.png]

The architecture has the following components:
  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

    All the resources in this architecture are deployed in a single region.

  • Identity Cloud Service

    Oracle Identity Cloud Service provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for certain risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Monitoring

    Oracle Cloud Infrastructure Monitoring actively and passively monitors your cloud resources, and uses alarms to notify you when metrics meet specified triggers.

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain shouldn't affect the other availability domains in the region.

  • VCN and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

    This architecture uses a single VCN, with separate subnets for the load balancer, web servers, application servers, and database.

  • Internet gateway

    An internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Route tables

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Security lists

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that is allowed in and out of the subnet.

  • Kubernetes Engine

    Oracle Cloud Infrastructure Kubernetes Engine (OCI Kubernetes Engine or OKE) is a fully-managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Kubernetes Engine provisions them on Oracle Cloud Infrastructure in an existing tenancy. OKE uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.
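In this architecture the Kubernetes API and cluster services are reached through the NetFoundry endpoint pod, so the subnet security lists described above should not need ingress rules that admit the API port from outside the VCN. The check below is an added example, not Oracle's or NetFoundry's code; it assumes the OCI CLI's JSON shape for a security list (`ingress-security-rules`, `source`, `source-type`, `protocol`, `tcp-options`), the standard Kubernetes API port 6443, and a constructed sample security list.

```python
"""Check an OCI security list for ingress rules that admit the Kubernetes API port
from outside the VCN; with the NetFoundry endpoint pod fronting the API, none are needed."""
import ipaddress

K8S_API_PORT = 6443  # standard Kubernetes API server port (assumed for this check)
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule_admits_port(rule: dict, port: int) -> bool:
    """True if the rule's protocol and TCP destination range include `port`."""
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True
    if proto != "6":  # IANA protocol number 6 is TCP
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not rng:  # a missing range means every destination port
        return True
    return rng["min"] <= port <= rng["max"]


def source_is_outside_vcn(rule: dict) -> bool:
    """True when the source is a CIDR that is not inside an RFC 1918 range."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # SERVICE_CIDR_BLOCK sources are OCI services, not the internet
    net = ipaddress.ip_network(rule["source"], strict=False)
    return not any(net.version == 4 and net.subnet_of(p) for p in RFC1918)


def find_exposed_api_rules(security_list: dict, port: int = K8S_API_PORT) -> list:
    """Return ingress rules that would let non-VCN sources reach `port`."""
    return [r for r in security_list.get("ingress-security-rules", [])
            if rule_admits_port(r, port) and source_is_outside_vcn(r)]


# Constructed sample in the shape of `oci network security-list get` output.
SAMPLE = {"ingress-security-rules": [
    {"source": "10.0.0.0/16", "source-type": "CIDR_BLOCK", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 6443, "max": 6443}}},
    {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 6443, "max": 6443}}},
    {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "1"},  # ICMP only
    {"source": "all-services-in-oracle-services-network",  # constructed label
     "source-type": "SERVICE_CIDR_BLOCK", "protocol": "all"},
]}

if __name__ == "__main__":
    for r in find_exposed_api_rules(SAMPLE):
        print(f"Kubernetes API port {K8S_API_PORT} reachable from {r['source']}")
```

Run it against the output of `oci network security-list get` for each cluster subnet; any rule it reports is an inbound path to the API that bypasses the NetFoundry endpoint.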