NetFoundry: Kubernetes Integration on Oracle Cloud Infrastructure

NetFoundry's zero-trust networking integrates with Oracle Cloud Infrastructure Container Engine for Kubernetes to reduce the operational burden of setting up and managing private, enterprise-grade Kubernetes clusters.

NetFoundry and Oracle recognize that connecting to your Kubernetes cluster and its ecosystem is complex, so NetFoundry allows you to connect while adhering to the following Oracle best practice design principles:

  • Secure by default: Oracle Cloud Infrastructure Container Engine for Kubernetes hardens Kubernetes clusters following enterprise security best practices.

  • Simplified Kubernetes operations: Oracle Cloud Infrastructure Container Engine for Kubernetes manages your cluster resources and automates recurrent Kubernetes administration and scaling tasks.

  • High performance: Containerized applications run on high-performance compute resources through Oracle Cloud Infrastructure's non-blocking network.

Architecture

You can deploy a NetFoundry network endpoint as a pod on your Kubernetes cluster by using a Helm chart.

You can then assign the endpoint in your NetFoundry network to host any cluster services that are reachable inside your Kubernetes cluster, such as the Kubernetes API used by kubectl, or any pod or service referenced by cluster-internal IP or cluster DNS that you want to expose to NetFoundry client endpoints.
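The design above relies on cluster services being reachable only at their cluster-internal IP or cluster DNS name, so that the NetFoundry endpoint pod is the sole path to them. The following added example (not NetFoundry's or Oracle's code) audits the JSON that `kubectl get svc -A -o json` prints, reports the cluster DNS name you would register for each overlay-only service, and flags any service that also has an external path (LoadBalancer, NodePort or externalIPs) bypassing the endpoint; the three services in the sample are constructed.

```python
import json

# Constructed sample in the shape of `kubectl get svc -A -o json` (three assumed services).
SAMPLE_SERVICES = json.dumps({
    "items": [
        {"metadata": {"name": "kubernetes", "namespace": "default"},   # the API used by kubectl
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.1",
                  "ports": [{"port": 443, "protocol": "TCP"}]}},
        {"metadata": {"name": "orders", "namespace": "shop"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.12.7",
                  "ports": [{"port": 8080, "protocol": "TCP"}]}},
        {"metadata": {"name": "admin", "namespace": "shop"},
         "spec": {"type": "LoadBalancer", "clusterIP": "10.96.30.2",
                  "ports": [{"port": 80, "protocol": "TCP"}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    ]
})

def cluster_dns_name(svc: dict) -> str:
    """Cluster DNS name a NetFoundry service definition would use as the host address."""
    m = svc["metadata"]
    return f"{m['name']}.{m['namespace']}.svc.cluster.local"

def has_external_path(svc: dict) -> bool:
    """True when the Service is reachable from outside the cluster network,
    i.e. through a path that does not go through the NetFoundry endpoint pod."""
    spec = svc["spec"]
    if spec.get("type") in ("LoadBalancer", "NodePort"):
        return True
    return bool(spec.get("externalIPs"))

def audit_services(services_json: str) -> dict:
    """Split services into overlay-only (cluster-internal) and externally reachable.
    Returns {"internal": {dns_name: [ports]}, "external": [dns_name, ...]}."""
    result = {"internal": {}, "external": []}
    for svc in json.loads(services_json)["items"]:
        name = cluster_dns_name(svc)
        if has_external_path(svc):
            result["external"].append(name)
        else:
            result["internal"][name] = [p["port"] for p in svc["spec"].get("ports", [])]
    return result

if __name__ == "__main__":
    report = audit_services(SAMPLE_SERVICES)
    for name, ports in report["internal"].items():
        print(f"overlay-only: {name} ports {ports}")
    for name in report["external"]:
        print(f"also externally reachable: {name}")
```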

The following diagram illustrates this reference architecture.

[Figure: netfoundry-kubernetes-oci.png, the reference architecture diagram]

The architecture has the following components:
  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

    All the resources in this architecture are deployed in a single region.

  • Identity Cloud Service

    Oracle Identity Cloud Service provides identity management, single sign-on (SSO), and identity governance for a wide range of SaaS and on-premises applications.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Monitoring

    The Oracle Cloud Infrastructure Monitoring service actively and passively monitors your cloud resources, using metrics to track resource health and alarms to notify you when those metrics meet the triggers you define.

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • VCN and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

    This architecture uses a single VCN, with separate subnets for the load balancer, web servers, application servers, and database.

  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Route tables

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

  • Security lists

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Container Engine for Kubernetes

    Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.