Kubernetes Zero to Hero Part 3: Enterprise Security with Akamai App & API Protection and EdgeDNS
This is the final part of our Kubernetes Zero to Hero series. In Part 1, we built observability with Prometheus and Grafana. In Part 2, we added Traefik ingress with automatic SSL. Now we're completing the journey with enterprise-grade security and global performance.
Security and performance at scale require more than what any single cluster can provide. Today, we're adding the final layer: Akamai's global edge network for DDoS protection, Web Application Firewall, API security, and intelligent DNS management. This is how you protect and accelerate applications at internet scale.
What We're Building
Completing our production platform with:
- Akamai App & API Protection for DDoS and WAF security
- EdgeDNS for intelligent global DNS with health checks
- cert-manager integration for automated certificate management
- Global performance optimization with edge caching and acceleration
- Advanced threat protection with bot management and rate limiting
- Complete observability across edge, ingress, and cluster
This is enterprise-grade infrastructure that Fortune 500 companies rely on.
Prerequisites
- Completed Part 1 and Part 2
- Akamai account with App & API Protection enabled
- Domain registered and ready for DNS delegation
- API credentials for Akamai EdgeGrid
Step 1: Setting Up Akamai EdgeDNS
First, let's configure EdgeDNS for intelligent traffic management:
Install the Akamai CLI
# Install Akamai CLI
npm install -g @akamai/cli
# Install DNS module
akamai install dns
# Configure credentials
akamai configure --section default
Create EdgeDNS Zone
# Create DNS zone configuration
cat <<EOF > edgedns-zone.json
{
"zone": "yourdomain.com",
"type": "primary",
"comment": "Production K8s cluster DNS",
"signAndServe": false
}
EOF
# Create the zone
akamai dns create-zone edgedns-zone.json
# Verify zone creation
akamai dns list-zones
Configure DNS Records
# Create A records for your services
akamai dns create-record yourdomain.com A app 300 "YOUR_LOADBALANCER_IP"
akamai dns create-record yourdomain.com A traefik 300 "YOUR_LOADBALANCER_IP"
akamai dns create-record yourdomain.com A api 300 "YOUR_LOADBALANCER_IP"
# Create health check monitors
cat <<EOF > health-check.json
{
"name": "k8s-cluster-health",
"interval": 60,
"timeout": 30,
"protocol": "HTTPS",
"port": 443,
"path": "/health",
"expectedStatusCode": 200
}
EOF
akamai dns create-healthcheck health-check.json
Step 2: Installing cert-manager with Akamai Integration
Set up automated certificate management:
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
# Wait for cert-manager to be ready
kubectl wait --for=condition=available --timeout=300s deployment/cert-manager -n cert-manager
Configure Akamai EdgeDNS Issuer
# akamai-issuer.yaml
apiVersion: v1
kind: Secret
metadata:
name: akamai-secret
namespace: cert-manager
type: Opaque
data:
# Base64 encoded Akamai EdgeGrid credentials
access_token: <BASE64_ACCESS_TOKEN>
client_token: <BASE64_CLIENT_TOKEN>
client_secret: <BASE64_CLIENT_SECRET>
host: <BASE64_HOST>
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: akamai-issuer
spec:
acme:
email: your-email@example.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: akamai-issuer-account-key
solvers:
- dns01:
webhook:
groupName: akamai.webhook.cert-manager
solverName: akamai
config:
accessTokenSecretRef:
name: akamai-secret
key: access_token
clientTokenSecretRef:
name: akamai-secret
key: client_token
clientSecretSecretRef:
name: akamai-secret
key: client_secret
hostSecretRef:
name: akamai-secret
key: host
kubectl apply -f akamai-issuer.yaml
Step 3: Configuring Akamai App & API Protection
Create Property Configuration
{
"productId": "prd_App_Performance",
"contractId": "ctr_YOUR_CONTRACT",
"groupId": "grp_YOUR_GROUP",
"propertyName": "k8s-production-app",
"hostnames": [
"app.yourdomain.com",
"api.yourdomain.com"
],
"rules": {
"name": "default",
"children": [
{
"name": "Origin",
"criteria": [],
"behaviors": [
{
"name": "origin",
"options": {
"originType": "CUSTOMER",
"hostname": "traefik.yourdomain.com",
"forwardHostHeader": "REQUEST_HOST_HEADER",
"cacheKeyHostname": "ORIGIN_HOSTNAME",
"compress": true,
"enableTrueClientIp": true,
"verificationMode": "PLATFORM_SETTINGS",
"originSni": true,
"ports": "",
"httpPort": 80,
"httpsPort": 443
}
}
]
},
{
"name": "Security",
"criteria": [],
"children": [
{
"name": "WAF Protection",
"criteria": [],
"behaviors": [
{
"name": "webApplicationFirewall",
"options": {
"configurationSet": {
"id": "YOUR_WAF_CONFIG_ID",
"name": "Production WAF Policy"
}
}
}
]
},
{
"name": "Bot Management",
"criteria": [],
"behaviors": [
{
"name": "botManagerAkamai",
"options": {
"enableBotManagement": true
}
}
]
},
{
"name": "Rate Limiting",
"criteria": [
{
"name": "path",
"options": {
"matchOperator": "MATCHES_ONE_OF",
"values": ["/api/*"]
}
}
],
"behaviors": [
{
"name": "rateLimiting",
"options": {
"rateLimitingBehavior": "DENY",
"threshold": 1000,
"window": 60
}
}
]
}
]
},
{
"name": "Performance",
"criteria": [],
"children": [
{
"name": "Caching",
"criteria": [
{
"name": "fileExtension",
"options": {
"matchOperator": "IS_ONE_OF",
"values": ["css", "js", "png", "jpg", "jpeg", "gif", "ico", "svg"]
}
}
],
"behaviors": [
{
"name": "caching",
"options": {
"behavior": "MAX_AGE",
"mustRevalidate": false,
"ttl": "7d"
}
}
]
},
{
"name": "Image Optimization",
"criteria": [
{
"name": "fileExtension",
"options": {
"matchOperator": "IS_ONE_OF",
"values": ["jpg", "jpeg", "png", "webp"]
}
}
],
"behaviors": [
{
"name": "imageManager",
"options": {
"enabled": true,
"resize": true,
"applyBestFileType": true
}
}
]
}
]
},
{
"name": "Observability",
"criteria": [],
"behaviors": [
{
"name": "realUserMonitoring",
"options": {
"enabled": true
}
},
{
"name": "cpCode",
"options": {
"value": {
"id": "YOUR_CP_CODE"
}
}
}
]
}
]
}
}
Deploy the Configuration
# Create property using Akamai CLI
akamai property create-property property-config.json
# Activate on staging
akamai property activate-property YOUR_PROPERTY_ID STAGING
# After testing, activate on production
akamai property activate-property YOUR_PROPERTY_ID PRODUCTION
Step 4: Advanced WAF Configuration
Create custom WAF rules for your applications:
{
"name": "Kubernetes App Protection",
"description": "Custom WAF rules for K8s applications",
"rules": [
{
"name": "Block SQL Injection",
"description": "Prevent SQL injection attacks",
"conditions": [
{
"type": "request_body",
"operator": "contains",
"value": "union select",
"case_sensitive": false
}
],
"action": "deny",
"response_code": 403
},
{
"name": "Block XSS Attempts",
"description": "Prevent cross-site scripting",
"conditions": [
{
"type": "query_string",
"operator": "regex_match",
"value": "<script[^>]*>.*?</script>",
"case_sensitive": false
}
],
"action": "deny",
"response_code": 403
},
{
"name": "API Rate Limiting",
"description": "Rate limit API endpoints",
"conditions": [
{
"type": "path",
"operator": "begins_with",
"value": "/api/"
}
],
"action": "rate_limit",
"rate_limit": {
"requests_per_minute": 1000,
"burst": 100
}
},
{
"name": "Admin Path Protection",
"description": "Protect admin paths",
"conditions": [
{
"type": "path",
"operator": "begins_with",
"value": "/admin"
}
],
"action": "challenge",
"challenge_type": "captcha"
}
]
}
Step 5: Kubernetes Integration with Akamai
Create operators to automate Akamai configuration:
# akamai-operator.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: akamai-operator
namespace: akamai-system
spec:
replicas: 1
selector:
matchLabels:
app: akamai-operator
template:
metadata:
labels:
app: akamai-operator
spec:
serviceAccountName: akamai-operator
containers:
- name: operator
image: akamai/k8s-operator:latest
env:
- name: AKAMAI_CLIENT_TOKEN
valueFrom:
secretKeyRef:
name: akamai-credentials
key: client_token
- name: AKAMAI_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: akamai-credentials
key: client_secret
- name: AKAMAI_ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: akamai-credentials
key: access_token
- name: AKAMAI_HOST
valueFrom:
secretKeyRef:
name: akamai-credentials
key: host
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
cpu: 200m
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: akamai-operator
namespace: akamai-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: akamai-operator
rules:
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["akamai.com"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: akamai-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: akamai-operator
subjects:
- kind: ServiceAccount
name: akamai-operator
namespace: akamai-system
Create Custom Resource Definitions
# akamai-property-crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: akamaiproperties.akamai.com
spec:
group: akamai.com
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
hostname:
type: string
origin:
type: object
properties:
hostname:
type: string
port:
type: integer
waf:
type: object
properties:
enabled:
type: boolean
policy:
type: string
caching:
type: object
properties:
enabled:
type: boolean
ttl:
type: string
status:
type: object
properties:
phase:
type: string
propertyId:
type: string
version:
type: integer
scope: Namespaced
names:
plural: akamaiproperties
singular: akamaiproperty
kind: AkamaiProperty
Step 6: Application-Level Integration
Configure your applications to work optimally with Akamai:
# optimized-app-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: optimized-web-app
namespace: default
annotations:
akamai.com/property: "app.yourdomain.com"
akamai.com/waf-policy: "strict"
spec:
replicas: 5
selector:
matchLabels:
app: optimized-web-app
template:
metadata:
labels:
app: optimized-web-app
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9113"
spec:
containers:
- name: web-app
image: nginx:1.21-alpine
ports:
- containerPort: 80
env:
- name: AKAMAI_EDGE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/conf.d
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 256Mi
cpu: 200m
livenessProbe:
httpGet:
path: /health
port: 80
httpHeaders:
- name: Host
value: app.yourdomain.com
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 80
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: nginx-config
configMap:
name: optimized-nginx-config
---
apiVersion: v1
kind: ConfigMap
metadata:
name: optimized-nginx-config
namespace: default
data:
default.conf: |
server {
listen 80;
server_name app.yourdomain.com;
# Security headers (complementing Akamai)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Cache control for static assets
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
expires 1y;
add_header Cache-Control "public, immutable";
add_header Vary "Accept-Encoding";
}
# API endpoints with rate limiting hints
location /api/ {
add_header X-RateLimit-Limit "1000" always;
proxy_pass http://backend-service;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Health checks
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
location /ready {
access_log off;
return 200 "ready\n";
add_header Content-Type text/plain;
}
# Main application
location / {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /index.html;
# Enable compression
gzip on;
gzip_types text/css application/javascript application/json text/plain;
}
}
Step 7: Monitoring and Observability Integration
Integrate Akamai metrics with your monitoring stack:
# akamai-metrics-exporter.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: akamai-exporter
namespace: monitoring
spec:
replicas: 1
selector:
matchLabels:
app: akamai-exporter
template:
metadata:
labels:
app: akamai-exporter
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
spec:
containers:
- name: exporter
image: akamai/prometheus-exporter:latest
ports:
- containerPort: 8080
name: metrics
env:
- name: AKAMAI_CLIENT_TOKEN
valueFrom:
secretKeyRef:
name: akamai-credentials
key: client_token
- name: AKAMAI_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: akamai-credentials
key: client_secret
- name: AKAMAI_ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: akamai-credentials
key: access_token
- name: AKAMAI_HOST
valueFrom:
secretKeyRef:
name: akamai-credentials
key: host
resources:
requests:
memory: 64Mi
cpu: 50m
limits:
memory: 128Mi
cpu: 100m
---
apiVersion: v1
kind: Service
metadata:
name: akamai-exporter
namespace: monitoring
labels:
app: akamai-exporter
spec:
ports:
- port: 8080
targetPort: 8080
name: metrics
selector:
app: akamai-exporter
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: akamai-exporter
namespace: monitoring
spec:
selector:
matchLabels:
app: akamai-exporter
endpoints:
- port: metrics
interval: 30s
path: /metrics
Custom Akamai Alerts
# akamai-alerts.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: akamai-alerts
namespace: monitoring
labels:
prometheus: kube-prometheus
role: alert-rules
spec:
groups:
- name: akamai.rules
rules:
- alert: AkamaiHighErrorRate
expr: akamai_requests_total{status=~"5.."} / akamai_requests_total > 0.05
for: 5m
labels:
severity: critical
annotations:
summary: "High error rate on Akamai edge"
description: "Error rate is above 5% for {{ $labels.hostname }}"
- alert: AkamaiCacheHitRateLow
expr: akamai_cache_hit_ratio < 0.8
for: 10m
labels:
severity: warning
annotations:
summary: "Low cache hit ratio"
description: "Cache hit ratio is below 80% for {{ $labels.hostname }}"
- alert: AkamaiWAFBlocks
expr: increase(akamai_waf_blocks_total[5m]) > 100
for: 2m
labels:
severity: warning
annotations:
summary: "High WAF block rate"
description: "WAF is blocking >100 requests in 5 minutes for {{ $labels.hostname }}"
- alert: AkamaiOriginConnectFailure
expr: akamai_origin_connect_failures_total > 0
for: 1m
labels:
severity: critical
annotations:
summary: "Origin connection failures"
description: "Akamai cannot connect to origin {{ $labels.origin }}"
Step 8: Disaster Recovery and Failover
Configure intelligent failover with EdgeDNS:
# Create failover configuration
cat <<EOF > failover-config.json
{
"name": "k8s-failover",
"type": "failover",
"ttl": 60,
"targets": [
{
"target": "primary.yourdomain.com",
"weight": 100,
"enabled": true,
"handoutMode": "normal"
},
{
"target": "secondary.yourdomain.com",
"weight": 0,
"enabled": true,
"handoutMode": "backup"
}
],
"healthCheck": {
"protocol": "HTTPS",
"port": 443,
"path": "/health",
"timeout": 10,
"interval": 60
}
}
EOF
# Apply failover configuration
akamai dns create-recordset yourdomain.com failover-config.json
Step 9: Performance Testing and Optimization
Test your complete setup:
# Install siege for comprehensive testing
kubectl create configmap siege-config --from-literal=urls.txt='
https://app.yourdomain.com/
https://app.yourdomain.com/api/health
https://app.yourdomain.com/static/app.js
https://app.yourdomain.com/static/style.css
'
# Run performance test
kubectl run siege --image=yokogawa/siege --rm -i --restart=Never -- \
siege -c 50 -t 10m -f /config/urls.txt --mount configMap:siege-config:/config
# Monitor during test
kubectl top nodes
kubectl top pods -A
Global Performance Validation
# Test from multiple regions using curl
REGIONS=("us-east-1" "eu-west-1" "ap-southeast-1")
for region in "${REGIONS[@]}"; do
echo "Testing from $region:"
aws ec2 run-instances --region $region --instance-type t3.micro \
--image-id ami-0abcdef1234567890 --user-data '#!/bin/bash
yum update -y
yum install -y curl
for i in {1..10}; do
curl -w "@curl-format.txt" -o /dev/null -s https://app.yourdomain.com/
sleep 1
done' --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=perf-test}]'
done
Step 10: Final Production Checklist
Security Validation
- WAF rules tested and tuned
- Bot management configured
- Rate limiting verified
- SSL certificates auto-renewing
- Security headers implemented
Performance Validation
- Cache hit ratio >80%
- Global latency <200ms
- Image optimization enabled
- Compression working
- CDN fully populated
Observability Validation
- All metrics flowing to Prometheus
- Dashboards populated
- Alerts firing correctly
- Log aggregation working
- Health checks passing
Disaster Recovery
- Failover tested
- Backup procedures documented
- Recovery time objectives met
- Data replication verified
Production Best Practices
1. Security Hardening
# Network policies for Akamai integration
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: akamai-ingress-policy
namespace: default
spec:
podSelector:
matchLabels:
app: web-app
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 80
2. Resource Optimization
- Monitor and tune cache ratios
- Optimize image delivery
- Use appropriate TTLs
- Implement smart prefetching
3. Cost Management
- Monitor Akamai usage
- Optimize traffic patterns
- Use appropriate service levels
- Regular cost reviews
Troubleshooting Guide
Common Issues and Solutions
SSL Certificate Problems
# Check certificate status
kubectl describe certificate your-cert -n cert-manager
kubectl logs -n cert-manager deployment/cert-manager
Origin Connectivity Issues
# Test origin connectivity
kubectl run debug --image=nicolaka/netshoot --rm -it -- /bin/bash
# From inside: curl -H "Host: app.yourdomain.com" http://traefik.traefik.svc.cluster.local
WAF False Positives
# Check WAF logs in Akamai Control Center
# Tune rules based on application behavior
# Use staging environment for testing
What We've Accomplished
Over this three-part series, we've built a production-ready Kubernetes platform with:
Part 1: Observability Foundation
- Prometheus for comprehensive metrics collection
- Grafana for visualization and dashboards
- AlertManager for intelligent notifications
- Complete monitoring of cluster and applications
Part 2: Intelligent Ingress
- Traefik for automatic service discovery
- Let's Encrypt for SSL automation
- Advanced routing with middleware
- Blue-green deployments for zero downtime
Part 3: Enterprise Security & Performance
- Akamai App & API Protection for global security
- EdgeDNS for intelligent traffic management
- WAF and DDoS protection at internet scale
- Global performance optimization with edge caching
The Complete Architecture
┌─────────────────────────────────────────────────────────────┐
│ Global Edge Network │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐│
│ │ Akamai WAF │ │ Bot Mgmt │ │ DDoS Protect ││
│ │ & Security │ │ & Rate Limit │ │ & Caching ││
│ └─────────────────┘ └─────────────────┘ └─────────────────┘│
└─────────────────────────┬───────────────────────────────────┘
│
┌─────────────────────────▼───────────────────────────────────┐
│ EdgeDNS Layer │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐│
│ │ Health Checks │ │ Failover │ │ Load Balancing ││
│ │ & Monitoring │ │ & DR │ │ & GTM ││
│ └─────────────────┘ └─────────────────┘ └─────────────────┘│
└─────────────────────────┬───────────────────────────────────┘
│
┌─────────────────────────▼───────────────────────────────────┐
│ Kubernetes Cluster │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐│
│ │ Traefik │ │ Applications │ │ Monitoring ││
│ │ Ingress + │ │ + Services │ │ Prometheus ││
│ │ Auto SSL │ │ + Storage │ │ + Grafana ││
│ └─────────────────┘ └─────────────────┘ └─────────────────┘│
└─────────────────────────────────────────────────────────────┘
Conclusion
You've now mastered the complete journey from zero to production-ready Kubernetes hero. This enterprise-grade platform provides:
- Global scale and performance with Akamai's edge network
- Enterprise security with WAF, DDoS protection, and bot management
- Automatic operations with SSL, DNS, and certificate management
- Complete observability from edge to cluster to application
- High availability with intelligent failover and disaster recovery
This isn't just a learning exercise—this is how Fortune 500 companies run their critical applications. You now have the knowledge and tools to build, secure, and operate Kubernetes at internet scale.
The combination of Kubernetes orchestration, Traefik ingress automation, Prometheus observability, and Akamai's global edge creates a platform that can handle anything the internet throws at it while maintaining security, performance, and reliability.
Congratulations—you're now a Kubernetes hero! 🦸♂️
Alexander Cedergren is a Solutions Engineer specializing in Kubernetes, edge computing, and enterprise cloud security. This series represents real-world experience building platforms that scale to millions of users.