Meet the Humanitec Agent, the newest addition to our security suite. This new feature acts as a bridge between the Humanitec Platform Orchestrator and private networks. It’s a simple yet powerful tool that paves the way for advanced security scenarios by giving you control over network traffic and ensuring compliance with security guidelines for access management.
Following several months of beta testing, we’re excited to announce the Agent as a robust and dependable solution that’s now ready for production use.
The Humanitec Agent at your service
The Agent is driven by the need to restrict access to internal resources such as clusters or databases. In its default mode, the Platform Orchestrator deploys workloads with their dependencies directly into the target network and requires a publicly accessible endpoint. This is a concern for teams that prefer not to expose certain endpoints to the public internet. The Agent addresses this challenge by supporting private networks: it establishes a secure tunnel between the user’s network and Humanitec’s servers, ensuring connectivity to the systems the Platform Orchestrator needs access to.
The Agent provides security teams with complete control over which external services have access to specific endpoints, reinforcing security measures within your Internal Developer Platform (IDP).
The Agent in a nutshell
Our developer documentation provides helpful guidance on the Agent’s inner workings, a series of frequently asked questions, and it’s where you can find an installation guide. Below is a brief summary, offering a high-level overview of the agent's functionality.
Setting the scene
By default, the Platform Orchestrator deploys your application and its dependencies directly to the target network through a public endpoint, as illustrated below.
For private networks
When dealing with resources in private networks, the Agent is installed as a container image within your network. It establishes a secure communication tunnel, allowing it to call out from the network to the Platform Orchestrator and forward any requests to the cluster.
From the developer’s perspective, the deployment process remains unchanged and mirrors that of public clusters. The only change is the rerouting of traffic through the Agent.
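The call-out pattern described above, as an added illustration that is not Humanitec’s code and makes no claim about the Agent’s actual protocol: three roles are simulated on loopback (a private service standing in for a cluster API, a publicly reachable orchestrator, and an agent inside the private network). The agent is the only side that opens a connection, dialing outbound to the orchestrator; the orchestrator then rides that connection to deliver requests, and the agent relays them only to targets on its allow-list. The one-line-per-message framing, the class names and the non-allow-listed address `10.0.0.99:6443` are constructed for the example.

```python
"""Toy model of an outbound-initiated ("call-out") tunnel.

PrivateService - stands in for a cluster API that must stay unreachable
                 from the public internet.
Orchestrator   - the publicly reachable control plane; it never dials into
                 the private network, it only accepts the agent's connection.
Agent          - runs inside the private network, dials OUT to the
                 orchestrator, then relays requests it receives over that
                 connection to an allow-listed internal target.
The framing (one newline-terminated message per request) is constructed for
this example and is not Humanitec's protocol.
"""
import socket
import threading

HOST = "127.0.0.1"  # everything runs on loopback; the topology is the point


def send_line(sock, text):
    sock.sendall(text.encode() + b"\n")


def recv_line(sock):
    """Read one newline-terminated message; None when the peer hangs up."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf.decode().rstrip("\n")


def listen():
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))  # port 0: let the OS pick a free port
    srv.listen()
    return srv


class PrivateService:
    """Stand-in for a cluster API inside the private network."""

    def __init__(self):
        self.srv = listen()
        self.addr = "%s:%d" % self.srv.getsockname()
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                req = recv_line(conn)
                if req is not None:
                    send_line(conn, "applied " + req)


class Orchestrator:
    """Public control plane: accepts the agent's call-out, never dials inward."""

    def __init__(self):
        self.srv = listen()
        self.addr = "%s:%d" % self.srv.getsockname()
        self.tunnel = None

    def wait_for_agent(self):
        self.srv.settimeout(5)
        self.tunnel, _ = self.srv.accept()
        self.tunnel.settimeout(5)

    def deploy(self, target, manifest):
        # The request rides the connection the agent opened; the orchestrator
        # has no route of its own into the private network.
        send_line(self.tunnel, "DEPLOY %s %s" % (target, manifest))
        return recv_line(self.tunnel)


class Agent:
    """Inside the private network; the only party that opens a connection."""

    def __init__(self, orchestrator_addr, allowed_targets):
        self.orchestrator_addr = orchestrator_addr
        self.allowed = set(allowed_targets)

    def start(self):
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        host, port = self.orchestrator_addr.rsplit(":", 1)
        tunnel = socket.create_connection((host, int(port)))  # outbound only
        with tunnel:
            while True:
                msg = recv_line(tunnel)
                if msg is None:
                    return
                send_line(tunnel, self._handle(msg))

    def _handle(self, msg):
        parts = msg.split(" ", 2)
        if len(parts) != 3 or parts[0] != "DEPLOY":
            return "ERROR malformed request"
        _, target, manifest = parts
        # Allow-list check: the agent refuses to become a relay to arbitrary
        # internal addresses, which is the control the text describes.
        if target not in self.allowed:
            return "DENIED %s is not an allow-listed target" % target
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as inner:
            send_line(inner, manifest)
            return recv_line(inner) or "ERROR empty reply"


def run_demo():
    cluster = PrivateService()
    orch = Orchestrator()
    Agent(orch.addr, allowed_targets=[cluster.addr]).start()
    orch.wait_for_agent()
    ok = orch.deploy(cluster.addr, "workload=api,replicas=3")
    # Hypothetical address that is NOT on the allow-list; the agent never dials it.
    denied = orch.deploy("10.0.0.99:6443", "workload=api,replicas=3")
    return ok, denied


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The property worth checking in a real deployment is the same one the toy shows: the private side has no inbound listener for the control plane to reach, so the firewall rule it needs is outbound-only, and the agent's target list is where the "which services may reach which endpoints" control from the text lives.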
How the Agent fits in
While exploring Humanitec’s security-related features and extensions, you may have come across the Humanitec Operator, which offers control and flexibility in managing secrets. While both the Operator and the Agent are components of Humanitec’s security suite, they serve different use cases and can be used independently:
- Humanitec Operator (secrets management): Allows you to store secrets in your own secrets store instead of the default store used by the Humanitec SaaS solution.
- Humanitec Agent (network access): Enables you to control network access to internal resources such as clusters and databases.
If you’ve been conceptualizing different architecture approaches for cluster management in this context, you might be asking yourself how the Agent fits into all of this.
Direct Cluster mode with the Agent
Direct Cluster mode describes the default operating mode for the Platform Orchestrator. In this setup, the Operator isn’t installed, so the Humanitec Platform Orchestrator securely stores any secrets an Application needs in a separate, internal secret store. Deployments take place directly to the cluster by default or, alternatively, as illustrated below, via the Agent into a secure network.
If you’re interested in making use of the Agent to provision resources via internal systems, please reach out to us. This capability is currently under development and not yet available for public use.
Operator mode with the Agent
In this mode, deployments are managed by the Operator, which sits inside the target cluster. The Platform Orchestrator passes on a set of Kubernetes custom resources, either directly to the Operator or, as illustrated below, through a secure tunnel enabled by the Agent. The Operator receives the custom resources and completes the remaining rendering stages by retrieving secrets and calling drivers.
Get started now
We hope you enjoy exploring the new feature and if you have questions or need any help, please get in touch. Our team is always here to make sure you have the best experience.