K8s and DMZ hosting

Hi everyone, I would like to get everyone’s thoughts on how to secure K8s when hosting in the cloud with external- and internal-facing apps on a single K8s cluster.

The story goes that our security team is doing a review of our K8s cluster and app design in the cloud. We’ve only recently started migrating our on-prem apps to the cloud, onto K8s. Traditionally we have been using VMs for apps, and our network design has always centred around a 2-tier DMZ with front and back firewalls before reaching the internal network. We would place our web front ends in the DMZ and then the app and DBs on the internal network.

Now with the move to the cloud and K8s we are at opposites on how we should design our K8s clusters. Our plan was to have WAF → Firewall → K8s ingress → K8s cluster, and we’d have namespaces for running different services for segregation/isolation. Or we could add something like an additional AppGateway to make it WAF → Firewall → AppGateway → K8s ingress → K8s cluster.

Our apps hosted on K8s will serve internal users and external users. At the extreme end we could possibly have 2 K8s clusters, one behind the other: we would host the front-end service on the cluster behind the firewall, and it would pass the traffic to another cluster which contains the app services, with the DBs behind that, but this doesn’t seem too practical.

I’d appreciate it if anyone can share some thoughts.

Has anyone encountered a similar dilemma, and how did you go about the setup?
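An added example, not part of the original post, showing one way to rebuild the two-tier DMZ inside a single cluster. Namespaces on their own do not restrict traffic: in the default Kubernetes network model every pod can reach every other pod, across namespaces, so the segregation the post is after comes from NetworkPolicy objects enforced by the cluster's CNI, not from the namespace boundary. The manifests below use hypothetical names (namespaces web, app and db, an ingress controller in ingress-nginx, tier labels on the pods, CoreDNS labelled k8s-app=kube-dns in kube-system) and assumed ports 8080 and 5432; adjust them to the real workloads.

```yaml
# Added example; not code from the original post. These NetworkPolicy
# objects rebuild the on-prem two-tier DMZ (web -> app -> db) inside one
# cluster. Hypothetical names: namespaces web, app and db; the ingress
# controller in namespace ingress-nginx; pods labelled tier=web/app/db;
# CoreDNS pods labelled k8s-app=kube-dns in kube-system.
# kubernetes.io/metadata.name is stamped on every namespace by the API
# server (Kubernetes 1.22+), so namespaces can be selected by name.
---
# Default deny, applied identically in the web, app and db namespaces:
# an empty podSelector matches every pod, and listing both policy types
# with no rules leaves no traffic allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: web
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Front tier (the old DMZ): only the ingress controller may reach it,
# and it may only open connections to the app tier and to DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-tier
  namespace: web
spec:
  podSelector:
    matchLabels: {tier: web}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: ingress-nginx}
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: app}
          podSelector:
            matchLabels: {tier: app}
      ports: [{protocol: TCP, port: 8080}]
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
# App tier (the old internal network): accepts only the web tier and may
# only reach the database tier and DNS. Internal users never hit this
# namespace directly; they come through the same front tier.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-tier
  namespace: app
spec:
  podSelector:
    matchLabels: {tier: app}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: web}
          podSelector:
            matchLabels: {tier: web}
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: db}
          podSelector:
            matchLabels: {tier: db}
      ports: [{protocol: TCP, port: 5432}]
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
# Database tier: accepts only the app tier. This policy lists Ingress
# only, so egress stays fully denied by the default-deny in this namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-tier
  namespace: db
spec:
  podSelector:
    matchLabels: {tier: db}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: app}
          podSelector:
            matchLabels: {tier: app}
      ports: [{protocol: TCP, port: 5432}]
```

If the databases are managed services outside the cluster, replace the db namespaceSelector in the app-tier egress rule with an ipBlock entry carrying the database subnet. Verify enforcement before relying on it: the API server stores NetworkPolicy objects whether or not the CNI enforces them, so `kubectl exec` into a web pod and attempt a direct connection to a db pod; if it succeeds, the cluster is not running a policy-enforcing CNI and the namespaces are not providing any segregation yet.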