This repository has been archived by the owner on Jan 10, 2024. It is now read-only.

DEPRECATED

This repository was archived on 2023-07-27. It is no longer maintained because there is now a cloud-native alternative to protect your Kubernetes workload: Airlock Microgateway. If you continue to use Airlock Gateway, consider automating its configuration using the Airlock Gateway REST API.

Introduction

To use Airlock WAF as a reverse proxy without human interaction in a Kubernetes or OpenShift environment, we recommend the following:

  • place Airlock WAF in front of the Kubernetes or OpenShift environment
  • use Ingress in the case of Kubernetes, or Route in the case of OpenShift
  • listen for Ingress or Route events and create an Airlock WAF configuration via the REST API
  • use metadata annotations and a ConfigMap for parameterization

Blueprint

The demo application listens for Ingress and Route events. It builds and activates a new Airlock WAF configuration using the Airlock WAF REST API, and it runs inside a Pod on a Kubernetes worker node.
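
The event-to-configuration step described above, as an added example that is not code from this repository: each watch event updates a desired-state map, annotations override ConfigMap defaults, and a rebuild is signalled only when the state actually changed. The annotation key `waf.example.com/security-level`, the `security-level` ConfigMap entry, its allowed values and all class names are hypothetical; the Airlock WAF REST call itself is left out.

```java
import java.util.*;

// Added example. Annotation key, setting names and level values are hypothetical.
public class IngressToWafState {
    enum EventType { ADDED, MODIFIED, DELETED }

    // Stand-in for the fields of a watched Ingress or Route that matter here.
    record IngressEvent(EventType type, String namespace, String name, String host,
                        String backend, Map<String, String> annotations) {}

    // Desired WAF mapping derived from one Ingress or Route.
    record WafMapping(String virtualHost, String backend, String securityLevel) {}

    static final String LEVEL_KEY = "waf.example.com/security-level"; // hypothetical
    static final Set<String> ALLOWED_LEVELS = Set.of("strict", "standard", "basic");

    private final Map<String, WafMapping> desired = new TreeMap<>();
    private final String defaultLevel; // value read from the ConfigMap

    IngressToWafState(Map<String, String> configMap) {
        this.defaultLevel = configMap.getOrDefault("security-level", "strict");
    }

    // Applies one event; returns true when the WAF configuration must be rebuilt and activated.
    boolean apply(IngressEvent e) {
        String key = e.namespace() + "/" + e.name();
        if (e.type() == EventType.DELETED) return desired.remove(key) != null;
        String level = e.annotations().getOrDefault(LEVEL_KEY, defaultLevel);
        // Annotations are set by whoever may edit the Ingress: reject unknown values.
        if (!ALLOWED_LEVELS.contains(level)) level = defaultLevel;
        WafMapping next = new WafMapping(e.host(), e.backend(), level);
        return !next.equals(desired.put(key, next));
    }

    Collection<WafMapping> desiredState() { return desired.values(); }

    public static void main(String[] args) {
        var state = new IngressToWafState(Map.of("security-level", "standard"));
        // Constructed sample events.
        var add = new IngressEvent(EventType.ADDED, "shop", "web", "shop.example.com",
                "web-svc:8080", Map.of(LEVEL_KEY, "strict"));
        var bad = new IngressEvent(EventType.MODIFIED, "shop", "web", "shop.example.com",
                "web-svc:8080", Map.of(LEVEL_KEY, "off"));
        var del = new IngressEvent(EventType.DELETED, "shop", "web", "", "", Map.of());
        System.out.println("add:    " + state.apply(add) + " " + state.desiredState());
        System.out.println("resync: " + state.apply(add) + " " + state.desiredState());
        System.out.println("bad:    " + state.apply(bad) + " " + state.desiredState());
        System.out.println("delete: " + state.apply(del) + " " + state.desiredState());
    }
}
```

Requires Java 16 or newer for records. A watcher that replays existing objects on reconnect produces repeated ADDED events, which is why `apply` compares against the stored mapping before signalling a rebuild.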

Disclaimer

This Proof of Concept application is NOT for production use.

Requirements

  • Airlock WAF 7.1 or newer
  • Airlock WAF JWT token (API Key)
  • Kubernetes or OpenShift
  • Airlock WAF and Kubernetes/OpenShift need to be in the same subnetwork

Software Architecture Hints

  • Based on Spring Boot
  • The application entry point is, in the case of
    • Kubernetes: IngressEventWatcher.java
    • OpenShift: RouteEventWatcher.java
  • The official Kubernetes Java Client is used to communicate with the API Server
  • The OpenShift Route REST API has been implemented in OpenShiftV1Api.java
  • It uses a client certificate to authenticate against the Kubernetes API Server

Tutorial

Under examples you will find tutorials and detailed descriptions.