Start With Kubernetes

Overview

open-appsec for Kubernetes protects web applications and APIs running in Kubernetes environments. It integrates with the popular Ingress NGINX (Ingress Controller), securing the ingress HTTP/S traffic to Services inside Kubernetes clusters. It also integrates with Kong Gateway (native Lua-based Kong plugin available) as well as APISIX API Gateways, securing distributed, exposed APIs at the API Gateway level. If you are using Istio Service Mesh with your Kubernetes clusters, you can integrate open-appsec directly with your existing Istio Ingress Gateway. More integrations are planned to be added in the future (e.g. Envoy Gateway, Emissary Ingress).

Ingress NGINX

Kong Gateway

APISIX gateway

Istio Ingress Gateway

The NGINX Ingress Controller and open-appsec for Kubernetes agent are deployed together with a single Helm chart. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Ingress controller protected with open-appsec. The NGINX Ingress Controller container contains the open-appsec Attachment which communicates with the open-appsec Agent.

open-appsec can be flexibly integrated with Kong. This diagram shows K8s Web APIs/Apps exposed by an Kong API Gateway that is protected by open-appsec. Inside the Kong Gateway Pod there are following containers: Kong Gateway container, open-appsec Agent container and optional Kong Controller (Ingress Controller). Here open-appsec is integrated with the Kong Gateway container which contains the open-appsec Attachment for communication with the open-appsec Agent, this is implemented using a native Lua-based Kong plugin for attaching the open-appsec agent to the Kong Gateway.

For Kubernetes based-deployments of APISIX integrated with open-appsec there’s a helm chart available, which is based on the official APISIX helm chart and further enhanced to also include the open-appsec attachment in the APISIX gateway container and the deployment of the open-appsec agent as a sidecar container in the same pod.

Here’s a simple architecture schematic for deployment on Kubernetes.

open-appsec integrates with Istio Ingress Gateway in Kubernetes environments with Istio service mesh. This diagram shows K8s Web APIs/Apps exposed by an Istio Ingress Gateway that is protected by open-appsec. As part of the open-appsec deployment, using a K8s webhook, the open-appsec Agent container is injected automatically to the Istio Ingress Gateway pod and an Attachment filter is added to and loaded by the Envoy-based, istio-proxy container. This open-appsec Attachment filter is required for communication with the open-appsec Agent.

Deployment Options

The recommended deployment option depends on the proxy solution you want to integrate with:

Deployment with helm chart (recommended)

For integration with the following solutions, we provide a flexible helm chart, which is an extended version based on the original helm chart of the proxy solution to integrate with and offers separate, optional CRD deployment for locally, declaratively-managed deployments:

• Ingress NGINX

• APISIX API Gateway

• Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)

Deployment with injector helm chart (recommended)

For integration with the following proxy solutions, we provide a helm chart, which is used additionally to the original helm chart of the solution to integrate with, this helm chart automatically injects all required open-appsec components using a Kubernetes webhook into the existing solution's deployment:

• Kong API Gateway (recommended Kong integration, using native Lua-based attachment plugin)

• Istio Ingress Gateway

First generation helm chart (will be deprecated soon)

Our first generation Kubernetes helm chart is an extended version based on the original helm chart of the proxy solution to integrate with, following proxy solutions are supported:

• Ingress NGINX

• APISIX API Gateway

• Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)