Start With Kubernetes

Overview

open-appsec for Kubernetes protects web applications and APIs running in Kubernetes environments. It integrates with the popular Ingress NGINX (Ingress Controller), securing the ingress HTTP/S traffic to Services inside Kubernetes clusters. It also integrates with Kong Gateway (native Lua-based Kong plugin available) as well as APISIX API Gateways, securing distributed, exposed APIs at the API Gateway level. If you are using Istio Service Mesh with your Kubernetes clusters, you can integrate open-appsec directly with your existing Istio Ingress Gateway. More integrations are planned to be added in the future (e.g. Envoy Gateway, Emissary Ingress).

The NGINX Ingress Controller and open-appsec for Kubernetes agent are deployed together with a single Helm chart. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Ingress controller protected with open-appsec. The NGINX Ingress Controller container contains the open-appsec Attachment which communicates with the open-appsec Agent.

Deployment Options

The recommended deployment option depends on the proxy solution you want to integrate with:

For integration with the following solutions, we provide a flexible helm chart, which is an extended version based on the original helm chart of the proxy solution to integrate with and offers separate, optional CRD deployment for locally, declaratively-managed deployments:

  • Ingress NGINX

  • APISIX API Gateway

  • Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)

Install Using Helm - new flow (beta)

For integration with the following proxy solutions, we provide a helm chart, which is used additionally to the original helm chart of the solution to integrate with, this helm chart automatically injects all required open-appsec components using a Kubernetes webhook into the existing solution's deployment:

  • Kong API Gateway (recommended Kong integration, using native Lua-based attachment plugin)

  • Istio Ingress Gateway

Install With Helm using Webhook

First generation helm chart (will be deprecated soon)

Our first generation Kubernetes helm chart is an extended version based on the original helm chart of the proxy solution to integrate with, following proxy solutions are supported:

  • Ingress NGINX

  • APISIX API Gateway

  • Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)

Install Using Helm

Last updated

Was this helpful?