Start With Kubernetes
Overview
open-appsec for Kubernetes protects web applications and APIs running in Kubernetes environments. It integrates with the popular Ingress NGINX (Ingress Controller), securing the ingress HTTP/S traffic to Services inside Kubernetes clusters. It also integrates with Kong Gateway (native Lua-based Kong plugin available) as well as APISIX API Gateways, securing distributed, exposed APIs at the API Gateway level. If you are using Istio Service Mesh with your Kubernetes clusters, you can integrate open-appsec directly with your existing Istio Ingress Gateway. More integrations are planned to be added in the future (e.g. Envoy Gateway, Emissary Ingress).
The NGINX Ingress Controller and open-appsec for Kubernetes agent are deployed together with a single Helm chart. This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Ingress controller protected with open-appsec. The NGINX Ingress Controller container contains the open-appsec Attachment which communicates with the open-appsec Agent.

Deployment Options
The recommended deployment option depends on the proxy solution you want to integrate with:
Deployment with helm chart (recommended)
For integration with the following solutions, we provide a flexible helm chart, which is an extended version based on the original helm chart of the proxy solution to integrate with and offers separate, optional CRD deployment for locally, declaratively-managed deployments:
Ingress NGINX
APISIX API Gateway
Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)
Deployment with injector helm chart (recommended)
For integration with the following proxy solutions, we provide a helm chart, which is used additionally to the original helm chart of the solution to integrate with, this helm chart automatically injects all required open-appsec components using a Kubernetes webhook into the existing solution's deployment:
Kong API Gateway (recommended Kong integration, using native Lua-based attachment plugin)
Istio Ingress Gateway
First generation helm chart (will be deprecated soon)
Our first generation Kubernetes helm chart is an extended version based on the original helm chart of the proxy solution to integrate with, following proxy solutions are supported:
This will be deprecated soon, as more flexible, improved helm-based installation options were made available already. This is shown primarily for existing users that still use this early deployment option.
Ingress NGINX
APISIX API Gateway
Kong API Gateway (first generation of Kong integration using an NGINX attachment, an improved, native Kong integration using Lua-plugin is available further below!)
You can always connect your deployment later to the open-appsec central management web UI (provided as SaaS service), which provides cloud logging & reporting, central management and monitoring of multiple K8s clusters and an easy-to-use WebUI for all administrative tasks.
Last updated
Was this helpful?