open-appsec
WebsiteManagement PortalPlaygroundGitHub
  • open-appsec Documentation
  • What is open-appsec?
  • open-appsec Video Tutorials
  • Release Notes
  • Getting started
    • Getting Started
    • Start With Kubernetes
      • Install Using Interactive CLI Tool (Ingress NGINX)
      • Configuration Using Interactive CLI Tool
      • Install Using Helm
      • Install Using Helm - new flow (beta)
      • Configuration Using CRDs
      • Configuration Using CRDs - v1beta2
      • Configuration using CRDs - special options for Large Scale Deployments
        • Using appsec class for assigning separate custom resources to specific deployments
        • Using namespace-scoped custom resources
      • Monitor Events
    • Start With Linux
      • Install open-appsec for Linux
      • Using the open-appsec-ctl Tool
      • Configuration Using Local Policy File (Linux)
      • Local Policy File (Advanced)
      • Local Policy File v1beta2 (beta)
      • Monitor Events
    • Start with Docker
      • Install With Docker (Centrally Managed)
      • Install With Docker (Locally Managed)
      • Deploy With Docker-Compose (Beta)
      • Configuration Using Local Policy File (Docker)
      • Local Policy File (Advanced)
    • Using the Web UI (SaaS)
      • Sign-Up and Login to Portal
      • Agents Deployment
      • Connect Deployed Agents to SaaS Management Using Tool (K8s & Linux)
      • Connect Deployed Agents to SaaS Management Using Helm (K8s)
      • Connect Deployed Agents to SaaS Management (Docker)
      • Create a Profile
      • Protect Additional Assets
      • Monitor Events
    • Using the Advanced Machine Learning Model
  • Concepts
    • Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • SETUP INSTRUCTIONS
    • Setup Web Application Settings
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • Additional Security Engines
    • Anti-Bot
    • API Schema Enforcement
    • Data Loss Prevention (DLP) Rules
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
  • Snort Rules
    • Import Snort Rules
    • Write Snort Signatures
  • HOW TO
    • Configuration and Learning
      • Track Learning and Move From Learn/Detect to Prevent
      • Configure Contextual Machine Learning for Best Accuracy
      • Track Learning and Local Tuning in Standalone Deployments
      • Move From Detect to Prevent in K8s With Many Ingress Rules
  • Deployment and Upgrade
    • Load the Attachment in Proxy Configuration
    • Upgrade Your Reverse Proxy/API Gateway When an Agent is Installed
    • Integration in GitOps CD (K8s)
    • Build open-appsec Based on Source Code
  • Management Web UI
    • Track Agent Status
    • Delete or Reset Management Tenant (SaaS)
    • Disconnect an open-appsec agent from Central Management
  • Integrations
    • About Integrations With 3rd Party Solutions
    • CrowdSec
      • CrowdSec Bouncer Support
      • CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario
    • NGINX Proxy Manager
      • Install NGINX Proxy Manager with open-appsec managed from NPM WebUI
      • Install NGINX Proxy Manager with open-appsec managed from central WebUI (SaaS)
      • Frequently Asked Questions
      • How to Migrate from an Existing NGINX Proxy Manager Deployment and Keep Configuration
    • NPMplus
    • Docker SWAG
      • Install Docker SWAG with open-appsec (locally managed)
      • How to connect locally managed Docker SWAG with open-appsec to WebUI
      • Install Docker SWAG with open-appsec (centrally managed)
      • Deploy Docker SWAG with docker-compose (beta)
      • Frequently Asked Questions
  • Troubleshooting
    • Troubleshooting
    • Troubleshooting Guides
      • Configuration contains ingress/asset with URL which already has asset attached to it in your tenant
      • HTTP Request to Port 80 Not Returning as Expected
      • Agent Fails to Recognize HTTP Transactions with NGINX
      • Agent Not Recognizing Initial HTTP Requests
      • Handling Large Requests (413 Responses)
      • open-appsec on Docker HTTP Transaction Handler Is Set To Ready
      • Traffic Recognition Issue on Single-Core Machine/Connection Timed Out
      • Installing open-appsec on CentOS 7
      • SELinux: checking status and disabling
      • Deploy open-appsec directly on the web server hosting the application to protect
      • object is locked or remote, and therefore cannot be modified
      • Failed to Register to Fog
  • references
    • Agent CLI
    • Event Query Language
    • Events/Logs Schema
    • WAF Comparison Project
Powered by GitBook
On this page

Was this helpful?

  1. Getting started
  2. Start With Kubernetes
  3. Configuration using CRDs - special options for Large Scale Deployments

Using appsec class for assigning separate custom resources to specific deployments

PreviousConfiguration using CRDs - special options for Large Scale DeploymentsNextUsing namespace-scoped custom resources

Last updated 3 months ago

Was this helpful?

The advanced configuration options explained on this page require an existing helm-based deployment on K8s with CRD version v1beta2. See here for instructions: Install Using Helm - new flow (beta)

In deployment scenarios with multiple parallel open-appsec deployments on the same Kubernetes cluster (each having same or also different Proxy/API Gateway integration type) often also separate, distinct sets of custom resources for the open-appsec configuration of the different deployments are required.

Starting with open-appsec CRD version you can now define multiple, distinct sets of custom resources for the configuration of different, parallel open-appsec deployments on the same Kubernetes cluster by specifying an appsec class.

Using appsec class

When you , you can optionally specify an appsec.className as shown e.g. in the example below to associate that specific appsec class (myCustomClass1 in the example) with your deployment.

helm install ... --set appsec.className=myCustomClass1 ...

As a result, this specific open-appsec deployment (more specifically the open-appsec agent) will only look at those custom resources, which also have the key appsecClassName set to that exact same value.

When you do not specify appsec.className for a deployment of open-appsec, then that open-appsec agent will ignore the appsecClassName property in custom resources and apply both of the following custom resource definitions, those with no appsecClassName set as well as those with an appsecClassName specified with the helm install command.

Here's an example of a policy custom resource with the added property appsecClassName (see line 6) set to myCustomClass1 so that a deployment, which was also configured with appsec.className myCustomClass1 (see above) would consider/implement it:

apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
    name: policy-example
spec:
    appsecClassName: myCustomClass1
    default:
        mode: detect-learn
        accessControlPractices: [access-control-practice-example]
        threatPreventionPractices: [threat-prevention-practice-example]
        triggers: [log-trigger-example]
        customResponse: custom-response-code-example
        sourceIdentifiers: ""
        trustedSources: ""
        exceptions:
        - exception-example
    specificRules:
        - host: "example.com"
          mode: prevent-learn
          threatPreventionPractices: [threat-prevention-practice-example]
          accessControlPractices: [access-control-practice-example]
          triggers: [log-trigger-example]
          customResponse: custom-response-code-example
          sourceIdentifiers: ""
          trustedSources: ""
          exceptions:
          - exception-example

Make sure to set the appsecClassName property in all custom resources relevant for the specific open-appsec deployment which is configured to using it, including all relevant dependencies (e.g. the custom resources for customResponse, triggers, accessControlPractices, threatPreventionPractices, exceptions as referenced in the example policy custom resource above).

This approach is similar to how you can e.g. set different ingressClassNames to associate which ingress API resources should be satisfied by which Ingress Controllers.

open-appsec deployments without an appsec.className explicitly set, will only apply the configuration from those custom resources, which do not have any appsecClassName explicitly defined.

open-appsec deployments with an appsec.className explicitly set, will only apply the configuration from those custom resources, which do also have the exact same appsecClassName explicitly defined.

v1beta2
deploy open-appsec using helm