Install Using Helm
For Ingress NGINX Ingress Controller with open-appsec, the following method is recommended if you have an advanced understanding of Kubernetes topics and wish to have very granular control using CRDs. For a simplified installation you can alternatively use the available installation tool.
For Kong and Apache APISIX with open-appsec follow the instructions for installation using Helm below.
Kubernetes 1.16.0+ cluster with enabled with Cluster admin permissions
installed on your local machine
The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster
You have an understanding of Kubernetes Ingress and either have a deployed Ingress or know how to configure one.
Run the following command to obtain the latest helm chart:
Run the following command to install open-appsec together with Ingress NGINX Ingress Controller, Kong API Gateway, or Apache APISIX API Gateway and create the open-appsec CRDs which add new K8s resource-types that will be used later for defining the protection policies, log settings, exceptions, user response and more.
This installs Ingress NGINX Ingress Controller with open-appsec into a new namespace "appsec" in local management mode (stand-alone).
helm install parameters

-n <namespace>: select a namespace name that will include the open-appsec and NGINX ingress controller resources, please use the appsec namespace.
--create-namespace: create namespace if it doesn't exist
--name-template: name of your deployment, used for pod naming (optional)
--set appsec.userEmail: allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address. This allows us to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.
--set appsec.persistence.enabled: persistent volume includes machine learning information, if this is set to false then machine learning information is lost when the appsec container is stopped/restarted. Possible values: true (default) or false. If this value is set to true (default, when not overriding with false) you must also specify appsec.persistence.learning.storageClass
--set appsec.persistence.learning.storageClass: Specify storage class to be used for the learning pod. Note: storageClass name specified here must support ReadWriteMany (like AWS EFS or Azure Files).
--set appsec.mode: Configure if the deployment is connected to the central management WebUI (SaaS)
    standalone: use this only for standalone deployment (locally managed via CRDs with no connection to central management WebUI (SaaS))
    managed: use this for connection to central management WebUI (SaaS), when this is set appsec.agentToken must be provided as well.
--set controller.ingressClassResource.name: specify unique ingress class name, default is 'appsec-nginx'
--set controller.ingressClassResource.controllerValue: default is 'k8s.io/appsec-nginx'
--set controller.service.externalTrafficPolicy=Local: required for Azure.
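The dependencies between these values (managed mode needs appsec.agentToken, enabled persistence needs a storage class) can be checked before helm install is run. The following pre-flight check is an added example, not part of the open-appsec documentation; the function name appsec_set_args, the chart placeholder and the sample storage class name are assumptions.

```sh
# Added example. CHART is a placeholder for the chart file obtained in the
# earlier step; the sample storage class name below is constructed.
CHART="${CHART:-PLACEHOLDER-chart.tgz}"

# appsec_set_args MODE TOKEN PERSISTENCE STORAGE_CLASS
# Prints the --set arguments for helm install on stdout. On a violated rule it
# prints one line per problem on stderr and returns 1.
appsec_set_args() {
    mode=$1; token=$2; persist=${3:-true}; sclass=$4
    rc=0; args="--set appsec.mode=$mode"

    case "$mode" in
        managed)
            # managed mode needs the deployment profile token
            if [ -z "$token" ]; then
                echo "appsec.mode=managed requires appsec.agentToken" >&2; rc=1
            fi
            args="$args --set appsec.agentToken=$token" ;;
        standalone)
            # a token is only meaningful together with appsec.mode=managed
            if [ -n "$token" ]; then
                echo "appsec.agentToken set but appsec.mode=standalone" >&2; rc=1
            fi ;;
        *)  echo "appsec.mode must be standalone or managed" >&2; rc=1 ;;
    esac

    case "$persist" in
        true)
            # persistence (the default) needs a ReadWriteMany storage class
            if [ -z "$sclass" ]; then
                echo "appsec.persistence.learning.storageClass is required" >&2; rc=1
            fi
            args="$args --set appsec.persistence.learning.storageClass=$sclass" ;;
        false)
            echo "warning: learning data is lost on container restart" >&2
            args="$args --set appsec.persistence.enabled=false" ;;
        *)  echo "appsec.persistence.enabled must be true or false" >&2; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] || return 1
    echo "$args"
}

# Print (do not run) the command for a constructed standalone deployment.
if args=$(appsec_set_args standalone "" true my-rwx-class); then
    echo helm install "$CHART" -n appsec --create-namespace $args
fi
```

The check only validates that the values are consistent with each other; whether the named storage class really supports ReadWriteMany still has to be confirmed on the cluster.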
The READY column should show 2/2 for the ingress controller pod and 1/1 for the learning deployment and shared storage deployment pods.
Here are the available options:
open-appsec implements K8s ingress resources serving as an NGINX ingress controller with multi-layered Web App & API protection functionalities.
If you use an NGINX Ingress today, you can easily update your existing K8s ingress resource to use the open-appsec ingress. Once you apply the change, the ingress will reload and traffic will be protected.
This is a good approach for lab, staging or non-critical production environments.
a. Create an open-appsec policy resource
First you must create a K8s open-appsec policy resource. There are multiple alternative ways to create a policy:
Run the following commands to create the "open-appsec-best-practice-policy" resource in K8s:
b. Find out the name of your relevant ingress resource:
c. Edit the ingress resource:
d. Change the ingressClassName to use open-appsec:
e. Add these annotations to activate open-appsec:
Make sure to use the correct name for the open-appsec policy resource which you created above.
Your existing or new Ingress is now running and you can try it out!
Generate some traffic to one of the services defined in your ingress.
Run this command to see logs:
Note the name of the ingress nginx pod by running:
Show the logs of the open-appsec agent container by running:
Step 6: Point your DNS to the New Ingress
After testing that your services are reachable, you can point your public DNS record to the new ingress.
In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.
Learn how to define your policies, set exceptions and other advanced configuration:
--set appsec.agentToken: set the deployment profile token from the central management WebUI (SaaS) to connect your open-appsec deployment to the central WebUI (SaaS). Also make sure to set appsec.mode to managed when you provide the token.
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the Ingress NGINX documentation.
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the Kong documentation.
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the APISIX documentation.
Use the available configuration tool as explained to easily create a policy resource.
Create your own custom policy, you find all details.