Install Using Helm (Istio)
The steps described here to deploy open-appsec on Kubernetes with Istio integration are currently in beta.
The steps described on this page explain how to deploy and integrate open-appsec with an existing Istio Ingress Gateway deployment on Kubernetes.
Prerequisites
Kubernetes 1.16.0+ cluster with RBAC enabled with Cluster admin permissions
Helm 3 Package Manager installed on your local machine
kubectl
andwget
command-line tools installed on the system that you use to access the Kubernetes clusterAn existing deployment of Istio Ingress Gateway. Supported versions: 1.23 - 1.25
You should have an understanding of Istio Kubernetes CRD types "Virtual Service" and "Gateway"
Optional (Recommended)
To manage your open-appsec WAF deployment—either centrally via WebUI (SaaS) or locally with optional read-only WebUI monitoring—follow these steps:
Sign Up / Log In Go to https://my.openappsec.io and sign up or log in to access the WebUI.
Create a Deployment Profile Once logged in, create a new deployment profile for your open-appsec setup. Important: After completing policy installation, copy the profile token—you’ll need it in the installation steps that follow.
Installation
Step 1: Add the Helm Repo
helm repo add openappsec https://charts.openappsec.io
helm repo update
Step 2: Deploy open-appsec Helm Chart for Istio
Run the following command to deploy the open-appsec helm chart into your Istio Ingress Controller namespace:
helm install open-appsec-istio openappsec/open-appsec-istio \
--set webhook.objectSelector.labelValue=istio-ingress \
--set webhook.objectSelector.labelName=app \
--set appsec.persistence.enabled=false \
--set gateways.istio-ingressgateway.service.externalTrafficPolicy=Local \
--set appsec.userEmail=<your-email-address> \
--set appsec.agentToken= \
-n [istio ingress gateway namespace]
Before running the installation command, make sure to update the placeholders according to your environment:
istio ingress gateway namespace
- Replace this with the namespace of your existing Istio ingress gateway deployment.appsec.agentToken
- If you are connecting to the central WebUI, add the profile token you received after creating a deployment profile in the WebUI.For standalone deployments leave parameter empty
appsec.userEmail
- Replace<your-email-address>
with your own email address.
open-appsec will now be deployed into the existing namespace of your istio ingress gateway.
Step 3: Enable open-appsec Injection on Istio Ingress Gateway
To allow open-appsec to inspect traffic through your Istio ingress gateway, it must be attached to the existing deployment. This happens automatically if the proper labels are set and the deployment is restarted.
Label the Namespace Add the
inject-waf-attachment=true
label to the namespace of your Istio ingress gateway:kubectl label namespace [istio ingress gateway namespace] inject-waf-attachment="true" --overwrite
Label the Deployment Ensure your Istio ingress deployment has the required labels as configured in your
webhook.objectSelector
:webhook.objectSelector.labelKey
webhook.objectSelector.labelValue
(These labels must match what’s configured in the open-appsec Helm chart. Refer to your Helm values or the section above for details.)
Restart the Istio Ingress Deployment The restart injects the open-appsec attachment into the istio ingress gateway container, and open-appsec agent container into all existing istio ingress gateway pods, by using a Kubernetes mutating webhook to adjust the deployment.
kubectl rollout restart deployment [istio ingress gateway deployment name] -n [istio ingress gateway namespace]
The
inject-waf-attachment
label enables open-appsec to patch the deployment.During restart, the open-appsec attachment is injected into the existing ingress gateway container.
An open-appsec agent container is also injected into each pod using a Kubernetes mutating webhook.
Step 4: Validate that open-appsec is installed and running
kubectl get pods -n [istio ingress gateway namespace]
The READY column should show 2/2 for each istio ingress gateway pod and 1/1 for each of the following pods: waf injector, learning deployment (only in standalone deployment), shared storage deployment (only in standalone deployment).
Step 5: If you connected to central WebUI AND configured your deployment profile in the WebUI to "This management" mode for centrally managing open-appsec configuration:
Create one or more assets in the WebUI which represent web applications and/or Web APIs which you want to be protected by open-appsec WAF and allows you to adjust the open-appsec configuration specifically for each of them. Make sure to link your assets to the specific WebUI Profile which you created earlier (General -> Profiles) and adjust the Threat Prevention mode to Detect-Learn or Prevent (Threat Prevention -> Mode), the steps are described here:
Don't forget to Enforce policy in the WebUI after you did any changes for those changes to become effective!
The following steps 6-10 are only relevant if you want to locally manage this open-appsec deployment in Kubernetes using a declarative configuration using custom resources.
They apply to the following two cases:
You do not want to connect to central WebUI at all (you didn't provide a deployment profile token earlier)
You provided deployment profile token earlier for a WebUI profile set to mode "Declarative Management"
If you are not managing your deployment locally, scroll down to Install Using Helm (Istio)
Step 6: (only for locally-managed deployments) Download the yaml file for open-appsec CRD installation
Run the following command to obtain the yaml file containing the open-appsec CRD definitions, choose the CRD version you want to use. v1beta2 CRDs:
wget https://raw.githubusercontent.com/openappsec/openappsec/main/config/crds/open-appsec-crd-v1beta2.yaml
Step 7: (only for locally-managed deployments) Create the open-appsec CRDs which add new K8s resource-types that will be used later for defining the protection policies, log settings, exceptions, user response and more.
Deploy the CRDs using the following command:
For the v1beta2 CRDs:
kubectl apply -f ./open-appsec-crd-v1beta2.yaml
Step 8: (only for locally-managed deployments) Download a default configuration for the open-appsec custom resources
Run the following command to obtain the yaml file containing the open-appsec default configuration custom resources, chose the CRD version which you have deployed in the steps above on your cluster. Default configuration for v1beta2 in detect-learn mode:
wget https://raw.githubusercontent.com/openappsec/openappsec/main/config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml
Step 9: (only for locally-managed deployments) Deploy default configuration for the open-appsec custom resources
To deploy the default configuration for the open-appsec custom resources perform the step below: Default configuration for v1beta2 (beta):
kubectl apply -f ./open-appsec-k8s-default-config-v1beta2.yaml
Step 10: Configure open-appsec protection using custom resources (only relevant for locally-managed deployments)
a. Make sure to have an open-appsec Policy
resource
If you followed the steps above you should now have an open-appsec-best-practice-policy custom resource deployed on your K8s cluster. You can check this with the following command which will list all open-appsec policy custom resources:
kubectl get policies.openappsec.io
If you want to check if it's set to detect-learn
(default) or prevent-learn
mode you can use this command (the name of the policy created by the default configuration in v1beta2 is default-policy
):
kubectl get policies.openappsec.io default-policy -o yaml
If you want to create your own custom policy, you find all details here:
For v1beta2 CRDs: Configuration Using CRDs - v1beta2
b. Create a PolicyActivation
resource
Using a PolicyActivation
custom resource you can now specify that your existing open-appsec policy (e.g. default-policy
, see above) should be applied to all traffic matching the hostname example.com
. (You can have multiple Policy
custom resources and also multiple PolicyActivation
custom resources)
Create a new file policy-activation.yaml
to specify a new PolicyActivation
custom resource similar to the below specification (change example.com
to your own hostname, adjust default-policy
if you want to reference another Policy
custom resource instead of the default one):
apiVersion: openappsec.io/v1beta2
kind: PolicyActivation
metadata:
name: policy-activation-example
spec:
enabledPolicies:
- name: default-policy
hosts:
- "example.com"
Then apply it to your Kubernetes cluster using:
kubectl apply -f policyactivation.yaml
If you want to create your own PolicyActivation custom resource, you find all details here:
For v1beta2 CRDs: Configuration Using CRDs - v1beta2
Validate the Deployment:
Your Istio ingress gateway is now protected with open-appsec (in detect or prevent mode)!
Generate some traffic to one of the services defined by your Istio
Gateway
andVirtualService
resources.Run this command to see logs:
Note the name of an Istio ingress gateway pod by running:
kubectl get pods -n [istio ingress gateway namespace]
Then show the logs of the open-appsec agent container by running:
kubectl logs [istio ingress gateway pod name] -c open-appsec -n appsec
Last updated
Was this helpful?