The steps described here to deploy open-appsec on Kubernetes are currently in beta.
The installation flow as described here has changed from the previous one in the way that deployment of the open-appsec helm chart, CRDs and default configuration are now separate steps. This allows more flexibility and custom selection of the preferred CRD version by the user.
Prerequisites
Kubernetes 1.16.0+ cluster with RBAC enabled with Cluster admin permissions
kubectl and wget command-line tools installed on the system that you use to access the Kubernetes cluster
You have understanding of Kubernetes Ingress and either have an already deployed Ingress or know how to configure one.
For more details about Kubernetes Ingress see Kubernetes documentation here.
(Optional, Recommended) Sign-Up and Login to WebUI Portal
If you want to centrally manage your open-appsec WAF deployment via WebUI (SaaS)
OR if you want to locally manage your open-appsec WAF deployment but still connect to central WebUI for viewing the local configuration (in read-only), central monitoring, logging and reporting:
Follow the instructions below to sign-up and login to the WebUI available at https://my.openappsec.io:
(Optional, Recommended) Create deployment profile for the open-appsec deployment in WebUI Portal
If you signed-up and logged in to the WebUI Portal (see prerequisite above), now follow the instructions below to create a new deployment profile for your open-appsec deployment.
Once done, don't forget to copy the profile token after policy installation as this is needed in the installation steps further below.
Your deployment of open-appsec and the selected proxy solution for integration will be done into a new namespace appsec.
If you have created a deployment profile in the WebUI (see prerequisites section above) to connect your deployment to the central WebUI please specify this token as value for the appsec.agentToken parameter (for standalone deployments leave parameter empty).
Replace the value <your-email-address> for the appsec.userEmail parameter with your own email address, for more details on this see below.
If you have persistent storage available in your cluster please set the "--set appsec.persistence.enabled=false" parameter in the following command to "true" to allow open-appsec to use persistent storage for the learning. This is only shown for maximum compatibility reasons below.
Optional open-appsec helm install parameters
-n <namespace>: select a namespace name that will include the open-appsec and NGINX ingress controller resources, please use the appsec namespace.
--create-namespace: create namespace if it doesn't exist
--name-template: name of your deployment, used for pod naming (optional)
--set appsec.userEmail: allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address.
This allows us to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.
--set appsec.persistence.enabled: persistent volume includes machine learning information, if this is set to false then machine learning information is lost when the appsec container is stopped/restarted.
true: default is true
false
If this value is set to true (default, when not overriding with false) you must also specify appsec.persistence.learning.storageClass
--set appsec.persistence.learning.storageClass: Specify storage class to be used for the learning pod.
Note: storageClass name specified here must support ReadWriteMany (like AWS EFS or Azure Files).
--set appsec.mode: Configure if the deployment is connected to the central management WebUI (SaaS)
standalone: use this only for standalone deployment (locally managed via CRDs with no connection to central management WebUI (SaaS))
managed: use this for connection to central management WebUI (SaaS), when this is set appsec.agentToken must be provided as well.
--set appsec.agentToken: set the deployment profile token from central management WebUI (SaaS) to connect your open-appsec deployment to the central WebUI (SaaS), also make sure to set appsec.mode to managed when you provide the token, see here how to get the token: create a profile in web UI.
--set controller.ingressClassResource.name: specify unique ingress class name, default is 'appsec-nginx'
--set controller.ingressClassResource.controllerValue: default is 'k8s.io/appsec-nginx'
--set controller.service.externalTrafficPolicy=Local required for preserving original IP address in conjunction with LoadBalancer in e.g. Azure AKS (Standard Load Balancer) or AWS EKS (Network Load Balancer).
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the Ingress NGINX documentation available here.
-n <namespace>: select a namespace name that will include the open-appsec and Kong gateway resources, please use the appsec namespace.
--create-namespace: create namespace if it doesn't exist
--name-template: name of your deployment, used for pod naming (optional)
--set appsec.userEmail: allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address.
This allows us to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.
--set appsec.persistence.enabled: persistent volume includes machine learning information, if this is set to false then machine learning information is lost when the appsec container is stopped/restarted.
true: default is true
false
If this value is set to true (default, when not overriding with false) you must also specify appsec.persistence.learning.storageClass
--set appsec.persistence.learning.storageClass: Specify storage class to be used for the learning pod.
Note: storageClass name specified here must support ReadWriteMany (like AWS EFS or Azure Files).
--set appsec.mode: Configure if the deployment is connected to the central management WebUI (SaaS)
standalone: use this only for standalone deployment (locally managed via CRDs with no connection to central management WebUI (SaaS))
managed: use this for connection to central management WebUI (SaaS), when this is set appsec.agentToken must be provided as well.
--set appsec.agentToken: set the deployment profile token from central management WebUI (SaaS) to connect your open-appsec deployment to the central WebUI (SaaS), also make sure to set appsec.mode to managed when you provide the token, see here how to get the token: create a profile in web UI.
--set kind: select deployment type
AppSec: Installs open-appsec and Kong as K8s Deployment (default, recommended for most scenarios)
Note: If required, in this mode you can also switch to Daemonset using by additionally setting deployment.daemonset to true)
AppSecStateful: Installs open-appsec and Kong as a K8s StatefulSet
Vanilla: (for debugging purposes only) installs just regular Kong based on the Helm chart without open-appsec.
Note: This can be useful when debugging if a potential issue with the Kong deployment is caused by open-appsec or not.
NOTE: If Vanilla mode is used, then the Kong/Kong Gateway image specified under image.repository/image.tag is being used, instead of the open-appsec specific Kong/Kong Gateway image specified here: appsec.kong.image.repository / appsec.kong.image.tag
--set ingressController.ingressClass: specify desired ingress class name
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the Kong documentation available here.
-n <namespace>: select a namespace name that will include the open-appsec and Kong gateway resources, please use the appsec namespace.
--create-namespace: create namespace if it doesn't exist
--name-template: name of your deployment, used for pod naming (optional)
--set appsec.userEmail: allows you to associate your email address with your specific deployment by replacing <your-email-address> with your own email address.
This allows us to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.
--set appsec.persistence.enabled: persistent volume includes machine learning information, if this is set to false then machine learning information is lost when the appsec container is stopped/restarted.
true: default is true
false
If this value is set to true (default, when not overriding with false) you must also specify appsec.persistence.learning.storageClass
--set appsec.persistence.learning.storageClass: Specify storage class to be used for the learning pod.
Note: storageClass name specified here must support ReadWriteMany (like AWS EFS or Azure Files)
--set appsec.mode: Configure if the deployment is connected to the central management WebUI (SaaS)
standalone: use this only for standalone deployment (locally managed via CRDs with no connection to central management WebUI (SaaS))
managed: use this for connection to central management WebUI (SaaS), when this is set appsec.agentToken must be provided as well.
--set appsec.agentToken: set the deployment profile token from central management WebUI (SaaS) to connect your open-appsec deployment to the central WebUI (SaaS), also make sure to set appsec.mode to managed when you provide the token, see here how to get the token: create a profile in web UI.
--set ingressController.ingressClass: specify desired ingress class name
For additional available configuration values please check the values.yaml within the downloaded Helm chart and the APISIX documentation available here.
Step 3: Validate that open-appsec is installed and running
kubectl get pods -n appsec
The READY column should show 2/2 for the ingress controller pod and 1/1 for the learning deployment and shared storage deployment pods.
kubectl get pods -n appsec
The READY column typically shows 3/3 (or 2/2 if e.g. Kong is deployed without the Kong ingress controller) for the kong pod and 1/1 for the learning deployment and shared storage deployment pods.
kubectl get pods -n appsec-apisix
The READY column should show 2/2 for the ingress controller pod and 1/1 for the learning deployment and shared storage deployment pods.
Step 4: If you connected to central WebUI AND configured your deployment profile in the WebUI to "This management" mode for centrally managing open-appsec configuration:
Create one or more assets in the WebUI which represent web applications and/or Web APIs which you want to be protected by open-appsec WAF and allows you to adjust the open-appsec configuration specifically for each of them.
Make sure to link your assets to the specific WebUI Profile which you created earlier (General -> Profiles) and adjust the Threat Prevention mode to Detect-Learn or Prevent (Threat Prevention -> Mode), the steps are described here:
Protect Additional Assets
Don't forget to Enforce policy in the WebUI after you did any changes for those changes to become effective!
The following steps 5-10 are only relevant if you want to locally manage this open-appsec deployment in Kubernetes using a declarative configuration using custom resources.
They apply to the following two cases:
You do not want to connect to central WebUI at all (you didn't provide a deployment profile token earlier)
You provided deployment profile token earlier for a WebUI profile set to mode "Declarative Management"
Step 5: (only for locally-managed deployments) Download the yaml file for open-appsec CRD installation
Run the following command to obtain the yaml file containing the open-appsec CRD definitions, chose the CRD version you want to use.
v1beta1 CRDs:
Step 6: (only for locally-managed deployments) Create the open-appsec CRDs which add new K8s resource-types that will be used later for defining the protection policies, log settings, exceptions, user response and more.
You can skip this step if you skipped the previous step, becausae you plan to centrally manage open-appsec from central WebUI and not manage it locally using CRDs.
Deploy the CRDs using the following command:
If you downloaded v1beta1 CRDs:
kubectl apply -f ./open-appsec-crd-v1beta1.yaml
If you downloaded v1beta2 CRDs:
kubectl apply -f ./open-appsec-crd-v1beta2.yaml
Step 7: (only for locally-managed deployments) Download a default configuration for the open-appsec custom resources
Run the following command to obtain the yaml file containing the open-appsec default configuration custom resources, chose the CRD version which you have deployed in the steps above on your cluster.
Default configuration for v1beta1 in detect-learn mode:
The default configuration files provided above are set to detect-learn mode, which is recommended for new deployments to allow the machine learning engine sufficient learning before moving to prevent-learn mode. You can then later easily reconfigure the open-appsec-best-practice-policy custom policy resource to prevent-learn mode.
If you would like to start in prevent-mode in non-critical environment for testing purposes right away, you can alternatively use these files, which are preconfigured to prevent-learn mode:
Default configuration for v1beta1 in prevent-mode
open-appsec implements K8s ingress resources serving as an NGINX ingress controller with multi-layered Web App & API protection functionalities.
If you use today an NGINX Ingress, you can easily update your existing K8S ingress resource to use open-appsec ingress. Once you apply the change, the ingress will reload and traffic will be protected.
This is a good approach for a lab, staging or non critical production environments.
For production deployments we suggest to first run a new Ingress protected with open-appsec WAF in parallel, see instructions "NGINX Ingress Controller (2)" (next tab).
a. Make sure to have an open-appsec policy resource
If you followed the steps above you should now have an open-appsec-best-practice-policy custom resource deployed on your K8s cluster.
You can check this with the following command which will list all open-appsec policy custom resources:
kubectl get policies.openappsec.io
If you want to check if it's set to detect-learn (default) or prevent-learn mode you can use this command:
When using v1beta1 CRDs:
kubectl get policies.openappsec.io open-appsec-best-practice-policy -o yaml
When using v1beta2 CRDs:
kubectl get policies.openappsec.io default-policy -o yaml
If you want to create your own custom policy, you find all details here:
d. Change the ingressClassname to the ingress class name used by open-appsec:
spec:
ingressClassName: appsec-nginx
The default ingress class name used by open-appsec is appsec-nginx. In case you configured another ingress class name, please adjust the setting accordingly.
e. Add this annotation to activate the desired open-appsec policy custom resource:
openappsec.io/policy: default-policy
Make sure to use the correct name for the open-appsec policy resource which you created above.
The default mode of the "default-policy" custom resource is detect-learn. It will not block any traffic, unless you change the policy mode to prevent-learn, either for a specific ingress rule or for the whole policy.
NGINX Ingress Controller Option 2: Run a new protected Ingress in parallel
open-appsec implements K8s ingress resources serving as an NGINX ingress controller with multi-layered Web App & API protection functionalities.
Duplicate your existing ingress rules and run a new ingress, side by side with your existing one. Once you are happy with the result, you can change your DNS setting to point to the new, protected, ingress and take down the existing ("old") ingress.
This option allows you to test that all services are properly accessible via the new ingress, without worrying about traffic disruption.
If you instead prefer to directly add open-appsec to your existing ingress this is possible as well. See alternative instructions "NGINX Ingress Controller (1)" (first tab).
a. Make sure to have an open-appsec policy resource
If you followed the steps above you should now have an open-appsec-best-practice-policy custom resource deployed on your K8s cluster.
You can check this with the following command which will list all open-appsec policy custom resources:
kubectl get policies.openappsec.io
If you want to check if it's set to detect-learn (default) or prevent-learn mode you can use this command:
kubectl get policies.openappsec.io open-appsec-best-practice-policy -o yaml
If you want to create your own custom policy, you find all details here:
Make sure to use the correct name for the open-appsec policy resource which you created above.
h. Apply the new ingress:
kubectl apply -f protected-ingress.yaml
The default mode of the open-appsec-best-practice-policy is detect-learn. It will not block any traffic, unless you change the policy mode to prevent-learn, either for a specific ingress rule or for the whole policy.
Kong Gateway: Add protection to existing Ingress resource
open-appsec will secure traffic integrating directly with the Kong Gateway container, as this allows open-appsec to also inspect HTTPS traffic terminated at the Kong Gateway.
In order for traffic to reach your API Gateway you can use the Kong Controller as an Ingress Controller alongside Kong API Gateway (Kong Controller will be deployed by default within the same pod as Kong Gateway as an additional container, but is an optional component).
Alternatively you can use another ingress controller of your choice.
If you use today an Ingress for proxying traffic to your Kong Gateway, you can easily update your existing K8S ingress resource to secure it's traffic with open-appsec. Once you apply the change, the ingress will reload and traffic will be protected.
Note: Having an Ingress Resource defined for traffic to Kong Gateway is mandatory for being able to protect the traffic with open-appsec, as the open-appsec policy resource has to be linked to an ingress resource via an annotation, see below steps. Additional options will be provided in the future.
a. Make sure to have an open-appsec policy resource
If you followed the steps above you should now have an open-appsec-best-practice-policy custom resource deployed on your K8s cluster.
You can check this with the following command which will list all open-appsec policy custom resources:
kubectl get policies.openappsec.io
If you want to check if it's set to detect-learn (default) or prevent-learn mode you can use this command:
kubectl get policies.openappsec.io open-appsec-best-practice-policy -o yaml
If you want to create your own custom policy, you find all details here:
The default mode of this policy is detect-learn. It will not block any traffic, unless you change the policy mode to prevent-learn, either for a specific ingress rule or for the whole policy.
APISIX Gateway: Add protection to existing Ingress resource
open-appsec will secure traffic integrating directly with the APISIX Gateway container, as this allows open-appsec to also inspect HTTPS traffic terminated at the APISIX Gateway.
In order for traffic to reach your API Gateway you can use the APISIX Ingress Controller as an Ingress Controller alongside APISIX API Gateway.
If you use today an Ingress for proxying traffic to your APISIX Gateway, you can easily update your existing K8S ingress resource to secure it's traffic with open-appsec. Once you apply the change, the ingress will reload and traffic will be protected.
a. Make sure to have an open-appsec policy resource
If you followed the steps above you should now have an open-appsec-best-practice-policy custom resource deployed on your K8s cluster.
You can check this with the following command which will list all open-appsec policy custom resources:
kubectl get policies.openappsec.io
If you want to check if it's set to detect-learn (default) or prevent-learn mode you can use this command:
kubectl get policies.openappsec.io open-appsec-best-practice-policy -o yaml
If you want to create your own custom policy, you find all details here:
Make sure to use the correct name for the open-appsec policy resource which you created above.
The default mode of the open-appsec-best-practice-policy is detect-learn. It will not block any traffic, unless you change the policy mode to prevent-learn, either for a specific ingress rule or for the whole policy.
Step 10: Validate that open-appsec works
Your existing or new Ingress is now running and you can try it out!
Generate some traffic to one of the services defined in your ingress.
Run this command to see logs:
Note the name of the ingress nginx pod by running:
kubectl get pods -n appsec
Show the logs of the open-appsec agent container by running:
kubectl logs [ingress nginx pod name] -c open-appsec -n appsec
Note the name of the Kong pod by running:
kubectl get pods -n appsec
Show the logs of the open-appsec agent container by running:
kubectl logs [kong gateway pod name] -c open-appsec -n appsec
Note the name of the apisix gateway pod by running:
kubectl get pods -n appsec-apisix
Show the logs of the open-appsec agent container by running:
kubectl logs [apisix gateway pod name] -c open-appsec -n appsec-apisix
With the default policy logging being done to stdout, so you can easily direct it with fluentd/fluentbit or similar to logs collector (ELK or other). It is possible to configure open-appsec to log also to syslog.
open-appsec automatically logs the first 10 HTTP requests and then by default will only log malicious requests. You can change this setting.
Step 10: Point your DNS to the New Ingress
After testing that your services are reachable, you can point your public DNS record to the new ingress.
In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.
For Production usage you might want to switch from using the Basic to the more accurate Advanced Machine Learning model, as described here:
