Install Using Interactive CLI Tool (Ingress NGINX)
The fastest and easiest way to deploy and configure open-appsec is using an interactive CLI tool which will guide you through the most commonly required customizations.
You can try out the Playground - a fully operational K8S lab where you can learn to deploy open-appsec using the interactive CLI tool
Prerequisites
Kubernetes 1.16.0+ cluster with RBAC enabled with Cluster admin permissions
Helm 3 Package Manager installed on your local machine
The
kubectl
andwget
command-line tools installed on your bastion or platform that you use to access the Kubernetes clusterYou have understanding of Kubernetes Ingress and either have a deployed Ingress or know how to configure one.
For more details about Kubernetes Ingress see Kubernetes documentation here.
Installation
Download and run the installer (Linux-only, macOS soon) using these commands:
The interactive installer has 3 steps:
Step 1: Ingress
The installer will present the available Kubernetes ingresses in the cluster and suggest two options:
1) Duplicate an existing Ingress and add open-appsec to it. This option allows you to test that all services are properly accessible via the new ingress, while the existing ingress is up and running and without worrying about traffic disruption.
2) Add open-appsec to an existing Ingress resource. This is a good approach for a lab, staging or non-critical production environment.
Choose the option that you prefer and press Enter. You will then be asked to select the ingress you wish to duplicate or add-to.
Note: In the current implementation the installer will only show existing ingress resources where the ingress class name starts with "nginx". If your ingress resource's name does not match this requirement you can either rename it or install using helm (without the tool): Install using Helm.
In both cases we will automatically add the required annotation linking the open-appsec policy to the ingress resource and we will also change the ingress class specification for the ingress (either to the copy or to the existing Ingress resource depending on your choice above) to point to the new NGINX Ingress Controller with open-appsec integration.
Step 2: Policy
The installer will display the default policy and allow you to change it if you wish. When saving you will be asked whether to save the settings as a manifest (YAML) or Helm chart
The default-best-practice-policy will:
Inspect all traffic to all ingress rules (paths) / routes and learn it
Detect suspicious requests in confidence high or critical.
If set to prevent-learn, send an HTTP Error Code 403 Forbidden to the client that sent the bad request
Log to stdout (so you can use fluentd/fluentbit) to send logs to ELK or other collector.
Step 3: Apply Configuration
The installation tool will list commands to run in order to complete the installation and apply the configuration. The configuration resides in three files:
open-appsec helm chart for NGINX Ingress Controller or Kong (CRDs and other necessary files)
ingress.yaml - manifest created by the installer per your selections in Step 1
open-appsec-policy.yaml - manifest created by the installer per your selections in Step 2
You can run the commands now or later. If you run them, congratulations - open-appsec is installed and working!
Post-Install
Point your DNS to the Duplicated Ingress (skip if you chose existing Ingress in Step 1 above)
After testing that your services are reachable, you can point your DNS to the new ingress.
In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.
You can identify the IP address of the new ingress by running:
Configuration Changes
You can conduct policy changes, define exception and other advanced configuration in one of three ways:
By running the interactive configuration tool:
open-appsec-cli
For Production usage you might want to switch from using the Basic to the more accurate Advanced Machine Learning model, as described here:
Last updated