Comment on page
Install using interactive CLI Tool (Ingress NGINX)
The fastest and easiest way to deploy and configure open-appsec is using an interactive CLI tool which will guide you through the most commonly required customizations.
wgetcommand-line tools installed on your bastion or platform that you use to access the Kubernetes cluster
- You have understanding of Kubernetes Ingress and either have a deployed Ingress or know how to configure one.
Download and run the installer (Linux-only, macOS soon) using these commands:
wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
The interactive installer has 3 steps:
Step 1: Ingress
The installer will present the available Kubernetes ingresses in the cluster and suggest two options:
1) Duplicate an existing Ingress and add open-appsec to it. This option allows you to test that all services are properly accessible via the new ingress, while the existing ingress is up and running and without worrying about traffic disruption.
2) Add open-appsec to an existing Ingress resource. This is a good approach for a lab, staging or non-critical production environment.
Choose the option that you prefer and press Enter. You will then be asked to select the ingress you wish to duplicate or add-to.
Note: In the current implementation the installer will only show existing ingress resources where the ingress class name starts with "nginx". If your ingress resource's name does not match this requirement you can either rename it or install using helm (without the tool): Install using Helm.
NGINX Ingress Controller
In both cases we will automatically add the required annotation linking the open-appsec policy to the ingress resource and we will also change the ingress class specification for the ingress (either to the copy or to the existing Ingress resource depending on your choice above) to point to the new NGINX Ingress Controller with open-appsec integration.
Step 2: Policy
The installer will display the default policy and allow you to change it if you wish. When saving you will be asked whether to save the settings as a manifest (YAML) or Helm chart
The default-best-practice-policy will:
- Inspect all traffic to all ingress rules (paths) / routes and learn it
- Detect suspicious requests in confidence high or critical.
- If set to prevent-learn, send an HTTP Error Code 403 Forbidden to the client that sent the bad request
- Log to stdout (so you can use fluentd/fluentbit) to send logs to ELK or other collector.
Step 3: Apply Configuration
The installation tool will list commands to run in order to complete the installation and apply the configuration. The configuration resides in three files:
- open-appsec helm chart for NGINX Ingress Controller or Kong (CRDs and other necessary files)
- ingress.yaml - manifest created by the installer per your selections in Step 1
- open-appsec-policy.yaml - manifest created by the installer per your selections in Step 2
You can run the commands now or later. If you run them, congratulations - open-appsec is installed and working!
NGINX Ingress Controller
After testing that your services are reachable, you can point your DNS to the new ingress.
In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.
You can identify the IP address of the new ingress by running:
kubectl get ing -A
You can conduct policy changes, define exception and other advanced configuration in one of three ways: