Install Using Interactive CLI Tool (Ingress NGINX)

The fastest and easiest way to deploy and configure open-appsec is using an interactive CLI tool which will guide you through the most commonly required customizations.

You can try out the Playground - a fully operational K8S lab where you can learn to deploy open-appsec using the interactive CLI tool

Prerequisites

  • Kubernetes 1.16.0+ cluster with RBAC enabled with Cluster admin permissions

  • Helm 3 Package Manager installed on your local machine

  • The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

  • You have understanding of Kubernetes Ingress and either have a deployed Ingress or know how to configure one.

For more details about Kubernetes Ingress see Kubernetes documentation here.

Installation

Download and run the installer (Linux-only, macOS soon) using these commands:

wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
./open-appsec-k8s-install

The interactive installer has 3 steps:

Step 1: Ingress

The installer will present the available Kubernetes ingresses in the cluster and suggest two options:

1) Duplicate an existing Ingress and add open-appsec to it. This option allows you to test that all services are properly accessible via the new ingress, while the existing ingress is up and running and without worrying about traffic disruption.

2) Add open-appsec to an existing Ingress resource. This is a good approach for a lab, staging or non-critical production environment.

Choose the option that you prefer and press Enter. You will then be asked to select the ingress you wish to duplicate or add-to.

Note: In the current implementation the installer will only show existing ingress resources where the ingress class name starts with "nginx". If your ingress resource's name does not match this requirement you can either rename it or install using helm (without the tool): Install using Helm.

In both cases we will automatically add the required annotation linking the open-appsec policy to the ingress resource and we will also change the ingress class specification for the ingress (either to the copy or to the existing Ingress resource depending on your choice above) to point to the new NGINX Ingress Controller with open-appsec integration.

Step 2: Policy

The installer will display the default policy and allow you to change it if you wish. When saving you will be asked whether to save the settings as a manifest (YAML) or Helm chart

The default-best-practice-policy will:

  • Inspect all traffic to all ingress rules (paths) / routes and learn it

  • Detect suspicious requests in confidence high or critical.

  • If set to prevent-learn, send an HTTP Error Code 403 Forbidden to the client that sent the bad request

  • Log to stdout (so you can use fluentd/fluentbit) to send logs to ELK or other collector.

Step 3: Apply Configuration

The installation tool will list commands to run in order to complete the installation and apply the configuration. The configuration resides in three files:

  • open-appsec helm chart for NGINX Ingress Controller or Kong (CRDs and other necessary files)

  • ingress.yaml - manifest created by the installer per your selections in Step 1

  • open-appsec-policy.yaml - manifest created by the installer per your selections in Step 2

You can run the commands now or later. If you run them, congratulations - open-appsec is installed and working!

Post-Install

Point your DNS to the Duplicated Ingress (skip if you chose existing Ingress in Step 1 above)

After testing that your services are reachable, you can point your DNS to the new ingress.

In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.

You can identify the IP address of the new ingress by running:

kubectl get ing -A

Configuration Changes

You can conduct policy changes, define exception and other advanced configuration in one of three ways:

For Production usage you might want to switch from using the Basic to the more accurate Advanced Machine Learning model, as described here:

Using the Advanced Machine Learning Model

Last updated