open-appsec
WebsiteManagement PortalPlaygroundGitHub
  • open-appsec Documentation
  • What is open-appsec?
  • open-appsec Video Tutorials
  • Release Notes
  • Getting started
    • Getting Started
    • Start With Kubernetes
      • Install Using Interactive CLI Tool (Ingress NGINX)
      • Configuration Using Interactive CLI Tool
      • Install Using Helm
      • Install Using Helm - new flow (beta)
      • Configuration Using CRDs
      • Configuration Using CRDs - v1beta2
      • Configuration using CRDs - special options for Large Scale Deployments
        • Using appsec class for assigning separate custom resources to specific deployments
        • Using namespace-scoped custom resources
      • Monitor Events
    • Start With Linux
      • Install open-appsec for Linux
      • Using the open-appsec-ctl Tool
      • Configuration Using Local Policy File (Linux)
      • Local Policy File (Advanced)
      • Local Policy File v1beta2 (beta)
      • Monitor Events
    • Start with Docker
      • Install With Docker (Centrally Managed)
      • Install With Docker (Locally Managed)
      • Deploy With Docker-Compose (Beta)
      • Configuration Using Local Policy File (Docker)
      • Local Policy File (Advanced)
    • Using the Web UI (SaaS)
      • Sign-Up and Login to Portal
      • Agents Deployment
      • Connect Deployed Agents to SaaS Management Using Tool (K8s & Linux)
      • Connect Deployed Agents to SaaS Management Using Helm (K8s)
      • Connect Deployed Agents to SaaS Management (Docker)
      • Create a Profile
      • Protect Additional Assets
      • Monitor Events
    • Using the Advanced Machine Learning Model
  • Concepts
    • Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • SETUP INSTRUCTIONS
    • Setup Web Application Settings
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • Additional Security Engines
    • Anti-Bot
    • API Schema Enforcement
    • Data Loss Prevention (DLP) Rules
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
  • Snort Rules
    • Import Snort Rules
    • Write Snort Signatures
  • HOW TO
    • Configuration and Learning
      • Track Learning and Move From Learn/Detect to Prevent
      • Configure Contextual Machine Learning for Best Accuracy
      • Track Learning and Local Tuning in Standalone Deployments
      • Move From Detect to Prevent in K8s With Many Ingress Rules
  • Deployment and Upgrade
    • Load the Attachment in Proxy Configuration
    • Upgrade Your Reverse Proxy/API Gateway When an Agent is Installed
    • Integration in GitOps CD (K8s)
    • Build open-appsec Based on Source Code
  • Management Web UI
    • Track Agent Status
    • Delete or Reset Management Tenant (SaaS)
    • Disconnect an open-appsec agent from Central Management
  • Integrations
    • About Integrations With 3rd Party Solutions
    • CrowdSec
      • CrowdSec Bouncer Support
      • CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario
    • NGINX Proxy Manager
      • Install NGINX Proxy Manager with open-appsec managed from NPM WebUI
      • Install NGINX Proxy Manager with open-appsec managed from central WebUI (SaaS)
      • Frequently Asked Questions
      • How to Migrate from an Existing NGINX Proxy Manager Deployment and Keep Configuration
    • NPMplus
    • Docker SWAG
      • Install Docker SWAG with open-appsec (locally managed)
      • How to connect locally managed Docker SWAG with open-appsec to WebUI
      • Install Docker SWAG with open-appsec (centrally managed)
      • Deploy Docker SWAG with docker-compose (beta)
      • Frequently Asked Questions
  • Troubleshooting
    • Troubleshooting
    • Troubleshooting Guides
      • Configuration contains ingress/asset with URL which already has asset attached to it in your tenant
      • HTTP Request to Port 80 Not Returning as Expected
      • Agent Fails to Recognize HTTP Transactions with NGINX
      • Agent Not Recognizing Initial HTTP Requests
      • Handling Large Requests (413 Responses)
      • open-appsec on Docker HTTP Transaction Handler Is Set To Ready
      • Traffic Recognition Issue on Single-Core Machine/Connection Timed Out
      • Installing open-appsec on CentOS 7
      • SELinux: checking status and disabling
      • Deploy open-appsec directly on the web server hosting the application to protect
      • object is locked or remote, and therefore cannot be modified
      • Failed to Register to Fog
  • references
    • Agent CLI
    • Event Query Language
    • Events/Logs Schema
    • WAF Comparison Project
Powered by GitBook
On this page
  • Prerequisites
  • Installation
  • Post-Install
  • Configuration Changes

Was this helpful?

  1. Getting started
  2. Start With Kubernetes

Install Using Interactive CLI Tool (Ingress NGINX)

PreviousStart With KubernetesNextConfiguration Using Interactive CLI Tool

Last updated 1 month ago

Was this helpful?

The fastest and easiest way to deploy and configure open-appsec is using an interactive CLI tool which will guide you through the most commonly required customizations.

You can try out the - a fully operational K8S lab where you can learn to deploy open-appsec using the interactive CLI tool

Prerequisites

  • Kubernetes 1.16.0+ cluster with enabled with Cluster admin permissions

  • installed on your local machine

  • The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

  • You have understanding of Kubernetes Ingress and either have a deployed Ingress or know how to configure one.

For more details about Kubernetes Ingress see Kubernetes documentation .

Installation

Download and run the installer (Linux-only, macOS soon) using these commands:

wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
./open-appsec-k8s-install

The interactive installer has 3 steps:

Step 1: Ingress

The installer will present the available Kubernetes ingresses in the cluster and suggest two options:

1) Duplicate an existing Ingress and add open-appsec to it. This option allows you to test that all services are properly accessible via the new ingress, while the existing ingress is up and running and without worrying about traffic disruption.

2) Add open-appsec to an existing Ingress resource. This is a good approach for a lab, staging or non-critical production environment.

Choose the option that you prefer and press Enter. You will then be asked to select the ingress you wish to duplicate or add-to.

In both cases we will automatically add the required annotation linking the open-appsec policy to the ingress resource and we will also change the ingress class specification for the ingress (either to the copy or to the existing Ingress resource depending on your choice above) to point to the new NGINX Ingress Controller with open-appsec integration.

Step 2: Policy

The installer will display the default policy and allow you to change it if you wish. When saving you will be asked whether to save the settings as a manifest (YAML) or Helm chart

The default-best-practice-policy will:

  • Inspect all traffic to all ingress rules (paths) / routes and learn it

  • Detect suspicious requests in confidence high or critical.

  • If set to prevent-learn, send an HTTP Error Code 403 Forbidden to the client that sent the bad request

  • Log to stdout (so you can use fluentd/fluentbit) to send logs to ELK or other collector.

Step 3: Apply Configuration

The installation tool will list commands to run in order to complete the installation and apply the configuration. The configuration resides in three files:

  • open-appsec helm chart for NGINX Ingress Controller or Kong (CRDs and other necessary files)

  • ingress.yaml - manifest created by the installer per your selections in Step 1

  • open-appsec-policy.yaml - manifest created by the installer per your selections in Step 2

You can run the commands now or later. If you run them, congratulations - open-appsec is installed and working!

Post-Install

Point your DNS to the Duplicated Ingress (skip if you chose existing Ingress in Step 1 above)

After testing that your services are reachable, you can point your DNS to the new ingress.

In case of a problem, at any time, you can either switch open-appsec off while running the same ingress code, or change your DNS back.

You can identify the IP address of the new ingress by running:

kubectl get ing -A

Configuration Changes

You can conduct policy changes, define exception and other advanced configuration in one of three ways:

  • By running the interactive configuration tool: open-appsec-cli

For Production usage you might want to switch from using the Basic to the more accurate Advanced Machine Learning model, as described here:

Using the Advanced Machine Learning Model

Note: In the current implementation the installer will only show existing ingress resources where the ingress class name starts with "nginx". If your ingress resource's name does not match this requirement you can either rename it or install using helm (without the tool): .

The CLI tool will create a v1beta1 policy, if you are interested in using v1btea2 please use Helm to deploy open-appsec, find the full instructions .

Install using Helm
here
By using open-appsec K8S custom resources
Using the WebUI
Playground
RBAC
Helm 3 Package Manager
here