Installation in the Kubernetes cluster
These instructions provide you with the steps to deploy the Wallarm Ingress controller to your K8s cluster using Helm when there are no other non-NGINX Ingress controllers deployed.
Requirements
- Kubernetes platform version 1.21 and lower
- Helm package manager
- Compatibility of your services with the official NGINX Ingress Controller version 0.26.2
- Access to the account with the Administrator role in Wallarm Console for the EU Cloud or US Cloud
- Access to https://api.wallarm.com:444 for working with EU Wallarm Cloud or to https://us1.api.wallarm.com:444 for working with US Wallarm Cloud
- Access to https://charts.wallarm.com to add the Wallarm Helm charts. Ensure the access is not blocked by a firewall
Known restrictions
- Operation without the postanalytics module is not supported.
- Scaling down the postanalytics module may result in a partial loss of attack data.
Installation
- Install the Wallarm Ingress controller.
- Enable traffic analysis for your Ingress.
- Check the Wallarm Ingress controller operation.
Step 1: Installing the Wallarm Ingress Controller
- Go to Wallarm Console → Nodes via the link below:
  - https://my.wallarm.com/nodes for the EU Cloud
  - https://us1.my.wallarm.com/nodes for the US Cloud
- Create a filtering node with the Wallarm node type and copy the generated token.
- Clone the repository of the Wallarm Helm chart:
    git clone https://github.com/wallarm/ingress-chart --branch 2.18.1-8 --single-branch
- Install the Wallarm Ingress controller:
  For the EU Cloud:
    helm install --set controller.wallarm.enabled=true,controller.wallarm.token=<NODE_TOKEN> <INGRESS_CONTROLLER_NAME> ingress-chart/wallarm-ingress -n <KUBERNETES_NAMESPACE>
  For the US Cloud:
    helm install --set controller.wallarm.enabled=true,controller.wallarm.token=<NODE_TOKEN>,controller.wallarm.apiHost=us1.api.wallarm.com <INGRESS_CONTROLLER_NAME> ingress-chart/wallarm-ingress -n <KUBERNETES_NAMESPACE>
  - <NODE_TOKEN> is the Wallarm node token
  - <INGRESS_CONTROLLER_NAME> is the name of the Wallarm Ingress controller
  - <KUBERNETES_NAMESPACE> is the namespace of your Ingress
Step 2: Enabling traffic analysis for your Ingress
    kubectl annotate ingress <YOUR_INGRESS_NAME> nginx.ingress.kubernetes.io/wallarm-mode=monitoring
    kubectl annotate ingress <YOUR_INGRESS_NAME> nginx.ingress.kubernetes.io/wallarm-instance=<INSTANCE>
- <YOUR_INGRESS_NAME> is the name of your Ingress
- <INSTANCE> is a positive number that is unique to each of your applications or application groups. This will allow you to obtain separate statistics and to distinguish between attacks aimed at the corresponding applications
Step 3: Checking the Wallarm Ingress Controller operation
- Get the list of pods specifying the name of the Wallarm Ingress controller in <INGRESS_CONTROLLER_NAME>:
    kubectl get pods -l release=<INGRESS_CONTROLLER_NAME>
  Each pod should display the following: STATUS: Running and READY: N/N. For example:
    NAME                                                              READY   STATUS    RESTARTS   AGE
    ingress-controller-nginx-ingress-controller-675c68d46d-cfck8      3/3     Running   0          5m
    ingress-controller-nginx-ingress-controller-wallarm-tarantljj8g   8/8     Running   0          5m
    ingress-controller-nginx-ingress-default-backend-584ffc6c7xj5xx   1/1     Running   0          5m
- Send the request with test SQLI and XSS attacks to the Wallarm Ingress controller address:
    curl http://<INGRESS_CONTROLLER_IP>/?id='or+1=1--a-<script>prompt(1)</script>'
  If the filtering node is working in the block mode, the code 403 Forbidden will be returned in the response to the request and attacks will be displayed in Wallarm Console → Events.
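The pod check from Step 3 can be scripted so that a deployment job fails when any pod is not Running with READY N/N. The following is an added example, not code from the Wallarm documentation; the function names check_pods, sample_ok and sample_bad are hypothetical, and the failing listing is constructed.

```shell
#!/bin/sh
# Added example (not Wallarm's code): applies the Step 3 criteria,
# STATUS Running and READY N/N, to `kubectl get pods` output.
# check_pods, sample_ok and sample_bad are hypothetical names.

# Reads the pod table on stdin and prints one line per failing pod.
# Returns 0 if every pod passes, 1 if any fails, 2 if no pod rows were read.
check_pods() {
    awk '
        NR == 1 && $1 == "NAME" { next }   # skip the header row
        NF < 3 { next }                    # skip blank or truncated lines
        {
            seen++
            n = split($2, r, "/")          # READY column is "ready/total"
            if ($3 != "Running" || n != 2 || r[1] != r[2] || r[2] + 0 == 0) {
                printf "NOT READY: %s (READY %s, STATUS %s)\n", $1, $2, $3
                bad++
            }
        }
        END {
            if (seen == 0) exit 2
            if (bad > 0) exit 1
        }
    '
}

# The healthy listing shown in Step 3.
sample_ok() {
    cat <<'EOF'
NAME READY STATUS RESTARTS AGE
ingress-controller-nginx-ingress-controller-675c68d46d-cfck8 3/3 Running 0 5m
ingress-controller-nginx-ingress-controller-wallarm-tarantljj8g 8/8 Running 0 5m
ingress-controller-nginx-ingress-default-backend-584ffc6c7xj5xx 1/1 Running 0 5m
EOF
}

# Constructed failure case: one container down, one pod crash-looping.
sample_bad() {
    cat <<'EOF'
NAME READY STATUS RESTARTS AGE
ingress-controller-nginx-ingress-controller-675c68d46d-cfck8 3/3 Running 0 5m
ingress-controller-nginx-ingress-controller-wallarm-tarantljj8g 7/8 Running 2 5m
ingress-controller-nginx-ingress-default-backend-584ffc6c7xj5xx 0/1 CrashLoopBackOff 4 5m
EOF
}

# Demo on the embedded samples. Against a cluster, pipe the Step 3 command:
#   kubectl get pods -l release=<INGRESS_CONTROLLER_NAME> | check_pods
if sample_ok | check_pods; then echo "sample_ok: all pods ready"; fi
sample_bad | check_pods || echo "sample_bad: exit status $?"
```

An exit status of 2 means the label selector matched no pods, which usually points to a wrong <INGRESS_CONTROLLER_NAME> or namespace rather than a healthy deployment.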
Configuration
After the Wallarm Ingress controller is successfully installed and checked, you can make advanced configurations to the solution such as:
To find parameters used for advanced configuration and appropriate instructions, please follow the link.