Skip to content

Kubernetes deployment based on manifests

Prerequisites

  • Local or cloud (EKS, GKE, AKE, etc) cluster running any version of Kubernetes

  • Application defined in plain Kubernetes manifest files

  • Pod exposed to the public Internet or other potential sources of malicious web and API attacks

  • Kubernetes Ingress controller or external load balancer (like AWS ELB or ALB) to add the HTTP request header X-Forwarded-For, which contains the real public IP address of the connecting client

  • Wallarm account in the EU Cloud or US Cloud

  • Username and password of the user with the Deploy role added to your company's Wallarm account. To add a new user, please follow these instructions

Installation

  1. Create Wallarm ConfigMap.

  2. Update the definition of the Deployment object in Kubernetes.

  3. Update the definition of the Service object in Kubernetes.

  4. Deploy the manifest to the Kubernetes cluster.

  5. Test the Wallarm sidecar container.

If you deploy several Wallarm nodes

All Wallarm nodes deployed to your environment must be of the same versions. The postanalytics modules installed on separated servers must be of the same versions too.

Before installation of the additional node, please ensure its version matches the version of already deployed modules. If the deployed module version is deprecated or will be deprecated soon (3.2 or lower), upgrade all modules to the latest version.

The version of deployed Wallarm filtering node image is specified in the Deployment template → spec.template.spec.containers section → image of the Wallarm container.

Step 1: Creating Wallarm ConfigMap

  1. Create a new manifest file or add a new object to the existing manifest for a new Kubernetes ConfigMap object that will hold the NGINX configuration file for the Wallarm sidecar container:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: wallarm-sidecar-nginx-conf
    data:
      default: |
          server {
              listen 80 default_server;
              listen [::]:80 default_server ipv6only=on;
              server_name localhost;
              root /usr/share/nginx/html;
              index index.html index.htm;
              # Please replace <WALLARM_MODE> below by the request filtration mode: 
              # off to disable request processing
              # monitoring to process but not block requests
              # safe_blocking to block only those malicious requests originated from greylisted IPs
              # block to process all requests and block the malicious ones
              wallarm_mode <WALLARM_MODE>;
              # wallarm_application 1;
              set_real_ip_from 0.0.0.0/0;
              real_ip_header X-Forwarded-For;
              location / {
                      # Please replace <APP_CONTAINER_PORT> below by the port number
                      # on which the container accepts incoming requests,
                      # the value must be identical to ports.containerPort
                      # in definition of your main app container
                      proxy_pass http://localhost:<APP_CONTAINER_PORT>;
                      include proxy_params;
              }
          }
    
  2. Update parameter values following the code comments.

Step 2: Updating the Deployment object in Kubernetes

  1. Go to the Kubernetes manifests and open the template that defines the Deployment object for the application. A complex application can have several Deployment objects for different components of the application - please find an object which defines pods which are actually exposed to the Internet. For example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: myapp
    spec:
      selector:
        matchLabels:
          app: myapp
      template:
        metadata:
          labels:
            app: myapp
        spec:
          containers: 
          # Definition of your main app container
          - name: myapp 
            image: <Image>
            resources:
              limits:
                memory: "128Mi"
                cpu: "500m"
            ports:
            # Port on which the application container accepts incoming requests
            - containerPort: 8080 
    
  2. Copy the following elements to the template:

    • The wallarm sidecar container definition to the spec.template.spec.containers section
    • The wallarm-nginx-conf volume definition to the spec.template.spec.volumes section

    An example of the template with added elements is provided below. Elements for copying are indicated by the Wallarm element comment.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: myapp
    spec:
      selector:
        matchLabels:
          app: myapp
      template:
        metadata:
          labels:
            app: myapp
        spec:
          containers:
            # Wallarm element: definition of Wallarm sidecar container
            - name: wallarm
              image: wallarm/node:3.6.2-1
              imagePullPolicy: Always
              env:
              # Wallarm API endpoint: 
              # "api.wallarm.com" for the EU Cloud
              # "us1.api.wallarm.com" for the US Cloud
              - name: WALLARM_API_HOST
                value: "api.wallarm.com"
              # Username of the user with the Deploy role
              - name: DEPLOY_USER
                value: "username"
              # Password of the user with the Deploy role
              - name: DEPLOY_PASSWORD
                value: "password"
              - name: DEPLOY_FORCE
                value: "true"
              # Amount of memory in GB for request analytics data, 
              # recommended value is 75% of the total server memory
              - name: TARANTOOL_MEMORY_GB
                value: "2"
              ports:
              - name: http
                # Port on which the Wallarm sidecar container accepts requests 
                # from the Service object
                containerPort: 80
              volumeMounts: 
              - mountPath: /etc/nginx/sites-enabled 
                readOnly: true  
                name: wallarm-nginx-conf
            # Definition of your main app container
            - name: myapp
              image: <Image>
              resources:
                limits:
                  memory: "128Mi"
                  cpu: "500m"
              ports:
              # Port on which the application container accepts incoming requests
              - containerPort: 8080
          volumes:
          # Wallarm element: definition of the wallarm-nginx-conf volume
          - name: wallarm-nginx-conf
            configMap:
              name: wallarm-sidecar-nginx-conf
              items:
                - key: default
                  path: default
    
  3. Update parameter values following the code comments.

Step 3: Updating the Service object in Kubernetes

  1. Return to the Kubernetes manifests and open the template that defines the Service object that points to Deployment modified in the previous step. For example:

    apiVersion: v1
    kind: Service
    metadata:
      name: myapp
      labels:
        run: myapp
    spec:
      type: NodePort
      ports:
      - port: 80
        targetPort: 8080
        protocol: TCP
        name: http
      selector:
        run: myapp
    
  2. Change the ports.targetPort value to point to the Wallarm sidecar container port (ports.containerPort defined in the Wallarm sidecar container). For example:

    ...
      ports:
      - port: 80
        targetPort: 80
        protocol: TCP
        name: http
      selector:
        run: myapp
    

Step 4: Deploying the manifest to the Kubernetes cluster

Update or deploy the new application manifest in the Kubernetes cluster.

NetworkPolicy object in Kubernetes

If the application also uses the NetworkPolicy object it should be updated to reflect the Wallarm sidecar container port specified above.

Step 5: Testing the Wallarm sidecar container

  1. Get the list of pods using the following command:

    kubectl get pods
    

    The number of containers in the pod should increase, and the status of the pod should be Running.

    NAME                       READY   STATUS    RESTARTS   AGE
    mychart-856f957bbd-cr4kt   2/2     Running   0          3m48s
    
  2. Go to Wallarm Console → Nodes via the link below and make sure that a new node is displayed. This created node is used to filter requests to your application.

  3. Send a test malicious request to the application as described in these instructions.

  4. Go to Wallarm Console → Events via the link below and make sure that an attack is displayed in the list:

Back to top