Installing NGINX Ingress Controller with integrated Wallarm services¶

These instructions provide you with the steps to deploy the Wallarm NGINX-based Ingress controller to your K8s cluster. The solution involves the default functionality of Community Ingress NGINX Controller with integrated Wallarm services.

The solution is deployed from the Wallarm Helm chart.

Use cases¶

Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:

• There is no Ingress controller and security layer routing traffic to Ingress resources compatible with Community Ingress NGINX Controller.

• You are using Community Ingress NGINX Controller and looking for a security solution compatible with your technology stack.

  You can seamlessly replace the deployed NGINX Ingress Controller with the one these instructions describe by only moving your configuration to a new deployment.

Requirements¶

• Kubernetes platform version 1.24-1.26

• Helm package manager

• Compatibility of your services with the Community Ingress NGINX Controller version 1.7.1

• Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud

• Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud

• Access to https://charts.wallarm.com to add the Wallarm Helm charts. Ensure the access is not blocked by a firewall

• Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm. Make sure the access is not blocked by a firewall

• Access to GCP storage addresses to download an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers

Known restrictions¶

• Operation without the postanalytics module is not supported.

• Scaling down postanalytics module may result in a partial loss of attack data.

Installation¶

1. Install the Wallarm Ingress controller.

2. Enable traffic analysis for your Ingress.

3. Check the Wallarm Ingress controller operation.

Step 1: Installing the Wallarm Ingress Controller¶

1. Go to Wallarm Console → Nodes via the link below:

   • https://us1.my.wallarm.com/nodes for the US Cloud
   • https://my.wallarm.com/nodes for the EU Cloud

2. Create a filtering node with the Wallarm node type and copy the generated token.

   

3. Create a Kubernetes namespace to deploy the Helm chart with the Wallarm Ingress controller:

   kubectl create namespace <KUBERNETES_NAMESPACE>
   

4. Add the Wallarm chart repository:
   

   helm repo add wallarm https://charts.wallarm.com
   

5. Create the values.yaml file with the Wallarm configuration.

   Example of the file with the minimum configuration:

   US CloudEU Cloud

   controller:
     wallarm:
       enabled: "true"
       token: "<NODE_TOKEN>"
       apiHost: "us1.api.wallarm.com"
   

   controller:
     wallarm:
       enabled: "true"
       token: "<NODE_TOKEN>"
   

   Starting from Helm chart version 4.4.1, you can also store the Wallarm node token in Kubernetes secrets and pull it to the Helm chart. Read more

   Using one token for several installations

   You can use one token in several installations regardless of the selected platform. It allows logical grouping of node instances in the Wallarm Console UI. Example: you deploy several Wallarm nodes to a development environment, each node is on its own machine owned by a certain developer.

6. Install the Wallarm packages:

   helm install --version 4.6.3 <RELEASE_NAME> wallarm/wallarm-ingress -n <KUBERNETES_NAMESPACE> -f <PATH_TO_VALUES>
   

   • <RELEASE_NAME> is the name for the Helm release of the Ingress controller chart
   • <KUBERNETES_NAMESPACE> is the Kubernetes namespace you have created for the Helm chart with the Wallarm Ingress controller
   • <PATH_TO_VALUES> is the path to the values.yaml file

Step 2: Enabling traffic analysis for your Ingress¶

kubectl annotate ingress <YOUR_INGRESS_NAME> -n <YOUR_INGRESS_NAMESPACE> nginx.ingress.kubernetes.io/wallarm-mode=monitoring
kubectl annotate ingress <YOUR_INGRESS_NAME> -n <YOUR_INGRESS_NAMESPACE> nginx.ingress.kubernetes.io/wallarm-application=<APPLICATION>

• <YOUR_INGRESS_NAME> is the name of your Ingress

• <YOUR_INGRESS_NAMESPACE> is the namespace of your Ingress

• <APPLICATION> is a positive number that is unique to each of your applications or application groups. This will allow you to obtain separate statistics and to distinguish between attacks aimed at the corresponding applications

Step 3: Checking the Wallarm Ingress Controller operation¶

1. Get the list of pods:
   

   kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=wallarm-ingress
   

   Each pod should display the following: STATUS: Running and READY: N/N. For example:

   NAME                                                              READY     STATUS    RESTARTS   AGE
   ingress-controller-nginx-ingress-controller-675c68d46d-cfck8      4/4       Running   0          5m
   ingress-controller-nginx-ingress-controller-wallarm-tarantljj8g   4/4       Running   0          5m
   

2. Send the request with the test Path Traversal attack to the Ingress Controller Service:

   curl http://<INGRESS_CONTROLLER_IP>/etc/passwd
   

   If the filtering node is working in the block mode, the code 403 Forbidden will be returned in the response to the request and the attack will be displayed in Wallarm Console → Events.

Configuration¶

After the Wallarm Ingress controller is successfully installed and checked, you can make advanced configurations to the solution such as:

• Proper reporting of end user public IP address

• Management of IP addresses blocking

• High availability considerations

• Ingress Controller monitoring

To find parameters used for advanced configuration and appropriate instructions, please follow the link.