Skip to content

Wallarm Connector for Kong Ingress Controller

To secure APIs managed by Kong Ingress Controller, Wallarm provides a connector that integrates seamlessly into your Kubernetes environment. By deploying the Wallarm filtering node and connecting it to Kong via a custom Lua plugin, incoming traffic is analyzed in real-time, allowing Wallarm to mitigate malicious requests before they reach your services.

The Wallarm connector for Kong Ingress Controller supports only in-line mode:

Kong with Wallarm plugin

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for securing APIs managed by the Kong Ingress Controller running the Kong API Gateway.

Limitations

This setup allows fine-tuning Wallarm only via the Wallarm Console UI. Some Wallarm features that require file-based configuration are not supported in this implementation, such as:

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Kong Ingress Controller deployed and managing your API traffic in Kubernetes cluster

  • Helm v3 package manager

  • Access to https://us1.api.wallarm.com (US Wallarm Cloud) or to https://api.wallarm.com (EU Wallarm Cloud)

  • Access to https://charts.wallarm.com to add the Wallarm Helm chart

  • Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

  • Access to the IP addresses below for downloading updates to attack detection rules, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

    34.96.64.17
34.110.183.149
35.235.66.155
34.102.90.100
34.94.156.115
35.235.115.105

    34.160.38.183
34.144.227.90
34.90.110.226

  • Administrator access to Wallarm Console for US Cloud or EU Cloud

Deployment

To secure APIs managed by Kong Ingress Controller, follow these steps:

  1. Deploy the Wallarm filtering node service in your Kubernetes cluster.

  2. Obtain and deploy the Wallarm Lua plugin to route incoming traffic from the Kong Ingress Controller to the Wallarm filtering node for analysis.

1. Deploy a Wallarm Native Node

To deploy the Wallarm node as a separate service in your Kubernetes cluster, follow the instructions.

2. Obtain and deploy the Wallarm Lua plugin

  1. Contact support@wallarm.com to obtain the Wallarm Lua plugin code for your Kong Ingress Controller.

  2. Create a ConfigMap with the plugin code:

    kubectl apply -f wallarm-kong-lua.yaml -n <KONG_NS>

    <KONG_NS> is the namespace where your Kong Ingress Controller is deployed.

  3. Update your values.yaml file for Kong Ingress Controller to load the Wallarm Lua plugin:

    gateway:
  plugins:
    configMaps:
    - name: kong-lua
      pluginName: kong-lua

  4. Update Kong Ingress Controller:

    helm upgrade --install <KONG_RELEASE_NAME> kong/ingress -n <KONG_NS> --values values.yaml

  5. Activate the Wallarm Lua plugin by creating a KongClusterPlugin resource and specifying the Wallarm node service address:

    echo '
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: kong-lua
  annotations:
    kubernetes.io/ingress.class: kong
config:
  wallarm_node_address: "http://native-processing.wallarm-node.svc.cluster.local:5000"
plugin: kong-lua
' | kubectl apply -f -

    wallarm-node is the namespace where the Wallarm node service is deployed.

  6. Add the following annotations to your Ingress or Gateway API route to enable the plugin for selected services:

    konghq.com/plugins: kong-lua
kubernetes.io/ingress.class: kong

Testing

To test the functionality of the deployed connector, follow these steps:

  1. Verify that the Wallarm pods are up and running:

    kubectl -n wallarm-node get pods

    wallarm-node is the namespace where the Wallarm node service is deployed.

    Each pod status should be STATUS: Running or READY: N/N. For example:

    NAME                                READY   STATUS    RESTARTS   AGE
native-aggregation-5fb5d5444b-6c8n8   3/3     Running   0          51m
native-processing-7c487bbdc6-4j6mz    3/3     Running   0          51m

  2. Retrieve the Kong Gateway IP (which is usually configured as a LoadBalancer service):

    export PROXY_IP=$(kubectl get svc --namespace <KONG_NS> <KONG_RELEASE_NAME>-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

  3. Send the request with the test Path Traversal attack to the balancer:

    curl -H "Host: kong-lua-test.wallarm" $PROXY_IP/etc/passwd

    Since the node operates in the monitoring mode by default, the Wallarm node will not block the attack but will register it.

  4. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    Attacks in the interface

Upgrading the Wallarm Lua plugin

To upgrade the deployed Wallarm Lua plugin to a newer version:

  1. Contact support@wallarm.com to obtain the updated Wallarm Lua plugin code for your Kong Ingress Controller.

  2. Update the ConfigMap with the plugin code:

    kubectl apply -f wallarm-kong-lua.yaml -n <KONG_NS>

    <KONG_NS> is the namespace where your Kong Ingress Controller is deployed.

Plugin upgrades may require a Wallarm node upgrade, especially for major version updates. See the Wallarm Native Node changelog for release updates and upgrade instructions. Regular node updates are recommended to avoid deprecation and simplify future upgrades.