Wallarm Connector for Kong Ingress Controller

To secure APIs managed by Kong Ingress Controller, Wallarm provides a connector that integrates into your Kubernetes environment. By deploying the Wallarm filtering node and connecting it to Kong via a custom Lua plugin, incoming traffic is analyzed in real time, allowing Wallarm to mitigate malicious requests before they reach your services.

The Wallarm connector for Kong Ingress Controller supports only in-line mode:

[Diagram: Kong with Wallarm plugin]

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for securing APIs managed by the Kong Ingress Controller running the Kong API Gateway.

Limitations

This setup allows fine-tuning Wallarm only via the Wallarm Console UI. Some Wallarm features that require file-based configuration are not supported in this implementation, such as:

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Kong Ingress Controller deployed and managing your API traffic in a Kubernetes cluster

  • Helm v3 package manager

  • Access to https://us1.api.wallarm.com (US Wallarm Cloud) or to https://api.wallarm.com (EU Wallarm Cloud)

  • Access to https://charts.wallarm.com to add the Wallarm Helm chart

  • Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

  • Access to the IP addresses below for downloading updates to attack detection rules, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

    34.96.64.17
    34.110.183.149
    35.235.66.155
    
    34.160.38.183
    34.144.227.90
    34.90.110.226
    
  • Administrator access to Wallarm Console for US Cloud or EU Cloud

Deployment

To secure APIs managed by Kong Ingress Controller, follow these steps:

  1. Deploy the Wallarm filtering node service in your Kubernetes cluster.

  2. Obtain and deploy the Wallarm Lua plugin to route incoming traffic from the Kong Ingress Controller to the Wallarm filtering node for analysis.

Step 1: Deploy a Wallarm node

Deploy the Wallarm node as a separate service in your Kubernetes cluster using Helm.

The node operates in blocking mode by default, meaning malicious requests will be blocked, and a 403 response will be returned. You can change this mode in the Wallarm Console UI.

  1. Generate an API token to connect the Wallarm node to the Wallarm Cloud:

    1. Open Wallarm Console → Settings → API tokens in the US Cloud or EU Cloud.
    2. Find or create an API token with the Deploy source role.
    3. Copy this token.
  2. Add the Wallarm chart repository:

    helm repo add wallarm https://charts.wallarm.com
    helm repo update wallarm
    
  3. Deploy the Wallarm filtering node service:

    For the US Cloud:

    helm upgrade --install --version 0.5.3 <WALLARM_RELEASE_NAME> wallarm/wallarm-node-next \
      -n wallarm-node --create-namespace \
      --set config.api.token=<WALLARM_API_TOKEN> \
      --set config.api.host=us1.api.wallarm.com \
      --set config.connector.http_inspector.real_ip_header=X-Real-IP

    For the EU Cloud:

    helm upgrade --install --version 0.5.3 <WALLARM_RELEASE_NAME> wallarm/wallarm-node-next \
      -n wallarm-node --create-namespace \
      --set config.api.token=<WALLARM_API_TOKEN> \
      --set config.api.host=api.wallarm.com \
      --set config.connector.http_inspector.real_ip_header=X-Real-IP

    config.connector.http_inspector.real_ip_header specifies the header from which the node reads the client's real IP address when traffic passes through proxies or load balancers.

Step 2: Obtain and deploy the Wallarm Lua plugin

  1. Contact support@wallarm.com to obtain the Wallarm Lua plugin code for your Kong Ingress Controller.

  2. Create a ConfigMap with the plugin code:

    kubectl apply -f wallarm-kong-lua.yaml -n <KONG_NS>
    

    <KONG_NS> is the namespace where your Kong Ingress Controller is deployed.

  3. Update your values.yaml file for Kong Ingress Controller to load the Wallarm Lua plugin:

    gateway:
      plugins:
        configMaps:
        - name: kong-lua
          pluginName: kong-lua
    
  4. Update Kong Ingress Controller:

    helm upgrade --install <KONG_RELEASE_NAME> kong/ingress -n <KONG_NS> --values values.yaml
    
  5. Activate the Wallarm Lua plugin by creating a KongClusterPlugin resource and specifying the Wallarm node service address:

    echo '
    apiVersion: configuration.konghq.com/v1
    kind: KongClusterPlugin
    metadata:
      name: kong-lua
      annotations:
        kubernetes.io/ingress.class: kong
    config:
      wallarm_node_address: "http://next-processing.wallarm-node.svc.cluster.local:5000"
    plugin: kong-lua
    ' | kubectl apply -f -
    

    wallarm-node is the namespace where the Wallarm node service is deployed.

  6. Add the following annotations to your Ingress or Gateway API route to enable the plugin for selected services:

    konghq.com/plugins: kong-lua
    kubernetes.io/ingress.class: kong
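
Because step 6 enables the plugin only on routes that carry the annotation, a Kong-served Ingress without it is not routed through the Wallarm node. The following audit is an added example, not Wallarm or Kong code: it reads the output of kubectl get ingress -A -o json and lists Kong-class Ingresses whose konghq.com/plugins annotation does not include kong-lua. The sample input is constructed, and the check assumes the plugin is attached through Ingress annotations only (Gateway API routes and Service-level annotations are not inspected).

```python
import json
import sys

PLUGIN = "kong-lua"      # KongClusterPlugin name used on this page
INGRESS_CLASS = "kong"   # ingress class used on this page

# Constructed sample of `kubectl get ingress -A -o json` output (not real data).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "orders", "namespace": "shop", "annotations": {
        "kubernetes.io/ingress.class": "kong",
        "konghq.com/plugins": "rate-limit, kong-lua"}}, "spec": {}},
    {"metadata": {"name": "payments", "namespace": "shop", "annotations": {
        "konghq.com/plugins": "rate-limit"}},
     "spec": {"ingressClassName": "kong"}},
    {"metadata": {"name": "legacy", "namespace": "ops", "annotations": {
        "kubernetes.io/ingress.class": "kong"}}, "spec": {}},
    {"metadata": {"name": "internal", "namespace": "ops", "annotations": {
        "kubernetes.io/ingress.class": "nginx"}}, "spec": {}},
]})


def served_by_kong(ing):
    """True if the Ingress selects the kong class by annotation or spec field."""
    ann = ing["metadata"].get("annotations") or {}
    spec = ing.get("spec") or {}
    return (ann.get("kubernetes.io/ingress.class") == INGRESS_CLASS
            or spec.get("ingressClassName") == INGRESS_CLASS)


def has_plugin(ing):
    """konghq.com/plugins holds a comma-separated list of plugin names."""
    ann = ing["metadata"].get("annotations") or {}
    names = [n.strip() for n in ann.get("konghq.com/plugins", "").split(",")]
    return PLUGIN in names


def unprotected(ingress_list_json):
    """Return namespace/name of Kong-served Ingresses missing the plugin."""
    items = json.loads(ingress_list_json).get("items", [])
    return sorted(f'{i["metadata"]["namespace"]}/{i["metadata"]["name"]}'
                  for i in items if served_by_kong(i) and not has_plugin(i))


if __name__ == "__main__":
    # Pipe real kubectl output on stdin; falls back to the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for name in unprotected(raw if raw.strip() else SAMPLE):
        print("no Wallarm plugin:", name)
```

A listed Ingress is a prompt for review rather than proof of a gap, since the plugin may be attached elsewhere.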
    

Testing

To test the functionality of the deployed connector, follow these steps:

  1. Verify that the Wallarm pods are up and running:

    kubectl -n wallarm-node get pods
    

    wallarm-node is the namespace where the Wallarm node service is deployed.

    Each pod status should be STATUS: Running or READY: N/N. For example:

    NAME                                READY   STATUS    RESTARTS   AGE
    next-aggregation-5fb5d5444b-6c8n8   3/3     Running   0          51m
    next-processing-7c487bbdc6-4j6mz    3/3     Running   0          51m
    
  2. Retrieve the Kong Gateway IP (which is usually configured as a LoadBalancer service):

    export PROXY_IP=$(kubectl get svc --namespace <KONG_NS> <KONG_RELEASE_NAME>-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    
  3. Send a request with a test Path Traversal attack to the load balancer:

    curl -H "Host: kong-lua-test.wallarm" $PROXY_IP/etc/passwd
    

    The expected response is the following since the node operates in blocking mode by default:

    {"error": {"code": 403, "message": "request blocked"}}
    
  4. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    [Screenshot: Attacks in the interface]

You can change the filtration mode via the Wallarm Console UI if needed.