Skip to content

Deploying Kong Ingress Controller with Integrated Wallarm Services

To secure APIs managed by Kong API Gateway, you can deploy the Kong Ingress controller with integrated Wallarm services in a Kubernetes cluster. The solution involves the default Kong API Gateway functionality with the layer of real-time malicious traffic mitigation.

The solution is deployed from the Wallarm Helm chart.

The key features of the Kong Ingress Controller with integrated Wallarm services:

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:

  • There is no Ingress controller and security layer routing traffic to Ingress resources managed by Kong.

  • You are using the Open-Source official Kong Ingress controller and looking for a security solution compatible with your technology stack.

    You can seamlessly replace the deployed Kong Ingress Controller with the one these instructions describe by only moving your configuration to a new deployment.

Solution architecture

The solution has the following architecture:

Solution architecture

The solution is based on the official Kong Ingress Controller, its architecture is described in the official Kong documentation.

Kong Ingress Controller with integrated Wallarm services is arranged by the following Deployment objects:

  • Ingress controller (wallarm-ingress-kong) that injects the Kong API Gateway and Wallarm resources into the K8s cluster configuring it based on the Helm chart values and connecting the node components to the Wallarm Cloud.

  • Postanalytics module (wallarm-ingress-kong-wallarm-tarantool) is the local data analytics backend for the solution. The module uses the in-memory storage Tarantool and the set of some helper containers (like the collectd, attack export services).

Limitations

The following Wallarm features unavailable:

Requirements

  • Kubernetes platform version 1.22-1.26

  • K8s Ingress resources that configure Kong to route API calls to the microservices you want to protect

  • Compatibility of K8s Ingress resources with Kong 3.1.x

  • Helm v3 package manager

  • Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud

  • Access to https://charts.wallarm.com to add the Wallarm Helm charts

  • Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

  • Access to the IP addresses below for downloading updates to attack detection rules, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

    34.96.64.17
    34.110.183.149
    35.235.66.155
    34.102.90.100
    34.94.156.115
    35.235.115.105
    
    34.160.38.183
    34.144.227.90
    34.90.110.226
    
  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud

Deployment

To deploy Kong Ingress Controller with integrated Wallarm services:

  1. Create the Wallarm node.

  2. Deploy the Wallarm Helm chart with the Kong Ingress Controller and Wallarm services.

  3. Enable traffic analysis for your Ingress.

  4. Test Kong Ingress Controller with integrated Wallarm services.

Step 1: Create the Wallarm node

  1. Open Wallarm Console → Nodes via the link below:

  2. Create a filtering node with the Wallarm node type and copy the generated token.

    Creation of a Wallarm node

Step 2: Deploy the Wallarm Helm chart

  1. Add the Wallarm chart repository:

    helm repo add wallarm https://charts.wallarm.com
    helm repo update wallarm
    

  2. Create the values.yaml file with the solution configuration.

    Example of the file with the minimum configuration to run the Open-Source Kong Ingress controller with integrated Wallarm services:

    wallarm:
      token: "<NODE_TOKEN>"
      apiHost: us1.api.wallarm.com
    
    image:
      repository: wallarm/kong
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: wallarm/kong-kubernetes-ingress-controller
    
    wallarm:
      token: "<NODE_TOKEN>"
    
    image:
      repository: wallarm/kong
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: wallarm/kong-kubernetes-ingress-controller
    

    <NODE_TOKEN> is the Wallarm node token you copied from the Wallarm Console UI

    Using one token for several installations

    You can use one token in several installations regardless of the selected platform. It allows logical grouping of node instances in the Wallarm Console UI. Example: you deploy several Wallarm nodes to a development environment, each node is on its own machine owned by a certain developer.

  3. Deploy the Wallarm Helm chart:

    helm install --version 4.6.3 <RELEASE_NAME> wallarm/kong -n <KUBERNETES_NAMESPACE> -f <PATH_TO_VALUES>
    
    • <RELEASE_NAME> is the name for the Helm release of the Kong Ingress Controller chart
    • <KUBERNETES_NAMESPACE> is the new namespace to deploy the Helm release with the Kong Ingress Controller chart
    • <PATH_TO_VALUES> is the path to the values.yaml file

Step 3: Enable traffic analysis for your Ingress

If the deployed solution is based on the Open-Source Kong Ingress controller, enable traffic analysis for your Ingress by setting the Wallarm mode to monitoring:

kubectl annotate ingress <KONG_INGRESS_NAME> -n <KONG_INGRESS_NAMESPACE> wallarm.com/wallarm-mode=monitoring

Where <KONG_INGRESS_NAME> is the name of the K8s Ingress resource routing API calls to the microservices you want to protect.

Step 4: Test Kong Ingress Controller with integrated Wallarm services

To test that Kong Ingress Controller with integrated Wallarm services operates correctly:

  1. Get the Wallarm pod details to check they have been successfully started:

    kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=kong
    

    Each pod should display the following: READY: N/N and STATUS: Running, e.g.:

    NAME                                                      READY   STATUS    RESTARTS   AGE
    wallarm-ingress-kong-54cf88b989-gp2vg                     1/1     Running   0          91m
    wallarm-ingress-kong-wallarm-tarantool-86d9d4b6cd-hpd5k   4/4     Running   0          91m
    
  2. Send the test Path Traversal attacks to the Kong Ingress Controller Service:

    curl http://<INGRESS_CONTROLLER_IP>/etc/passwd
    

    Since the Wallarm layer operates in the monitoring filtration mode, the Wallarm node will not block the attack but will register it.

    To check that the attack has been registered, proceed to Wallarm Console → Attacks:

    Attacks in the interface

Customization

Wallarm pods have been injected based on the default values.yaml and the custom configuration you specified on the 2nd deployment step.

You can customize both the Kong API Gateway and Wallarm behavior even more and get the most out of Wallarm for your company.

Just proceed to the Kong Ingress Controller solution customization guide.