Skip to content

Customizing Kong Ingress Controller with Integrated Wallarm Services

This article instructs you on the safe and effective customization of the Kong Ingress Controller with integrated Wallarm services.

Configuration area

Kong Ingress Controller with integrated Wallarm services is based on the standard Kubernetes components, thus the solution configuration is largely similar to the Kubernetes stack configuration.

You can configure the solution as follows:

  • Globally via values.yaml - it allows setting up the general deployment configuration, the Kong API Gateway and some basic Wallarm settings. These settings apply to all Ingress resources the solution proxies traffic to.

  • Via the Ingress annotations - it allows fine-tuning the Wallarm settings on a per-Ingress basis.

    Annotation support

    Ingress annotation is supported only by the solution based on the Open-Source Kong Ingress controller. The list of supported annotations is limited.

  • Via the Wallarm Console UI - it allows fine-tuning the Wallarm settings.

Configuration of Kong API Gateway

Configuration of Kong Ingress Controller for Kong API Gateway is set by the default Helm chart values. This configuration can be overridden by the values.yaml file provided by the user during helm install or helm upgrade.

To customize the default Helm chart values, learn the official instructions on the Kong and Ingress Controller configuration.

Configuration of the Wallarm layer

You can configure the Wallarm layer of the solution as follows:

  • Set basic configuration via values.yaml: connection to the Wallarm Cloud, resource allocation, fallbacks.

  • Fine-tune traffic analysis on a per-Ingress basis via annotations (only for the Open-Source edition): traffic filtration mode, application management, multitenancy configuration, etc.

  • Fine-tune traffic analysis via the Wallarm Console UI: traffic filtration mode, notifications about security events, request source management, mask sensitive data, allow certain attack types, etc.

Basic configuration via values.yaml

The default values.yaml file provides the following Wallarm configuration:

  enabled: true
  apiPort: 443
  apiSSL: true
  token: ""
  fallback: "on"
    kind: Deployment
      annotations: {}
    replicaCount: 1
    arena: "0.2"
      failureThreshold: 3
      initialDelaySeconds: 10
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    resources: {}
    podAnnotations: false
    resources: {}
    resources: {}
    resources: {}
    port: 18080
    enabled: false

      annotations: "true" /wallarm-metrics "18080"

      # clusterIP: ""

      ## -- List of IP addresses at which the stats-exporter service is available
      ## Ref:
      externalIPs: []

      # loadBalancerIP: ""
      loadBalancerSourceRanges: []
      servicePort: 18080
      type: ClusterIP
      # externalTrafficPolicy: ""
      # nodePort: ""
    resources: {}
        schedule: "0 */1 * * *"
        timeout: 10m
        schedule: "* * * * *"
        timeout: 3h
        schedule: "* * * * *"
        timeout: 11m
        schedule: "* * * * *"
        timeout: 6m
        schedule: "* * * * *"
        timeout: 3h
        schedule: "* * * * *"
        timeout: 3h
        schedule: "*/5 * * * *"
        timeout: 3h
        schedule: "* * * * *"
        timeout: 1h
    resources: {}
    resources: {}
    wallarm_syncnode_interval_sec: 120
    resources: {}
    resources: {}

The main parameters you may need to change are:

Parameter Description Default value
wallarm.enabled Allows you to enable or disable the Wallarm layer. true
wallarm.apiHost Wallarm API server:
  • for the US Cloud
  • for the EU Cloud
wallarm.token Wallarm node token. Required. Empty
wallarm.fallback Whether to run the Kong API Gateway services if the Wallarm service start failed. on
wallarm.tarantool.replicaCount The number of running pods for the Wallarm postanalytics module that is the local data analytics backend for the solution. 1
wallarm.tarantool.arena Specifies the amount of memory allocated for the Wallarm postanalytics module. It is recommended to set up a value sufficient to store request data for the last 5-15 minutes. 0.2
wallarm.metrics.enabled This switch toggles information and metrics collection. If Prometheus is installed in the Kubernetes cluster, no additional configuration is required. false

Other parameters come with default values and rarely need to be changed.

Fine-tuning of traffic analysis via Ingress annotations (only for the Open-Source edition)

Below is the list of annotations supported in the Open-Source Kong Ingress controller with integrated Wallarm services.

Priorities of global and per-Ingress's settings

Per-Ingress's annotations take precedence over Helm chart values.

Annotation Description Traffic filtration mode: off (default), monitoring, safe_blocking, or block. Wallarm application ID. The value can be a positive integer except for 0. Whether to analyze the application responses for attacks: true (default) or false. Response analysis is required for vulnerability detection during passive detection and active threat verification. Wallarm has full WebSockets support. By default, the WebSockets' messages are not analyzed for attacks. To force the feature, activate the API Security subscription plan and use this annotation: true or false (default). Whether to decompress compressed data returned in the application response: true (default) or false. Unique identifier of the tenant for the multi-tenant Wallarm node. The value should be a string in the UUID format, e.g. 123e4567-e89b-12d3-a456-426614174000.

Know how to:

Fine-tuning of traffic analysis via the Wallarm Console UI

The Wallarm Console UI enables you to fine-tune the traffic analysis performed by the Wallarm layer as follows: