
Customizing Kong Ingress Controller with integrated Wallarm services

This article instructs you on the safe and effective customization of the Kong Ingress Controller with integrated Wallarm services.

Configuration area

Kong Ingress Controller with integrated Wallarm services is based on the standard Kubernetes components, thus the solution configuration is largely similar to the Kubernetes stack configuration.

You can configure the solution as follows:

  • Globally via values.yaml - it allows setting up the general deployment configuration, the Kong API Gateway and some basic Wallarm API Security settings. These settings apply to all Ingress resources the solution proxies traffic to.

  • Via the Ingress annotations - it allows fine-tuning the Wallarm API Security settings on a per-Ingress basis.

    Annotation support

    Ingress annotation is supported only by the solution based on the Open-Source Kong Ingress controller. The list of supported annotations is limited.

  • Via the Wallarm Console UI - it allows fine-tuning the Wallarm API Security settings.

Configuration of Kong API Gateway

The configuration of the Kong Ingress Controller and the Kong API Gateway is set by the default Helm chart values. You can override it with a values.yaml file passed to helm install or helm upgrade.

To customize the default Helm chart values, see the official Kong and Ingress Controller configuration instructions.

Configuration of the Wallarm API Security layer

You can configure the Wallarm API Security layer of the solution as follows:

  • Set basic configuration via values.yaml: connection to the Wallarm Cloud, resource allocation, fallbacks.

  • Fine-tune traffic analysis on a per-Ingress basis via annotations (only for the Open-Source edition): traffic filtration mode, application management, multitenancy configuration, etc.

  • Fine-tune traffic analysis via the Wallarm Console UI: traffic filtration mode, notifications about security events, request source management, mask sensitive data, allow certain attack types, etc.

Basic configuration via values.yaml

The default values.yaml file provides the following Wallarm API Security configuration:

wallarm:
  image:
    tag: "<WALLARM_NODE_IMAGE_TAG>"
  enabled: true
  apiHost: api.wallarm.com
  apiPort: 443
  apiSSL: true
  token: ""
  fallback: "on"
  tarantool:
    kind: Deployment
    service:
      annotations: {}
    replicaCount: 1
    arena: "0.2"
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 10
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    resources: {}
  heartbeat:
    resources: {}
  wallarm-appstructure:
    resources: {}
  wallarm-antibot:
    resources: {}
  metrics:
    port: 18080
    enabled: false

    service:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: /wallarm-metrics
        prometheus.io/port: "18080"

      # clusterIP: ""

      ## -- List of IP addresses at which the stats-exporter service is available
      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
      ##
      externalIPs: []

      # loadBalancerIP: ""
      loadBalancerSourceRanges: []
      servicePort: 18080
      type: ClusterIP
      # externalTrafficPolicy: ""
      # nodePort: ""
  addnode:
    resources: {}
  cron:
    jobs:
      exportEnvironment:
        schedule: "0 */1 * * *"
        timeout: 10m
      exportAttacks:
        schedule: "* * * * *"
        timeout: 3h
      exportCounters:
        schedule: "* * * * *"
        timeout: 11m
      bruteDetect:
        schedule: "* * * * *"
        timeout: 6m
      syncIpLists:
        schedule: "* * * * *"
        timeout: 3h
      exportMetrics:
        schedule: "* * * * *"
        timeout: 3h
      syncIpListsSource:
        schedule: "*/5 * * * *"
        timeout: 3h
      syncMarkers:
        schedule: "* * * * *"
        timeout: 1h
    resources: {}
  exportenv:
    resources: {}
  synccloud:
    wallarm_syncnode_interval_sec: 120
    resources: {}
  collectd:
    resources: {}

The main parameters you may need to change are:

  • wallarm.enabled: enables or disables the Wallarm API Security layer. Default: true.

  • wallarm.apiHost: Wallarm API server: us1.api.wallarm.com for the US Cloud, api.wallarm.com for the EU Cloud. Default: api.wallarm.com.

  • wallarm.token: Wallarm node token. Required. The token registers the node with the Wallarm Cloud, so treat it as a secret and keep it out of committed values files. Default: empty.

  • wallarm.fallback: whether the Kong API Gateway services still run if the Wallarm services fail to start. With the default on, Kong starts and serves traffic that is not analyzed by Wallarm (fail-open); decide deliberately whether availability or guaranteed filtering matters more for the deployment. Default: on.

  • wallarm.tarantool.replicaCount: the number of running pods for the Wallarm postanalytics module, the local data analytics backend of the solution. Default: 1.

  • wallarm.tarantool.arena: the amount of memory, in GB, allocated to the Wallarm postanalytics module. Set a value sufficient to store request data for the last 5-15 minutes. Default: 0.2.

  • wallarm.metrics.enabled: toggles information and metrics collection. If Prometheus is installed in the Kubernetes cluster, no additional configuration is required. Default: false.

Other parameters come with default values and rarely need to be changed.
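As an added example (not from this page or from the Wallarm chart), a minimal user-supplied values.yaml that overrides only the keys discussed above. The node token is left empty here so it can be injected at install time instead of being committed with the file; the resource requests are illustrative, and the value off for fallback is assumed to be the opposite of the documented default on:

```yaml
# Added example: user values.yaml for the Kong Ingress Controller with Wallarm.
# Only the keys listed here override the chart defaults; everything else keeps its default.
wallarm:
  enabled: true
  # Pick the Cloud the node was created in: api.wallarm.com (EU) or us1.api.wallarm.com (US).
  apiHost: us1.api.wallarm.com
  apiPort: 443
  apiSSL: true
  # Node token: leave empty in the file and pass it at deploy time so it is not committed, e.g.
  #   helm upgrade --install kong kong/kong -f values.yaml --set wallarm.token="$WALLARM_NODE_TOKEN"
  # (release and chart names are placeholders).
  token: ""
  # Fail-closed: do not serve traffic through Kong if the Wallarm services fail to start.
  # The chart default "on" is fail-open (Kong runs, traffic is not analyzed).
  # "off" is assumed here to be the disabling value; the page documents only the default.
  fallback: "off"
  tarantool:
    # Two postanalytics replicas with a 1 GB arena; size the arena so it holds
    # 5-15 minutes of request data for your traffic volume.
    replicaCount: 2
    arena: "1.0"
    resources:
      requests:
        cpu: 500m
        memory: 1536Mi   # assumed: arena plus process overhead
      limits:
        memory: 2Gi
  metrics:
    # Exposes /wallarm-metrics on port 18080 through a ClusterIP service carrying the
    # prometheus.io/* scrape annotations from the chart defaults.
    enabled: true
```

After the upgrade, confirm the effective values with helm get values <release> and check that the Wallarm pods reach Running before relying on the fail-closed behaviour; with fallback left on, a failed Wallarm start is only visible in pod status, not in the traffic path.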

Fine-tuning of traffic analysis via Ingress annotations (only for the Open-Source edition)

Below is the list of annotations supported in the Open-Source Kong Ingress controller with integrated Wallarm services.

Priority of global and per-Ingress settings

Per-Ingress annotations take precedence over the Helm chart values.

Before using an annotation, please add the wallarm.com/ prefix to it, e.g.:

wallarm.com/wallarm-mode: block
  • wallarm-mode: traffic filtration mode: off (default), monitoring, safe_blocking, or block.

  • wallarm-application: Wallarm application ID. The value must be a positive integer (0 is not allowed).

  • wallarm-parse-response: whether to analyze the application responses for attacks: true (default) or false. Response analysis is required for vulnerability detection during passive detection and active threat verification.

  • wallarm-parse-websocket: whether to analyze WebSocket messages for attacks: true or false (default). Wallarm fully supports WebSockets, but their messages are not analyzed unless this annotation enables it.

  • wallarm-unpack-response: whether to decompress compressed data returned in the application response: true (default) or false.

  • wallarm-partner-client-uuid: unique identifier of the tenant for a multi-tenant Wallarm node, as a string in UUID format, e.g. 123e4567-e89b-12d3-a456-426614174000.
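As an added example (not from this page or from the Wallarm project), an Ingress that turns on blocking mode and response and WebSocket analysis for a single host while leaving the rest of the cluster on the global settings. The resource name, host, backend service and application ID 7 are placeholders, and the ingress class name kong is assumed to match the Kong Ingress Controller's class:

```yaml
# Added example: per-Ingress Wallarm tuning via annotations (Open-Source edition only).
# Names and the application ID are placeholders; ingressClassName "kong" is assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-api
  namespace: default
  annotations:
    # Every Wallarm annotation carries the wallarm.com/ prefix; values set here
    # override the Helm chart values for this Ingress only.
    wallarm.com/wallarm-mode: block
    # Annotation values are strings, so numbers and booleans must be quoted
    # or the API server rejects the manifest.
    wallarm.com/wallarm-application: "7"
    wallarm.com/wallarm-parse-response: "true"
    wallarm.com/wallarm-parse-websocket: "true"
    wallarm.com/wallarm-unpack-response: "true"
spec:
  ingressClassName: kong
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-api
                port:
                  number: 80
```

Roll this out in two steps: apply it first with wallarm.com/wallarm-mode: monitoring, review the detected attacks for the application in the Wallarm Console, then switch the annotation to block. Verify what is actually in effect with kubectl get ingress example-api -o jsonpath='{.metadata.annotations}' rather than trusting the file, since a typo in the annotation key silently leaves the global setting in place.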

Know how to:

Fine-tuning of traffic analysis via the Wallarm Console UI

The Wallarm Console UI enables you to fine-tune the traffic analysis performed by the Wallarm API Security layer as follows: