Skip to content

Deploying Kong Ingress Controller with integrated Wallarm services

To secure APIs managed by Kong API Gateway, you can deploy the Kong Ingress controller with integrated Wallarm API Security services in a Kubernetes cluster. The solution involves the default Kong API Gateway functionality with the layer of real-time malicious traffic mitigation.

The solution is deployed from the Wallarm Helm chart.

The key features of the Kong Ingress Controller with integrated Wallarm services:

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:

  • There is no Ingress controller and security layer routing traffic to Ingress resources managed by Kong.

  • You are using either the Open-Source or Enterprise official Kong Ingress controller and looking for a security solution compatible with your technology stack.

    You can seamlessly replace the deployed Kong Ingress Controller with the one these instructions describe by only moving your configuration to a new deployment.

Solution architecture

The solution has the following architecture:

Solution architecture

The solution is based on the official Kong Ingress Controller, its architecture is described in the official Kong documentation.

Kong Ingress Controller with integrated Wallarm services is arranged by the following Deployment objects:

  • Ingress controller (wallarm-ingress-kong) that injects the Kong API Gateway and Wallarm resources into the K8s cluster configuring it based on the Helm chart values and connecting the node components to the Wallarm Cloud.

  • Postanalytics module (wallarm-ingress-kong-wallarm-tarantool) is the local data analytics backend for the solution. The module uses the in-memory storage Tarantool and the set of some helper containers (like the collectd, attack export services).

Limitations of the Enterprise Kong Ingress controller

The described solution for the Enterprise Kong Ingress controller allows the Wallarm API Security layer fine‑tuning only via the Wallarm Console UI.

However, some Wallarm API Security features require configuration files to be changed that is unsupported in the current Enterprise solution implementation. It makes the following Wallarm features unavailable:

As for the Open-Source Kong Ingress controller with Wallarm services, it supports the multitenancy and application configuration on a per-Ingress basis via annotations.

Requirements

  • Kubernetes platform version 1.22-1.25

  • K8s Ingress resources that configure Kong to route API calls to the microservices you want to protect

  • Helm v3 package manager

  • Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud

  • Access to https://charts.wallarm.com to add the Wallarm Helm charts

  • Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

  • Access to GCP storage addresses to download an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers

  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud

Deployment

To deploy Kong Ingress Controller with integrated Wallarm services:

  1. Create the Wallarm node.

  2. Deploy the Wallarm Helm chart with the Kong API Gateway and Wallarm services.

  3. Enable traffic analysis for your Ingress.

  4. Test Kong Ingress Controller with integrated Wallarm services.

Step 1: Create the Wallarm node

  1. Open Wallarm Console → Nodes via the link below:

  2. Create a filtering node with the Wallarm node type and copy the generated token.

    Creation of a Wallarm node

Step 2: Deploy the Wallarm Helm chart

  1. Add the Wallarm chart repository:

    helm repo add wallarm https://charts.wallarm.com
    

  2. Create the values.yaml file with the solution configuration.

    Example of the file with the minimum configuration to run the Open-Source Kong Ingress controller with integrated Wallarm services:

    wallarm:
      token: "<NODE_TOKEN>"
      apiHost: us1.api.wallarm.com
    
    image:
      repository: wallarm/kong
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: wallarm/kong-kubernetes-ingress-controller
    
    wallarm:
      token: "<NODE_TOKEN>"
    
    image:
      repository: wallarm/kong
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: wallarm/kong-kubernetes-ingress-controller
    

    Example of the file with the minimum configuration to run Enterprise Kong Ingress controller with integrated Wallarm services:

    wallarm:
      token: "<NODE_TOKEN>"
      apiHost: us1.api.wallarm.com
    
    image:
      repository: wallarm/kong-ee-preview
      license_secret: "<KONG-ENTERPRISE-LICENSE>"
      vitals:
        enabled: false
      portal:
        enabled: false
      rbac:
        enabled: false
    
    enterprise:
      enabled: true
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: kong/kubernetes-ingress-controller
    
    wallarm:
      token: "<NODE_TOKEN>"
    
    image:
      repository: wallarm/kong-ee-preview
      license_secret: "<KONG-ENTERPRISE-LICENSE>"
      vitals:
        enabled: false
      portal:
        enabled: false
      rbac:
        enabled: false
    
    enterprise:
      enabled: true
    
    ingressController:
      enabled: true
      installCRDs: false
      image:
        repository: kong/kubernetes-ingress-controller
    
    • <NODE_TOKEN> is the Wallarm node token you copied from the Wallarm Console UI
    • <KONG-ENTERPRISE-LICENSE> is the Kong Enterprise License
  3. Deploy the Wallarm Helm chart:

    helm install --version 4.4.0 <RELEASE_NAME> wallarm/kong -n <KUBERNETES_NAMESPACE> -f <PATH_TO_VALUES>
    
    • <RELEASE_NAME> is the name for the Kong Ingress Controller release
    • <KUBERNETES_NAMESPACE> is the new namespace to deploy the Kong Ingress Controller
    • <PATH_TO_VALUES> is the path to the values.yaml file

Step 3: Enable traffic analysis for your Ingress

If the deployed solution is based on the Open-Source Kong Ingress controller, enable traffic analysis for your Ingress by setting the Wallarm mode to monitoring:

kubectl annotate ingress <KONG_INGRESS_NAME> wallarm.com/wallarm-mode=monitoring

Where <KONG_INGRESS_NAME> is the name of the K8s Ingress resource routing API calls to the microservices you want to protect.

As for the Enterprise Kong Ingress controller, traffic analysis in the monitoring mode is enabled globally for all Ingress resources by default.

Step 4: Test Kong Ingress Controller with integrated Wallarm services

To test that Kong Ingress Controller with integrated Wallarm services operates correctly:

  1. Get the Wallarm pod details to check they have been successfully started:

    kubectl get pods -n <KUBERNETES_NAMESPACE>
    

    As for the wallarm-* pods, each pod should display the following: READY: N/N and STATUS: Running, e.g.:

    NAME                                                      READY   STATUS    RESTARTS   AGE
    wallarm-ingress-kong-54cf88b989-gp2vg                     1/1     Running   0          91m
    wallarm-ingress-kong-wallarm-tarantool-86d9d4b6cd-hpd5k   4/4     Running   0          91m
    
  2. Send the test Path Traversal attacks to the Kong Ingress Controller Service:

    curl http://<INGRESS_CONTROLLER_IP>/etc/passwd
    

    Since the Wallarm layer operates in the monitoring filtration mode, the Wallarm node will not block the attack but will register it.

    To check that the attack has been registered, proceed to Wallarm Console → Events:

    Attacks in the interface

Customization

Wallarm pods have been injected based on the default values.yaml and the custom configuration you specified on the 2nd deployment step.

You can customize both the Kong API Gateway and Wallarm API Security behavior even more and get the most out of API security for your company.

Just proceed to the Kong Ingress Controller solution customization guide.