# Pod Annotations Supported by Wallarm Sidecar

The Wallarm Sidecar solution can be configured via annotations on a per-pod basis. This document lists the annotations supported by the solution.

**Priorities of global and per-pod settings**

Per-pod annotations take precedence over Helm chart values.
## Annotation list
| Annotation and corresponding chart value | Description |
|---|---|
| `sidecar.wallarm.io/sidecar-injection-schema`<br>`config.injectionStrategy.schema` | Pattern of Wallarm container deployment: single (default) or split. |
| `sidecar.wallarm.io/sidecar-injection-iptables-enable`<br>`config.injectionStrategy.iptablesEnable` | Whether to start the iptables init container: true (default) or false. |
| `sidecar.wallarm.io/wallarm-application`<br>No chart value | Wallarm application ID. |
| `sidecar.wallarm.io/wallarm-block-page`<br>No chart value | Blocking page and error code to return for blocked requests. |
| `sidecar.wallarm.io/wallarm-enable-libdetection`<br>`config.wallarm.enableLibDetection` | Whether to additionally validate SQL injection attacks using the libdetection library: on (default) or off. |
| `sidecar.wallarm.io/wallarm-fallback`<br>`config.wallarm.fallback` | Wallarm fallback mode: on (default) or off. |
| `sidecar.wallarm.io/wallarm-mode`<br>`config.wallarm.mode` | Traffic filtration mode: monitoring (default), safe_blocking, block or off. |
| `sidecar.wallarm.io/wallarm-mode-allow-override`<br>`config.wallarm.modeAllowOverride` | Manages the ability to override the wallarm_mode values via settings in the Cloud: on (default), off or strict. |
| `sidecar.wallarm.io/wallarm-node-group`<br>`config.wallarm.api.nodeGroup` | Specifies the name of the group of filtering nodes you want to add newly deployed nodes to. Node grouping this way is available only when you create and connect nodes to the Cloud using an API token with the Node deployment/Deployment usage type (its value is passed in the config.wallarm.api.token parameter). This value does not take effect on the postanalytics pods; their nodes are always linked to the node group specified in the config.wallarm.api.nodeGroup Helm chart value. |
| `sidecar.wallarm.io/wallarm-parser-disable`<br>No chart value | Disables parsers. The value is the name of the parser to disable, e.g. json. Multiple parsers can be specified, separated by semicolons, e.g. json;base64. |
| `sidecar.wallarm.io/wallarm-parse-response`<br>`config.wallarm.parseResponse` | Whether to analyze application responses for attacks: on (default) or off. Response analysis is required for vulnerability detection during passive detection and threat replay testing. |
| `sidecar.wallarm.io/wallarm-acl-export-enable`<br>`config.wallarm.aclExportEnable` | Enables (on) or disables (off) sending statistics about requests from denylisted IPs from the node to the Cloud. |
| `sidecar.wallarm.io/wallarm-parse-websocket`<br>`config.wallarm.parseWebsocket` | Wallarm has full WebSockets support. By default, WebSocket messages are not analyzed for attacks. To enable the analysis, activate the API Security subscription plan and set this annotation: on or off (default). |
| `sidecar.wallarm.io/wallarm-unpack-response`<br>`config.wallarm.unpackResponse` | Whether to decompress compressed data returned in the application response: on (default) or off. |
| `sidecar.wallarm.io/wallarm-upstream-connect-attempts`<br>`config.wallarm.upstream.connectAttempts` | Number of immediate reconnects to postanalytics or the Wallarm API. |
| `sidecar.wallarm.io/wallarm-upstream-reconnect-interval`<br>`config.wallarm.upstream.reconnectInterval` | Interval between attempts to reconnect to postanalytics or the Wallarm API once the number of unsuccessful attempts has exceeded the threshold for immediate reconnects. |
| `sidecar.wallarm.io/application-port`<br>`config.nginx.applicationPort` | Port to which the Wallarm container forwards incoming requests if no exposed application pod ports were found. |
| `sidecar.wallarm.io/nginx-listen-port`<br>`config.nginx.listenPort` | Port the Wallarm container listens on. This port is reserved for the Wallarm sidecar solution and cannot be the same as application-port. |
| `sidecar.wallarm.io/nginx-http-include`<br>No chart value | Array of paths to NGINX configuration files to be included at the http level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-http-snippet`<br>No chart value | Additional inline configuration to be included at the http level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-server-include`<br>No chart value | Array of paths to NGINX configuration files to be included at the server level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-server-snippet`<br>No chart value | Additional inline configuration to be included at the server level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-location-include`<br>No chart value | Array of paths to NGINX configuration files to be included at the location level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-location-snippet`<br>No chart value | Additional inline configuration to be included at the location level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-extra-modules`<br>No chart value | Array of additional NGINX modules to be enabled. |
| `sidecar.wallarm.io/nginx-worker-connections`<br>`config.nginx.workerConnections` | Maximum number of simultaneous connections that can be opened by an NGINX worker process. By default, the chart value is set to 4096. |
| `sidecar.wallarm.io/nginx-worker-processes`<br>`config.nginx.workerProcesses` | Number of NGINX worker processes. By default, the chart value is set to auto, which means the number of workers equals the number of CPU cores. |
| `sidecar.wallarm.io/proxy-extra-volumes`<br>No chart value | Custom volumes to be added to the Pod (array). The annotation value must be wrapped in single quotes ''. |
| `sidecar.wallarm.io/proxy-extra-volume-mounts`<br>No chart value | Custom volume mounts to be added to the sidecar-proxy container (JSON object). The annotation value must be wrapped in single quotes ''. |
| `sidecar.wallarm.io/proxy-cpu`<br>`config.sidecar.containers.proxy.resources.requests.cpu` | Requested CPU for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-memory`<br>`config.sidecar.containers.proxy.resources.requests.memory` | Requested memory for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-cpu-limit`<br>`config.sidecar.containers.proxy.resources.limits.cpu` | CPU limit for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-memory-limit`<br>`config.sidecar.containers.proxy.resources.limits.memory` | Memory limit for the sidecar-proxy container. |
| `sidecar.wallarm.io/helper-cpu`<br>`config.sidecar.containers.helper.resources.requests.cpu` | Requested CPU for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-memory`<br>`config.sidecar.containers.helper.resources.requests.memory` | Requested memory for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-cpu-limit`<br>`config.sidecar.containers.helper.resources.limits.cpu` | CPU limit for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-memory-limit`<br>`config.sidecar.containers.helper.resources.limits.memory` | Memory limit for the sidecar-helper container. |
| `sidecar.wallarm.io/init-iptables-cpu`<br>`config.sidecar.initContainers.iptables.resources.requests.cpu` | Requested CPU for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-memory`<br>`config.sidecar.initContainers.iptables.resources.requests.memory` | Requested memory for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-cpu-limit`<br>`config.sidecar.initContainers.iptables.resources.limits.cpu` | CPU limit for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-memory-limit`<br>`config.sidecar.initContainers.iptables.resources.limits.memory` | Memory limit for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-helper-cpu`<br>`config.sidecar.initContainers.helper.resources.requests.cpu` | Requested CPU for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-memory`<br>`config.sidecar.initContainers.helper.resources.requests.memory` | Requested memory for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-cpu-limit`<br>`config.sidecar.initContainers.helper.resources.limits.cpu` | CPU limit for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-memory-limit`<br>`config.sidecar.initContainers.helper.resources.limits.memory` | Memory limit for the sidecar-init-helper container. |
| `sidecar.wallarm.io/profile`<br>No chart value | Assigns a specific TLS profile to an application pod for TLS/SSL termination. This annotation and TLS/SSL termination are supported starting from Helm chart 4.6.1. |
Wallarm supports more NGINX directives than are covered by direct annotations; you can still configure them using the nginx-*-snippet and nginx-*-include annotations.
## How to use annotations

To apply an annotation to a pod, specify it in the pod template of the application's Deployment object, e.g.:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        wallarm-sidecar: enabled
      annotations:
        sidecar.wallarm.io/wallarm-mode: block
    spec:
      containers:
        - name: application
          image: kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
```
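Because a misspelled annotation name or an unlisted value is silently ignored by the injector and the chart default stays in force (for example, a pod you believed was in block mode remaining in monitoring), it is worth checking the pod template before applying it. The following is an added example, not part of the Wallarm documentation or chart: a small Python check that encodes the constraints from the annotation table above (allowed values, the listen-port/application-port rule, the JSON array for extra volumes) and runs over a pod template's annotations dict. The function name and the SAMPLE_ANNOTATIONS input are constructed for this example.

```python
import json
PREFIX = "sidecar.wallarm.io/"
ENUM_VALUES = {"sidecar-injection-schema": {"single", "split"},  # allowed values from the table
               "sidecar-injection-iptables-enable": {"true", "false"},
               "wallarm-mode": {"monitoring", "safe_blocking", "block", "off"},
               "wallarm-mode-allow-override": {"on", "off", "strict"}}
for _n in ("wallarm-enable-libdetection", "wallarm-fallback", "wallarm-parse-response",
           "wallarm-acl-export-enable", "wallarm-parse-websocket", "wallarm-unpack-response"):
    ENUM_VALUES[_n] = {"on", "off"}
RESOURCES = {f"{c}-{r}" for c in ("proxy", "helper", "init-iptables", "init-helper")
             for r in ("cpu", "memory", "cpu-limit", "memory-limit")}
OTHERS = {"wallarm-application", "wallarm-block-page", "wallarm-node-group", "wallarm-parser-disable",
          "wallarm-upstream-connect-attempts", "wallarm-upstream-reconnect-interval",
          "application-port", "nginx-listen-port", "nginx-http-include", "nginx-http-snippet",
          "nginx-server-include", "nginx-server-snippet", "nginx-location-include",
          "nginx-location-snippet", "nginx-extra-modules", "nginx-worker-connections",
          "nginx-worker-processes", "proxy-extra-volumes", "proxy-extra-volume-mounts", "profile"}
KNOWN = set(ENUM_VALUES) | RESOURCES | OTHERS

def validate_wallarm_annotations(annotations):
    """Return the problems found in a pod template's sidecar.wallarm.io/* annotations."""
    findings = []
    wallarm = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    for name, value in wallarm.items():
        if name not in KNOWN:  # a misspelled name is ignored and the chart default stays in force
            findings.append(f"unknown annotation {PREFIX}{name}")
        elif name in ENUM_VALUES and value not in ENUM_VALUES[name]:
            findings.append(f"{name}: {value!r} not in {sorted(ENUM_VALUES[name])}")
    ports = {}  # the sidecar listen port is reserved and cannot equal the application port
    for name in ("nginx-listen-port", "application-port"):
        value = wallarm.get(name, "")
        if value and (not value.isdigit() or not 1 <= int(value) <= 65535):
            findings.append(f"{name}: {value!r} is not a valid port")
        elif value:
            ports[name] = int(value)
    if len(ports) == 2 and ports["nginx-listen-port"] == ports["application-port"]:
        findings.append("nginx-listen-port must differ from application-port")
    if "proxy-extra-volumes" in wallarm:  # must be a JSON array (single-quoted in the YAML)
        try:
            if not isinstance(json.loads(wallarm["proxy-extra-volumes"]), list):
                findings.append("proxy-extra-volumes: expected a JSON array")
        except json.JSONDecodeError:
            findings.append("proxy-extra-volumes: value is not valid JSON")
    return findings

# Constructed sample: three mistakes (unlisted mode, clashing ports, misspelled name).
SAMPLE_ANNOTATIONS = {PREFIX + "wallarm-mode": "blocking", PREFIX + "nginx-listen-port": "80",
                      PREFIX + "application-port": "80", PREFIX + "wallarm-parse-respone": "on",
                      PREFIX + "proxy-extra-volumes": '[{"name": "tls", "emptyDir": {}}]'}
```

Run it against the `annotations` map of `spec.template.metadata` from the manifest above; an empty list means every Wallarm annotation is known and consistent with the table.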