# Pod's Annotations Supported by Wallarm Sidecar

The [Wallarm Sidecar solution](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/deployment.md) can be configured on a per-pod basis via annotations. This document lists the annotations the solution supports.

!!! info "Priorities of global and per-pod settings"
    Per-pod annotations [take precedence](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#configuration-area) over Helm chart values.

## Annotation list

| Annotation and corresponding chart value                          | Description                                                      | 
|-------------------------------------|------------------------------------------------------------------|
| **Annotation:** `sidecar.wallarm.io/sidecar-injection-schema`<br><br>`config.injectionStrategy.schema` | [Pattern of Wallarm container deployment](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#single-and-split-deployment-of-containers): `single` (default) or `split`.                                                                                                                                                                                                                                                                     |
| **Annotation:** `sidecar.wallarm.io/sidecar-injection-iptables-enable`<br><br>`config.injectionStrategy.iptablesEnable` | [Whether to start the `iptables` init container](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#capturing-incoming-traffic-port-forwarding): `true` (default) or `false`.                                                                                                                                                                                                                                |
| **Annotation:** `sidecar.wallarm.io/wallarm-application`<br><br>No chart value      | [Wallarm application ID](https://docs.wallarm.com/user-guides/settings/applications.md).                                                                                                                                                                                                                                                                           |
| **Annotation:** `sidecar.wallarm.io/wallarm-block-page`<br><br>No chart value | [Blocking page and error code](https://docs.wallarm.com/admin-en/configuration-guides/configure-block-page-and-code.md) to return to blocked requests.                                                                                                                                                        |
| **Annotation:** `sidecar.wallarm.io/wallarm-enable-libdetection`<br><br>`config.wallarm.enableLibDetection`                         | Whether to additionally validate the SQL Injection attacks using the [libdetection](https://docs.wallarm.com/about-wallarm/protecting-against-attacks.md#basic-set-of-detectors) library: `on` (default) or `off`.                                                                                                                                                                                                             |
| **Annotation:** `sidecar.wallarm.io/wallarm-fallback`<br><br>`config.wallarm.fallback`                                          | [Wallarm fallback mode](https://docs.wallarm.com/admin-en/configure-parameters-en.md#wallarm_fallback): `on` (default) or  `off`. |
| **Annotation:** `sidecar.wallarm.io/wallarm-mode`<br><br>`config.wallarm.mode`                                              | [Traffic filtration mode](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md): `monitoring` (default), `safe_blocking`, `block` or `off`.                                                                                                                                                                                                                                                                       |
| **Annotation:** `sidecar.wallarm.io/wallarm-mode-allow-override`<br><br>`config.wallarm.modeAllowOverride`                                 | Manages the [ability to override the `wallarm_mode` values via settings in the Cloud](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md#prioritization-of-methods): `on` (default), `off` or `strict`.                                                                                                                                                                                       |
| <a name="wallarm-node-group"></a>**Annotation:** `sidecar.wallarm.io/wallarm-node-group`<br><br>`config.wallarm.api.nodeGroup` | Specifies the name of the group of filtering nodes you want to add newly deployed nodes to. Grouping nodes this way is available only when you create and connect nodes to the Cloud using an API token with the **Node deployment/Deployment** usage type (its value is passed in the `config.wallarm.api.token` parameter).<br>This value does not take effect on the postanalytics pods; their nodes are always linked to the node group specified in the `config.wallarm.api.nodeGroup` Helm chart value. |
| **Annotation:** `sidecar.wallarm.io/wallarm-parser-disable`<br><br>No chart value | Disables [parsers](https://docs.wallarm.com/user-guides/rules/request-processing.md). The value is the name of the parser to be disabled, e.g. `json`. Multiple parsers can be specified, separated by semicolons, e.g. `json;base64`. |
| **Annotation:** `sidecar.wallarm.io/wallarm-parse-response`<br><br>`config.wallarm.parseResponse`                                     | Whether to analyze the application responses for attacks: `on` (default) or `off`. Response analysis is required for vulnerability detection during [passive detection](https://docs.wallarm.com/about-wallarm/detecting-vulnerabilities.md#passive-detection) and [threat replay testing](https://docs.wallarm.com/about-wallarm/detecting-vulnerabilities.md#threat-replay-testing-trt).                                                                                                                                                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/wallarm-acl-export-enable`<br><br>`config.wallarm.aclExportEnable` | Enables (`on`) or disables (`off`) sending statistics about requests from [denylisted](https://docs.wallarm.com/user-guides/ip-lists/overview.md) IPs from the node to the Cloud.<ul><li>With the `"on"` value (default), the statistics on requests from denylisted IPs are [displayed](https://docs.wallarm.com/user-guides/ip-lists/overview.md#requests-from-denylisted-ips) in the **Attacks** section.</li><li>With the `"off"` value, the statistics on requests from denylisted IPs are not displayed.</li></ul> |
| **Annotation:** `sidecar.wallarm.io/wallarm-parse-websocket`<br><br>`config.wallarm.parseWebsocket`                                    | Wallarm has full WebSockets support. By default, the WebSockets' messages are not analyzed for attacks. To force the feature, activate the API Security [subscription plan](https://docs.wallarm.com/about-wallarm/subscription-plans.md#core-subscription-plans) and use this annotation: `on` or `off` (default).                                                                                                                                                                                                                                                 |
| **Annotation:** `sidecar.wallarm.io/wallarm-unpack-response`<br><br>`config.wallarm.unpackResponse`                                    | Whether to decompress compressed data returned in the application response: `on` (default) or `off`.                                                                                                                                                                                                                          |
| **Annotation:** `sidecar.wallarm.io/wallarm-upstream-connect-attempts`<br><br>`config.wallarm.upstream.connectAttempts`                          | Defines the number of immediate reconnects to postanalytics or Wallarm API.                                                                                                                                                                                                                                         |
| **Annotation:** `sidecar.wallarm.io/wallarm-upstream-reconnect-interval`<br><br>`config.wallarm.upstream.reconnectInterval`                        | Defines the interval between attempts to reconnect to postanalytics or Wallarm API after the number of unsuccessful attempts has exceeded the threshold for the number of immediate reconnects.                                                                                                                                                                                                                                |
| **Annotation:** `sidecar.wallarm.io/application-port`<br><br>`config.nginx.applicationPort` | The Wallarm container expects incoming requests to go to this port if [no exposed application pod ports were found](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#application-container-port-auto-discovery). |
| **Annotation:** `sidecar.wallarm.io/nginx-listen-port`<br><br>`config.nginx.listenPort` | Port the Wallarm container listens on. This port is reserved for use by the Wallarm sidecar solution; it cannot be the same as `application-port`. |
| **Annotation:** `sidecar.wallarm.io/nginx-http-include`<br><br>No chart value                                                               | Array of paths to the NGINX configuration files that should be [included on the `http` level of NGINX configuration](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration). The file should be mounted to the container and this path should point to the file in the container.                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/nginx-http-snippet`<br><br>No chart value                                                               | [Additional inline config](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration) that should be included on the `http` level of NGINX configuration.                                                                                                                                      |
| **Annotation:** `sidecar.wallarm.io/nginx-server-include`<br><br>No chart value                                                               | Array of paths to the NGINX configuration files that should be [included on the `server` level of NGINX configuration](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration). The file should be mounted to the container and this path should point to the file in the container.                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/nginx-server-snippet`<br><br>No chart value                                                               | [Additional inline config](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration) that should be included on the `server` level of NGINX configuration.                                                                                                                                      |
| **Annotation:** `sidecar.wallarm.io/nginx-location-include`<br><br>No chart value                                                               | Array of paths to the NGINX configuration files that should be [included on the `location` level of NGINX configuration](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration). The file should be mounted to the container and this path should point to the file in the container.                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/nginx-location-snippet`<br><br>No chart value                                                               | [Additional inline config](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration) that should be included on the `location` level of NGINX configuration.                                                                                                                                      |
| **Annotation:** `sidecar.wallarm.io/nginx-extra-modules`<br><br>No chart value                                                               | Array of [additional NGINX modules](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#enabling-additional-nginx-modules) to be enabled.                                                                                                                                                                                                                  |
| **Annotation:** `sidecar.wallarm.io/nginx-worker-connections`<br><br>`config.nginx.workerConnections`                                                   | The maximum [number of simultaneous connections](http://nginx.org/en/docs/ngx_core_module.html#worker_connections) that can be opened by an NGINX worker process. By default, the chart value is set to `4096`.                                                                                                                                                                                                                    |
| **Annotation:** `sidecar.wallarm.io/nginx-worker-processes`<br><br>`config.nginx.workerProcesses`                                                   | [NGINX worker process number](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). By default, the chart value is set to `auto`, which means the number of workers is set to the number of CPU cores.                                                                                                                                                                                                                    |
| **Annotation:** `sidecar.wallarm.io/proxy-extra-volumes`<br><br>No chart value                                                               | [Custom volumes](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#include) to be added to the Pod (array). Annotation value must be wrapped in single quotes `''`.                                                                                                                                                                                  |
| **Annotation:** `sidecar.wallarm.io/proxy-extra-volume-mounts`<br><br>No chart value                                                               | [Custom volume mounts](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#include) to be added to the `sidecar-proxy` container (JSON object). Annotation value must be wrapped in single quotes `''`.                                                                                                                                                                              |
| **Annotation:** `sidecar.wallarm.io/proxy-cpu`<br><br>`config.sidecar.containers.proxy.resources.requests.cpu`           | [Requested CPU](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-proxy` container.                                                                                                                                                                                                                                                                                |
| **Annotation:** `sidecar.wallarm.io/proxy-memory`<br><br>`config.sidecar.containers.proxy.resources.requests.memory`        | [Requested memory](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-proxy` container.                                                                                                                                                                                                                                                                             |
| **Annotation:** `sidecar.wallarm.io/proxy-cpu-limit`<br><br>`config.sidecar.containers.proxy.resources.limits.cpu`             | [CPU limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-proxy` container.                                                                                                                                                                                                                                                                                    |
| **Annotation:** `sidecar.wallarm.io/proxy-memory-limit`<br><br>`config.sidecar.containers.proxy.resources.limits.memory`          | [Memory limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-proxy` container.                                                                                                                                                                                                                                                                                 |
| **Annotation:** `sidecar.wallarm.io/helper-cpu`<br><br>`config.sidecar.containers.helper.resources.requests.cpu`          | [Requested CPU](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-helper` container.                                                                                                                                                                                                                                                                               |
| **Annotation:** `sidecar.wallarm.io/helper-memory`<br><br>`config.sidecar.containers.helper.resources.requests.memory`       | [Requested memory](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-helper` container.                                                                                                                                                                                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/helper-cpu-limit`<br><br>`config.sidecar.containers.helper.resources.limits.cpu`            | [CPU limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-helper` container.                                                                                                                                                                                                                                                                                  |
| **Annotation:** `sidecar.wallarm.io/helper-memory-limit`<br><br>`config.sidecar.containers.helper.resources.limits.memory`         | [Memory limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-helper` container.                                                                                                                                                                                                                                                                                |
| **Annotation:** `sidecar.wallarm.io/init-iptables-cpu`<br><br>`config.sidecar.initContainers.iptables.resources.requests.cpu`    | [Requested CPU](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-iptables` container.                                                                                                                                                                                                                                                                        |
| **Annotation:** `sidecar.wallarm.io/init-iptables-memory`<br><br>`config.sidecar.initContainers.iptables.resources.requests.memory` | [Requested memory](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-iptables` container.                                                                                                                                                                                                                                                                     |
| **Annotation:** `sidecar.wallarm.io/init-iptables-cpu-limit`<br><br>`config.sidecar.initContainers.iptables.resources.limits.cpu`      | [CPU limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-iptables` container.                                                                                                                                                                                                                                                                            |
| **Annotation:** `sidecar.wallarm.io/init-iptables-memory-limit`<br><br>`config.sidecar.initContainers.iptables.resources.limits.memory`   | [Memory limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-iptables` container.                                                                                                                                                                                                                                                                         |
| **Annotation:** `sidecar.wallarm.io/init-helper-cpu`<br><br>`config.sidecar.initContainers.helper.resources.requests.cpu`      | [Requested CPU](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-helper` container.                                                                                                                                                                                                                                                                          |
| **Annotation:** `sidecar.wallarm.io/init-helper-memory`<br><br>`config.sidecar.initContainers.helper.resources.requests.memory`   | [Requested memory](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-helper` container.                                                                                                                                                                                                                                                                       |
| **Annotation:** `sidecar.wallarm.io/init-helper-cpu-limit`<br><br>`config.sidecar.initContainers.helper.resources.limits.cpu`        | [CPU limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-helper` container.                                                                                                                                                                                                                                                                              |
| **Annotation:** `sidecar.wallarm.io/init-helper-memory-limit`<br><br>`config.sidecar.initContainers.helper.resources.limits.memory`     | [Memory limit](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#per-pod-settings) for the `sidecar-init-helper` container.                                                                                                                                                                                                                                                                           |
| **Annotation:** `sidecar.wallarm.io/profile`<br><br>No chart value | The annotation is used to assign a specific TLS profile to an application pod for [TLS/SSL termination](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#ssltls-termination).<br><br>This annotation and the TLS/SSL termination are supported starting from the Helm chart 4.6.1.                                                                                                                                                                                                                                                                           |

There are more [NGINX directives supported by Wallarm](https://docs.wallarm.com/admin-en/configure-parameters-en.md) that are not covered by direct annotations. Nevertheless, you can configure them as well using the [`nginx-*-snippet` and `nginx-*-include` annotations](https://docs.wallarm.com/installation/kubernetes/sidecar-proxy/customization.md#using-custom-nginx-configuration).

## How to use annotations

To apply an annotation to a pod, specify it in the `Deployment` object settings of the appropriate application config, e.g.:

```bash
kubectl edit deployment -n <APPLICATION_NAMESPACE> <APP_LABEL_VALUE>
```

```yaml hl_lines="17"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        wallarm-sidecar: enabled
      annotations:
        sidecar.wallarm.io/wallarm-mode: block
    spec:
      containers:
        - name: application
          image: kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
```
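
Because per-pod annotations take precedence over Helm chart values, a mistyped or inspection-disabling annotation on one workload overrides the global setting for that pod. The following linter is an added example, not part of the Wallarm documentation or tooling: it checks a Deployment's `sidecar.wallarm.io/*` annotations against the allowed values listed in the table above, the `nginx-listen-port`/`application-port` rule, and the placement under `spec.template.metadata` shown in the manifest. The function names, the `REVIEW_VALUES` policy and the sample manifest are assumptions constructed for illustration.

```python
PREFIX = "sidecar.wallarm.io/"

# Allowed values, copied from the annotation table on this page.
ENUMS = {
    "sidecar-injection-schema": {"single", "split"},
    "sidecar-injection-iptables-enable": {"true", "false"},
    "wallarm-enable-libdetection": {"on", "off"},
    "wallarm-fallback": {"on", "off"},
    "wallarm-mode": {"monitoring", "safe_blocking", "block", "off"},
    "wallarm-mode-allow-override": {"on", "off", "strict"},
    "wallarm-parse-response": {"on", "off"},
    "wallarm-acl-export-enable": {"on", "off"},
    "wallarm-parse-websocket": {"on", "off"},
    "wallarm-unpack-response": {"on", "off"},
}

# Assumption (local review policy, not from the Wallarm docs): valid per-pod
# values that switch inspection off are flagged, since they override the chart.
REVIEW_VALUES = {"wallarm-mode": {"off"}, "wallarm-parse-response": {"off"}}


def lint_annotations(annotations):
    """Check one annotations mapping; return (severity, annotation, message) tuples."""
    ours = {k[len(PREFIX):]: str(v).strip()
            for k, v in (annotations or {}).items() if k.startswith(PREFIX)}
    findings = []
    for name, value in ours.items():
        if name in ENUMS and value not in ENUMS[name]:
            findings.append(("error", name,
                             f"{value!r} is not one of {sorted(ENUMS[name])}"))
        elif value in REVIEW_VALUES.get(name, ()):
            findings.append(("review", name, f"per-pod override sets {value!r}"))
        elif name == "wallarm-parser-disable":
            # Multiple parsers are separated by semicolons, e.g. json;base64.
            parsers = [p.strip() for p in value.split(";") if p.strip()]
            findings.append(("review", name, f"disables parsers {parsers}"))
        elif name.startswith("nginx-") and name.endswith(("-snippet", "-include")):
            findings.append(("review", name, "adds custom NGINX configuration"))
    # The listen port is reserved for the sidecar and must not equal application-port.
    listen = ours.get("nginx-listen-port")
    if listen is not None and listen == ours.get("application-port"):
        findings.append(("error", "nginx-listen-port",
                         "must differ from application-port"))
    return findings


def lint_deployment(manifest):
    """Lint the pod template of a Deployment and flag misplaced annotations."""
    template_meta = manifest.get("spec", {}).get("template", {}).get("metadata", {})
    findings = lint_annotations(template_meta.get("annotations"))
    # Annotations on the Deployment's own metadata are not copied to its pods.
    for key in (manifest.get("metadata", {}).get("annotations") or {}):
        if key.startswith(PREFIX):
            findings.append(("error", key[len(PREFIX):],
                             "set on the Deployment, not on spec.template.metadata"))
    return sorted(findings)


# Constructed sample manifest (as parsed from YAML/JSON); not a real workload.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "myapp",
                 "annotations": {PREFIX + "wallarm-mode": "block"}},  # misplaced
    "spec": {"template": {"metadata": {"annotations": {
        PREFIX + "wallarm-mode": "blocking",            # typo, not an allowed value
        PREFIX + "wallarm-parse-response": "off",
        PREFIX + "wallarm-parser-disable": "json;base64",
        PREFIX + "nginx-listen-port": "8080",
        PREFIX + "application-port": "8080",            # collides with listen port
        PREFIX + "nginx-server-snippet": "add_header X-Example 1;",
    }}}},
}

if __name__ == "__main__":
    for severity, name, message in lint_deployment(SAMPLE):
        print(f"{severity:6} {PREFIX}{name}: {message}")
```

To lint live objects, feed it the parsed output of `kubectl get deployment -n <APPLICATION_NAMESPACE> <APP_LABEL_VALUE> -o json`.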
