Pod Annotations Supported by Wallarm Sidecar
The Wallarm Sidecar solution can be configured via annotations on a per-pod basis. This document lists the annotations supported by the solution.
Priorities of global and per-pod settings
Per-pod annotations take precedence over Helm chart values.
Annotation list
| Annotation | Chart value | Description |
|---|---|---|
| `sidecar.wallarm.io/sidecar-injection-schema` | `config.injectionStrategy.schema` | Pattern of Wallarm container deployment: `single` (default) or `split`. |
| `sidecar.wallarm.io/sidecar-injection-iptables-enable` | `config.injectionStrategy.iptablesEnable` | Whether to start the iptables init container: `true` (default) or `false`. |
| `sidecar.wallarm.io/wallarm-application` | No chart value | Wallarm application ID. |
| `sidecar.wallarm.io/wallarm-block-page` | No chart value | Blocking page and error code to return for blocked requests. |
| `sidecar.wallarm.io/wallarm-enable-libdetection` | `config.wallarm.enableLibDetection` | Whether to additionally validate SQL injection attacks using the libdetection library: `on` (default) or `off`. |
| `sidecar.wallarm.io/wallarm-fallback` | `config.wallarm.fallback` | Wallarm fallback mode: `on` (default) or `off`. |
| `sidecar.wallarm.io/wallarm-mode` | `config.wallarm.mode` | Traffic filtration mode: `monitoring` (default), `safe_blocking`, `block` or `off`. |
| `sidecar.wallarm.io/wallarm-mode-allow-override` | `config.wallarm.modeAllowOverride` | Manages the ability to override the `wallarm_mode` values via settings in the Cloud: `on` (default), `off` or `strict`. |
| `sidecar.wallarm.io/wallarm-node-group` | `config.wallarm.api.nodeGroup` | Specifies the name of the group of filtering nodes that newly deployed nodes are added to. Grouping nodes this way is available only when you create and connect nodes to the Cloud using an API token with the Deploy role (its value is passed in the `config.wallarm.api.token` parameter). This value does not take effect on the Tarantool pods; nodes for them are always linked to the node group specified in the `config.wallarm.api.nodeGroup` Helm chart value. |
| `sidecar.wallarm.io/wallarm-parser-disable` | No chart value | Disables parsers. The value is the name of the parser to disable, e.g. `json`. Multiple parsers can be specified separated by semicolons, e.g. `json;base64`. |
| `sidecar.wallarm.io/wallarm-parse-response` | `config.wallarm.parseResponse` | Whether to analyze application responses for attacks: `on` (default) or `off`. Response analysis is required for vulnerability detection during passive detection and active threat verification. |
| `sidecar.wallarm.io/wallarm-acl-export-enable` | `config.wallarm.aclExportEnable` | Enables (`on`) or disables (`off`) sending statistics about requests from denylisted IPs from the node to the Cloud. |
| `sidecar.wallarm.io/wallarm-parse-websocket` | `config.wallarm.parseWebsocket` | Wallarm has full WebSockets support. By default, WebSocket messages are not analyzed for attacks. To enable this, activate the API Security subscription plan and set this annotation: `on` or `off` (default). |
| `sidecar.wallarm.io/wallarm-unpack-response` | `config.wallarm.unpackResponse` | Whether to decompress compressed data returned in the application response: `on` (default) or `off`. |
| `sidecar.wallarm.io/wallarm-upstream-connect-attempts` | `config.wallarm.upstream.connectAttempts` | Defines the number of immediate reconnects to Tarantool or the Wallarm API. |
| `sidecar.wallarm.io/wallarm-upstream-reconnect-interval` | `config.wallarm.upstream.reconnectInterval` | Defines the interval between attempts to reconnect to Tarantool or the Wallarm API after the number of unsuccessful attempts has exceeded the threshold for immediate reconnects. |
| `sidecar.wallarm.io/application-port` | `config.nginx.applicationPort` | The Wallarm container expects incoming requests to go to this port if no exposed application pod ports were found. |
| `sidecar.wallarm.io/nginx-listen-port` | `config.nginx.listenPort` | Port the Wallarm container listens on. This port is reserved for the Wallarm sidecar solution; it cannot be the same as `application-port`. |
| `sidecar.wallarm.io/nginx-http-include` | No chart value | Array of paths to NGINX configuration files to include at the `http` level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-http-snippet` | No chart value | Additional inline configuration to include at the `http` level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-server-include` | No chart value | Array of paths to NGINX configuration files to include at the `server` level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-server-snippet` | No chart value | Additional inline configuration to include at the `server` level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-location-include` | No chart value | Array of paths to NGINX configuration files to include at the `location` level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| `sidecar.wallarm.io/nginx-location-snippet` | No chart value | Additional inline configuration to include at the `location` level of the NGINX configuration. |
| `sidecar.wallarm.io/nginx-extra-modules` | No chart value | Array of additional NGINX modules to enable. |
| `sidecar.wallarm.io/nginx-worker-connections` | `config.nginx.workerConnections` | The maximum number of simultaneous connections that an NGINX worker process can open. By default, the chart value is `4096`. |
| `sidecar.wallarm.io/nginx-worker-processes` | `config.nginx.workerProcesses` | Number of NGINX worker processes. By default, the chart value is `auto`, which sets the number of workers to the number of CPU cores. |
| `sidecar.wallarm.io/proxy-extra-volumes` | No chart value | Custom volumes to add to the Pod (array). The annotation value must be wrapped in single quotes `''`. |
| `sidecar.wallarm.io/proxy-extra-volume-mounts` | No chart value | Custom volume mounts to add to the sidecar-proxy container (JSON object). The annotation value must be wrapped in single quotes `''`. |
| `sidecar.wallarm.io/proxy-cpu` | `config.sidecar.containers.proxy.resources.requests.cpu` | Requested CPU for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-memory` | `config.sidecar.containers.proxy.resources.requests.memory` | Requested memory for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-cpu-limit` | `config.sidecar.containers.proxy.resources.limits.cpu` | CPU limit for the sidecar-proxy container. |
| `sidecar.wallarm.io/proxy-memory-limit` | `config.sidecar.containers.proxy.resources.limits.memory` | Memory limit for the sidecar-proxy container. |
| `sidecar.wallarm.io/helper-cpu` | `config.sidecar.containers.helper.resources.requests.cpu` | Requested CPU for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-memory` | `config.sidecar.containers.helper.resources.requests.memory` | Requested memory for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-cpu-limit` | `config.sidecar.containers.helper.resources.limits.cpu` | CPU limit for the sidecar-helper container. |
| `sidecar.wallarm.io/helper-memory-limit` | `config.sidecar.containers.helper.resources.limits.memory` | Memory limit for the sidecar-helper container. |
| `sidecar.wallarm.io/init-iptables-cpu` | `config.sidecar.initContainers.iptables.resources.requests.cpu` | Requested CPU for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-memory` | `config.sidecar.initContainers.iptables.resources.requests.memory` | Requested memory for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-cpu-limit` | `config.sidecar.initContainers.iptables.resources.limits.cpu` | CPU limit for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-iptables-memory-limit` | `config.sidecar.initContainers.iptables.resources.limits.memory` | Memory limit for the sidecar-init-iptables container. |
| `sidecar.wallarm.io/init-helper-cpu` | `config.sidecar.initContainers.helper.resources.requests.cpu` | Requested CPU for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-memory` | `config.sidecar.initContainers.helper.resources.requests.memory` | Requested memory for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-cpu-limit` | `config.sidecar.initContainers.helper.resources.limits.cpu` | CPU limit for the sidecar-init-helper container. |
| `sidecar.wallarm.io/init-helper-memory-limit` | `config.sidecar.initContainers.helper.resources.limits.memory` | Memory limit for the sidecar-init-helper container. |
| `sidecar.wallarm.io/profile` | No chart value | Assigns a specific TLS profile to an application pod for TLS/SSL termination. This annotation and TLS/SSL termination are supported starting from Helm chart 4.6.1. |
Wallarm supports more NGINX directives than are covered by direct annotations. You can still configure them using the `nginx-*-snippet` and `nginx-*-include` annotations.
How to use annotations
To apply an annotation to a pod, specify it in the Deployment object of the corresponding application config, e.g.:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        wallarm-sidecar: enabled
      annotations:
        sidecar.wallarm.io/wallarm-mode: block
    spec:
      containers:
        - name: application
          image: kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
```
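Because a mistyped annotation name or an out-of-range value in `spec.template.metadata.annotations` is easy to miss in review, a pre-apply lint is a useful guard rail. The script below is an added example, not Wallarm's own tooling: it reads a Deployment as a Python dict (as `kubectl get deploy -o json` would produce), checks every `sidecar.wallarm.io/*` annotation against the value sets in the table above, and flags the documented `nginx-listen-port` / `application-port` conflict. The sample manifest, the label check (modelled on the `wallarm-sidecar: enabled` label in the example above) and the choice of which annotations are integer- or JSON-valued are assumptions made for the example.

```python
"""Pre-apply lint for sidecar.wallarm.io/* pod annotations.

Added example, not Wallarm's own tooling: it checks a Deployment (as a dict,
e.g. parsed from `kubectl get deploy -o json`) against the documented
annotation values before the manifest is applied.
"""
import json

PREFIX = "sidecar.wallarm.io/"

# Enumerated values from the annotation table.
ALLOWED = {
    "sidecar-injection-schema": {"single", "split"},
    "sidecar-injection-iptables-enable": {"true", "false"},
    "wallarm-enable-libdetection": {"on", "off"},
    "wallarm-fallback": {"on", "off"},
    "wallarm-mode": {"monitoring", "safe_blocking", "block", "off"},
    "wallarm-mode-allow-override": {"on", "off", "strict"},
    "wallarm-parse-response": {"on", "off"},
    "wallarm-acl-export-enable": {"on", "off"},
    "wallarm-parse-websocket": {"on", "off"},
    "wallarm-unpack-response": {"on", "off"},
}
# Documented annotations whose value is free-form (ID, path, quantity, ...).
FREEFORM = set("""
wallarm-application wallarm-block-page wallarm-node-group wallarm-parser-disable
wallarm-upstream-connect-attempts wallarm-upstream-reconnect-interval
application-port nginx-listen-port nginx-http-include nginx-http-snippet
nginx-server-include nginx-server-snippet nginx-location-include
nginx-location-snippet nginx-extra-modules nginx-worker-connections
nginx-worker-processes proxy-extra-volumes proxy-extra-volume-mounts profile
""".split())
for _c in ("proxy", "helper", "init-iptables", "init-helper"):
    FREEFORM.update({f"{_c}-cpu", f"{_c}-memory", f"{_c}-cpu-limit", f"{_c}-memory-limit"})
# Assumed value shapes (the table says "JSON object"/"array" and "port"/"number").
JSON_VALUED = {"proxy-extra-volumes", "proxy-extra-volume-mounts"}
INTEGER_VALUED = {"application-port", "nginx-listen-port",
                  "wallarm-upstream-connect-attempts", "nginx-worker-connections"}


def lint_annotations(annotations):
    """Return a list of problems found in a pod template's annotations."""
    problems = []
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue  # not a Wallarm sidecar annotation
        name = key[len(PREFIX):]
        if name in ALLOWED:
            if value not in ALLOWED[name]:
                problems.append(f"{key}: {value!r} not in {sorted(ALLOWED[name])}")
        elif name in FREEFORM:
            if name in JSON_VALUED:
                try:
                    json.loads(value)
                except ValueError:
                    problems.append(f"{key}: value is not valid JSON")
            if name in INTEGER_VALUED and not value.isdigit():
                problems.append(f"{key}: expected an integer, got {value!r}")
        else:
            problems.append(f"{key}: not a documented annotation (typo?)")
    # nginx-listen-port is reserved for the sidecar and must differ from application-port.
    listen = annotations.get(PREFIX + "nginx-listen-port")
    if listen is not None and listen == annotations.get(PREFIX + "application-port"):
        problems.append("nginx-listen-port must not equal application-port")
    # wallarm-parser-disable takes a semicolon-separated list, e.g. json;base64.
    parsers = annotations.get(PREFIX + "wallarm-parser-disable")
    if parsers is not None and any(not p.strip() for p in parsers.split(";")):
        problems.append("wallarm-parser-disable: empty entry in semicolon-separated list")
    return problems


def lint_deployment(manifest):
    """Lint a Deployment dict; annotations live under spec.template.metadata."""
    meta = manifest.get("spec", {}).get("template", {}).get("metadata", {})
    problems = []
    if meta.get("labels", {}).get("wallarm-sidecar") != "enabled":
        # Assumption: the documented example labels the pod template wallarm-sidecar: enabled.
        problems.append("pod template lacks the wallarm-sidecar=enabled label")
    return problems + lint_annotations(meta.get("annotations", {}))


# Constructed sample manifest (not from the page); three of its annotations are wrong.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "myapp", "namespace": "default"},
    "spec": {"template": {"metadata": {
        "labels": {"app": "myapp", "wallarm-sidecar": "enabled"},
        "annotations": {
            "sidecar.wallarm.io/wallarm-mode": "block",
            "sidecar.wallarm.io/wallarm-parser-disable": "json;base64",
            "sidecar.wallarm.io/wallarm-mode-allow-override": "strictly",  # bad value
            "sidecar.wallarm.io/nginx-listen-port": "80",      # collides with
            "sidecar.wallarm.io/application-port": "80",       # the app port
            "sidecar.wallarm.io/proxy-extra-volume-mounts":
                '{"name": "nginx-extra", "mountPath": "/etc/nginx/extra"}',
            "sidecar.wallarm.io/wallarm-modee": "off",          # typo in name
        }}}},
}

if __name__ == "__main__":
    for problem in lint_deployment(SAMPLE_DEPLOYMENT):
        print("PROBLEM:", problem)
```

Run it as a CI step over the rendered manifests before `kubectl apply`; a non-empty result from `lint_deployment` is the signal to stop the rollout. Extend `ALLOWED` and `FREEFORM` when a newer chart adds annotations, otherwise the unknown-name check will report them as typos.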