
Pod's Annotations Supported by Wallarm Sidecar

The Wallarm Sidecar solution can be configured on a per-pod basis via annotations. This document lists the annotations the solution supports.

Priorities of global and per-pod settings

Per-pod annotations take precedence over Helm chart values.

Annotation list

Each entry gives the annotation, the corresponding Helm chart value (or "none" where the setting can only be set per pod), and its description.

Annotation: sidecar.wallarm.io/sidecar-injection-schema
Chart value: config.injectionStrategy.schema
Description: Pattern of Wallarm container deployment: single (default) or split.

Annotation: sidecar.wallarm.io/sidecar-injection-iptables-enable
Chart value: config.injectionStrategy.iptablesEnable
Description: Whether to start the iptables init container: true (default) or false.

Annotation: sidecar.wallarm.io/wallarm-application
Chart value: none
Description: Wallarm application ID.

Annotation: sidecar.wallarm.io/wallarm-block-page
Chart value: none
Description: Blocking page and error code to return for blocked requests.

Annotation: sidecar.wallarm.io/wallarm-enable-libdetection
Chart value: config.wallarm.enableLibDetection
Description: Whether to additionally validate SQL injection attacks using the libdetection library: on (default) or off.

Annotation: sidecar.wallarm.io/wallarm-fallback
Chart value: config.wallarm.fallback
Description: Wallarm fallback mode: on (default) or off.

Annotation: sidecar.wallarm.io/wallarm-mode
Chart value: config.wallarm.mode
Description: Traffic filtration mode: monitoring (default), safe_blocking, block or off.

Annotation: sidecar.wallarm.io/wallarm-mode-allow-override
Chart value: config.wallarm.modeAllowOverride
Description: Manages whether the wallarm_mode value can be overridden via settings in the Cloud: on (default), off or strict.

Annotation: sidecar.wallarm.io/wallarm-node-group
Chart value: config.wallarm.api.nodeGroup
Description: Specifies the name of the group of filtering nodes to which newly deployed nodes are added. Grouping nodes this way is available only when you create and connect nodes to the Cloud using an API token with the Deploy role (its value is passed in the config.wallarm.api.token parameter).
This value does not take effect on the Tarantool pods; their nodes are always linked to the node group specified in the config.wallarm.api.nodeGroup Helm chart value.

Annotation: sidecar.wallarm.io/wallarm-parser-disable
Chart value: none
Description: Disables parsers. The value is the name of the parser to disable, e.g. json. Multiple parsers can be specified, separated by semicolons, e.g. json;base64.

Annotation: sidecar.wallarm.io/wallarm-parse-response
Chart value: config.wallarm.parseResponse
Description: Whether to analyze application responses for attacks: on (default) or off. Response analysis is required for vulnerability detection during passive detection and active threat verification.

Annotation: sidecar.wallarm.io/wallarm-acl-export-enable
Chart value: config.wallarm.aclExportEnable
Description: Enables (on) or disables (off) sending statistics about requests from denylisted IPs from the node to the Cloud.
  • With the on value (default), statistics on requests from denylisted IPs are displayed in the Attacks section.
  • With the off value, statistics on requests from denylisted IPs are not displayed.

Annotation: sidecar.wallarm.io/wallarm-parse-websocket
Chart value: config.wallarm.parseWebsocket
Description: Wallarm has full WebSockets support. By default, WebSocket messages are not analyzed for attacks. To enable the analysis, activate the API Security subscription plan and set this annotation: on or off (default).

Annotation: sidecar.wallarm.io/wallarm-unpack-response
Chart value: config.wallarm.unpackResponse
Description: Whether to decompress compressed data returned in the application response: on (default) or off.

Annotation: sidecar.wallarm.io/wallarm-upstream-connect-attempts
Chart value: config.wallarm.upstream.connectAttempts
Description: Defines the number of immediate reconnect attempts to Tarantool or the Wallarm API.

Annotation: sidecar.wallarm.io/wallarm-upstream-reconnect-interval
Chart value: config.wallarm.upstream.reconnectInterval
Description: Defines the interval between attempts to reconnect to Tarantool or the Wallarm API once the number of unsuccessful attempts has exceeded the threshold for immediate reconnects.

Annotation: sidecar.wallarm.io/application-port
Chart value: config.nginx.applicationPort
Description: The port on which the Wallarm container expects the application to accept incoming requests, used if no exposed application pod ports were found.

Annotation: sidecar.wallarm.io/nginx-listen-port
Chart value: config.nginx.listenPort
Description: The port the Wallarm container listens on. This port is reserved for use by the Wallarm sidecar solution; it cannot be the same as application-port.

Annotation: sidecar.wallarm.io/nginx-http-include
Chart value: none
Description: Array of paths to NGINX configuration files to include at the http level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container.

Annotation: sidecar.wallarm.io/nginx-http-snippet
Chart value: none
Description: Additional inline configuration to include at the http level of the NGINX configuration.

Annotation: sidecar.wallarm.io/nginx-server-include
Chart value: none
Description: Array of paths to NGINX configuration files to include at the server level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container.

Annotation: sidecar.wallarm.io/nginx-server-snippet
Chart value: none
Description: Additional inline configuration to include at the server level of the NGINX configuration.

Annotation: sidecar.wallarm.io/nginx-location-include
Chart value: none
Description: Array of paths to NGINX configuration files to include at the location level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container.

Annotation: sidecar.wallarm.io/nginx-location-snippet
Chart value: none
Description: Additional inline configuration to include at the location level of the NGINX configuration.

Annotation: sidecar.wallarm.io/nginx-extra-modules
Chart value: none
Description: Array of additional NGINX modules to enable.

Annotation: sidecar.wallarm.io/nginx-worker-connections
Chart value: config.nginx.workerConnections
Description: The maximum number of simultaneous connections an NGINX worker process can open. By default, the chart value is set to 4096.

Annotation: sidecar.wallarm.io/nginx-worker-processes
Chart value: config.nginx.workerProcesses
Description: Number of NGINX worker processes. By default, the chart value is set to auto, which sets the number of workers to the number of CPU cores.

Annotation: sidecar.wallarm.io/proxy-extra-volumes
Chart value: none
Description: Custom volumes to add to the Pod (array). The annotation value must be wrapped in single quotes ('').

Annotation: sidecar.wallarm.io/proxy-extra-volume-mounts
Chart value: none
Description: Custom volume mounts to add to the sidecar-proxy container (JSON object). The annotation value must be wrapped in single quotes ('').

Annotation: sidecar.wallarm.io/proxy-cpu
Chart value: config.sidecar.containers.proxy.resources.requests.cpu
Description: Requested CPU for the sidecar-proxy container.

Annotation: sidecar.wallarm.io/proxy-memory
Chart value: config.sidecar.containers.proxy.resources.requests.memory
Description: Requested memory for the sidecar-proxy container.

Annotation: sidecar.wallarm.io/proxy-cpu-limit
Chart value: config.sidecar.containers.proxy.resources.limits.cpu
Description: CPU limit for the sidecar-proxy container.

Annotation: sidecar.wallarm.io/proxy-memory-limit
Chart value: config.sidecar.containers.proxy.resources.limits.memory
Description: Memory limit for the sidecar-proxy container.

Annotation: sidecar.wallarm.io/helper-cpu
Chart value: config.sidecar.containers.helper.resources.requests.cpu
Description: Requested CPU for the sidecar-helper container.

Annotation: sidecar.wallarm.io/helper-memory
Chart value: config.sidecar.containers.helper.resources.requests.memory
Description: Requested memory for the sidecar-helper container.

Annotation: sidecar.wallarm.io/helper-cpu-limit
Chart value: config.sidecar.containers.helper.resources.limits.cpu
Description: CPU limit for the sidecar-helper container.

Annotation: sidecar.wallarm.io/helper-memory-limit
Chart value: config.sidecar.containers.helper.resources.limits.memory
Description: Memory limit for the sidecar-helper container.

Annotation: sidecar.wallarm.io/init-iptables-cpu
Chart value: config.sidecar.initContainers.iptables.resources.requests.cpu
Description: Requested CPU for the sidecar-init-iptables container.

Annotation: sidecar.wallarm.io/init-iptables-memory
Chart value: config.sidecar.initContainers.iptables.resources.requests.memory
Description: Requested memory for the sidecar-init-iptables container.

Annotation: sidecar.wallarm.io/init-iptables-cpu-limit
Chart value: config.sidecar.initContainers.iptables.resources.limits.cpu
Description: CPU limit for the sidecar-init-iptables container.

Annotation: sidecar.wallarm.io/init-iptables-memory-limit
Chart value: config.sidecar.initContainers.iptables.resources.limits.memory
Description: Memory limit for the sidecar-init-iptables container.

Annotation: sidecar.wallarm.io/init-helper-cpu
Chart value: config.sidecar.initContainers.helper.resources.requests.cpu
Description: Requested CPU for the sidecar-init-helper container.

Annotation: sidecar.wallarm.io/init-helper-memory
Chart value: config.sidecar.initContainers.helper.resources.requests.memory
Description: Requested memory for the sidecar-init-helper container.

Annotation: sidecar.wallarm.io/init-helper-cpu-limit
Chart value: config.sidecar.initContainers.helper.resources.limits.cpu
Description: CPU limit for the sidecar-init-helper container.

Annotation: sidecar.wallarm.io/init-helper-memory-limit
Chart value: config.sidecar.initContainers.helper.resources.limits.memory
Description: Memory limit for the sidecar-init-helper container.

Annotation: sidecar.wallarm.io/profile
Chart value: none
Description: Assigns a specific TLS profile to an application pod for TLS/SSL termination.
This annotation and TLS/SSL termination are supported starting from Helm chart version 4.6.1.

Wallarm supports more NGINX directives than are covered by direct annotations. You can still configure them using the nginx-*-snippet and nginx-*-include annotations.

How to use annotations

To apply an annotation to a pod, specify it in the pod template of the application's Deployment object, e.g.:

kubectl edit deployment -n <APPLICATION_NAMESPACE> <APP_LABEL_VALUE>

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        wallarm-sidecar: enabled
      annotations:
        sidecar.wallarm.io/wallarm-mode: block
    spec:
      containers:
        - name: application
          image: kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
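The annotation table above states several constraints that are easy to get wrong by hand (allowed values per annotation, nginx-listen-port differing from application-port, JSON-valued volume annotations, the per-pod-over-chart precedence). The following script is an added example, not code from the Wallarm documentation or product: it reads a Deployment in the JSON shape that kubectl get deployment -o json returns, checks those constraints, resolves the effective value of each setting with the documented precedence, and builds the strategic-merge patch body that sets pod-template annotations. The SAMPLE_DEPLOYMENT and the chart values passed to effective_settings are constructed for the example; the function names are the example's own.

```python
"""Lint and resolve Wallarm sidecar annotations on a Deployment's pod template.

Added example, not part of the Wallarm documentation or product. Rules and
defaults below are the ones stated in the annotation table; the sample
Deployment and chart values are constructed for this example.
"""
import json

PREFIX = "sidecar.wallarm.io/"

# annotation suffix -> (corresponding chart value, allowed values), per the table
ENUM_RULES = {
    "sidecar-injection-schema": ("config.injectionStrategy.schema", {"single", "split"}),
    "sidecar-injection-iptables-enable": ("config.injectionStrategy.iptablesEnable", {"true", "false"}),
    "wallarm-enable-libdetection": ("config.wallarm.enableLibDetection", {"on", "off"}),
    "wallarm-fallback": ("config.wallarm.fallback", {"on", "off"}),
    "wallarm-mode": ("config.wallarm.mode", {"monitoring", "safe_blocking", "block", "off"}),
    "wallarm-mode-allow-override": ("config.wallarm.modeAllowOverride", {"on", "off", "strict"}),
    "wallarm-parse-response": ("config.wallarm.parseResponse", {"on", "off"}),
    "wallarm-acl-export-enable": ("config.wallarm.aclExportEnable", {"on", "off"}),
    "wallarm-parse-websocket": ("config.wallarm.parseWebsocket", {"on", "off"}),
    "wallarm-unpack-response": ("config.wallarm.unpackResponse", {"on", "off"}),
}

# default of each chart value as stated in the table
CHART_DEFAULTS = {
    "config.injectionStrategy.schema": "single",
    "config.injectionStrategy.iptablesEnable": "true",
    "config.wallarm.enableLibDetection": "on",
    "config.wallarm.fallback": "on",
    "config.wallarm.mode": "monitoring",
    "config.wallarm.modeAllowOverride": "on",
    "config.wallarm.parseResponse": "on",
    "config.wallarm.aclExportEnable": "on",
    "config.wallarm.parseWebsocket": "off",
    "config.wallarm.unpackResponse": "on",
}


def pod_annotations(deployment):
    """Wallarm annotations of the pod template (Deployment-level annotations are not injected)."""
    meta = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    return {k: str(v) for k, v in (meta.get("annotations") or {}).items() if k.startswith(PREFIX)}


def validate_annotations(annotations):
    """Return a list of problems; an empty list means the annotations satisfy the table's rules."""
    problems = []
    w = {k[len(PREFIX):]: v for k, v in annotations.items()}
    for key, (_, allowed) in ENUM_RULES.items():
        if key in w and w[key] not in allowed:
            problems.append(f"{key}: '{w[key]}' not in {sorted(allowed)}")
    # both ports must be valid TCP ports, and the sidecar listen port may not equal the app port
    ports = {}
    for key in ("application-port", "nginx-listen-port"):
        if key in w:
            if w[key].isdigit() and 1 <= int(w[key]) <= 65535:
                ports[key] = int(w[key])
            else:
                problems.append(f"{key}: '{w[key]}' is not a valid TCP port")
    if len(ports) == 2 and ports["application-port"] == ports["nginx-listen-port"]:
        problems.append("nginx-listen-port must differ from application-port")
    # volume annotations carry JSON; malformed JSON would break injection, so reject it here
    for key in ("proxy-extra-volumes", "proxy-extra-volume-mounts"):
        if key in w:
            try:
                json.loads(w[key])
            except ValueError:
                problems.append(f"{key}: value is not valid JSON")
    # wallarm-parser-disable is a semicolon-separated list of parser names
    if "wallarm-parser-disable" in w and any(not n.strip() for n in w["wallarm-parser-disable"].split(";")):
        problems.append("wallarm-parser-disable: empty parser name in list")
    return problems


def effective_settings(annotations, chart_values=None):
    """Resolve each enum setting: per-pod annotation > Helm chart value > documented default."""
    chart = {**CHART_DEFAULTS, **(chart_values or {})}
    return {chart_key: annotations.get(PREFIX + key, chart[chart_key])
            for key, (chart_key, _) in ENUM_RULES.items()}


def annotation_patch(annotations):
    """Strategic-merge patch body (usable with `kubectl patch deployment ... -p`) setting pod-template annotations."""
    return json.dumps({"spec": {"template": {"metadata": {"annotations": dict(annotations)}}}})


# constructed sample with two deliberate mistakes: an unknown mode and a listen port equal to the app port
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "myapp", "namespace": "default"},
    "spec": {"template": {"metadata": {
        "labels": {"app": "myapp", "wallarm-sidecar": "enabled"},
        "annotations": {
            PREFIX + "wallarm-mode": "blocking",
            PREFIX + "application-port": "8080",
            PREFIX + "nginx-listen-port": "8080",
            PREFIX + "wallarm-parser-disable": "json;base64",
            PREFIX + "proxy-extra-volumes": json.dumps([{"name": "extra", "emptyDir": {}}]),
        }}}},
}

if __name__ == "__main__":
    ann = pod_annotations(SAMPLE_DEPLOYMENT)
    for problem in validate_annotations(ann):
        print("problem:", problem)
    print(json.dumps(effective_settings(ann, {"config.wallarm.mode": "safe_blocking"}), indent=2))
    print(annotation_patch({PREFIX + "wallarm-mode": "block"}))
```

Running it on the sample reports the two constructed mistakes; the effective-settings output shows that a valid per-pod wallarm-mode annotation wins over the chart value, and that without one the chart value (or, failing that, the table's default) applies. The checks are limited to what the table states; values the table leaves open-ended (resource quantities, file paths, module names) are not validated.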