
Supported per-pod annotations

The Wallarm Sidecar proxy solution can be configured on a per-pod basis via annotations. This document lists the annotations supported by the solution.

Priorities of global and per-pod settings

Per-pod annotations take precedence over Helm chart values.

Before using an annotation, add the sidecar.wallarm.io/ prefix to it, e.g.:

sidecar.wallarm.io/wallarm-mode: block

Annotation list

| Annotation | Corresponding chart value | Description |
|---|---|---|
| sidecar-injection-schema | config.injectionStrategy.schema | Pattern of Wallarm container deployment: single (default) or split. |
| sidecar-injection-iptables-enable | config.injectionStrategy.iptablesEnable | Whether to start the iptables init container: true (default) or false. |
| wallarm-application | No chart value | Wallarm application ID. |
| wallarm-block-page | No chart value | Blocking page and error code returned for blocked requests. |
| wallarm-enable-libdetection | config.wallarm.enableLibDetection | Whether to additionally validate SQL injection attacks using the libdetection library: on or off (default). |
| wallarm-fallback | config.wallarm.fallback | Wallarm fallback mode: on (default) or off. |
| wallarm-mode | config.wallarm.mode | Traffic filtration mode: monitoring (default), safe_blocking, block or off. |
| wallarm-mode-allow-override | config.wallarm.modeAllowOverride | Whether the wallarm_mode value can be overridden by settings in the Cloud: on (default), off or strict. |
| wallarm-parser-disable | No chart value | Disables parsers. The value is the name of the parser to disable, e.g. json. Multiple parsers are separated by a semicolon, e.g. json;base64. |
| wallarm-parse-response | config.wallarm.parseResponse | Whether to analyze application responses for attacks: on (default) or off. Response analysis is required for vulnerability detection during passive detection and active threat verification. |
| wallarm-parse-websocket | config.wallarm.parseWebsocket | Wallarm has full WebSockets support. By default, WebSocket messages are not analyzed for attacks. To enable the feature, use this annotation: on or off (default). |
| wallarm-unpack-response | config.wallarm.unpackResponse | Whether to decompress compressed data returned in the application response: on (default) or off. |
| wallarm-upstream-connect-attempts | config.wallarm.upstream.connectAttempts | Number of immediate reconnects to Tarantool or the Wallarm API. |
| wallarm-upstream-reconnect-interval | config.wallarm.upstream.reconnectInterval | Interval between attempts to reconnect to Tarantool or the Wallarm API once the number of unsuccessful attempts has exceeded the threshold for immediate reconnects. |
| application-port | config.nginx.applicationPort | Port to which the Wallarm container forwards incoming requests if no exposed application pod ports were found. |
| nginx-listen-port | config.nginx.listenPort | Port the Wallarm container listens on. This port is reserved for the Wallarm sidecar solution and cannot be the same as application-port. |
| nginx-http-include | No chart value | Array of paths to NGINX configuration files to include at the http level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| nginx-http-snippet | No chart value | Additional inline configuration to include at the http level of the NGINX configuration. |
| nginx-server-include | No chart value | Array of paths to NGINX configuration files to include at the server level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| nginx-server-snippet | No chart value | Additional inline configuration to include at the server level of the NGINX configuration. |
| nginx-location-include | No chart value | Array of paths to NGINX configuration files to include at the location level of the NGINX configuration. Each file must be mounted into the container, and the path must point to the file inside the container. |
| nginx-location-snippet | No chart value | Additional inline configuration to include at the location level of the NGINX configuration. |
| nginx-extra-modules | No chart value | Array of additional NGINX modules to enable. |
| proxy-extra-volumes | No chart value | Custom volumes to add to the Pod (array). |
| proxy-extra-volume-mounts | No chart value | Custom volume mounts to add to the sidecar-proxy container (JSON object). |
| proxy-cpu | config.sidecar.containers.proxy.resources.requests.cpu | Requested CPU for the sidecar-proxy container. |
| proxy-memory | config.sidecar.containers.proxy.resources.requests.memory | Requested memory for the sidecar-proxy container. |
| proxy-cpu-limit | config.sidecar.containers.proxy.resources.limits.cpu | CPU limit for the sidecar-proxy container. |
| proxy-memory-limit | config.sidecar.containers.proxy.resources.limits.memory | Memory limit for the sidecar-proxy container. |
| helper-cpu | config.sidecar.containers.helper.resources.requests.cpu | Requested CPU for the sidecar-helper container. |
| helper-memory | config.sidecar.containers.helper.resources.requests.memory | Requested memory for the sidecar-helper container. |
| helper-cpu-limit | config.sidecar.containers.helper.resources.limits.cpu | CPU limit for the sidecar-helper container. |
| helper-memory-limit | config.sidecar.containers.helper.resources.limits.memory | Memory limit for the sidecar-helper container. |
| init-iptables-cpu | config.sidecar.initContainers.iptables.resources.requests.cpu | Requested CPU for the sidecar-init-iptables container. |
| init-iptables-memory | config.sidecar.initContainers.iptables.resources.requests.memory | Requested memory for the sidecar-init-iptables container. |
| init-iptables-cpu-limit | config.sidecar.initContainers.iptables.resources.limits.cpu | CPU limit for the sidecar-init-iptables container. |
| init-iptables-memory-limit | config.sidecar.initContainers.iptables.resources.limits.memory | Memory limit for the sidecar-init-iptables container. |
| init-helper-cpu | config.sidecar.initContainers.helper.resources.requests.cpu | Requested CPU for the sidecar-init-helper container. |
| init-helper-memory | config.sidecar.initContainers.helper.resources.requests.memory | Requested memory for the sidecar-init-helper container. |
| init-helper-cpu-limit | config.sidecar.initContainers.helper.resources.limits.cpu | CPU limit for the sidecar-init-helper container. |
| init-helper-memory-limit | config.sidecar.initContainers.helper.resources.limits.memory | Memory limit for the sidecar-init-helper container. |

Wallarm supports more NGINX directives than are covered by direct annotations. You can still configure them using the nginx-*-snippet and nginx-*-include annotations.

How to use annotations

To apply an annotation to a pod, specify it in the pod template of the application's Deployment object. Open the Deployment for editing:

kubectl edit deployment -n <KUBERNETES_NAMESPACE> <APP_LABEL_VALUE>

Then add the annotation under spec.template.metadata.annotations, e.g.:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        wallarm-sidecar: enabled
      annotations:
        sidecar.wallarm.io/wallarm-mode: block
    spec:
      containers:
        - name: application
          image: kennethreitz/httpbin
          ports:
            - name: http
              containerPort: 80
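The precedence rule (per-pod annotations override Helm chart values) and the constraints in the annotation table are easy to get wrong in a manifest: a forgotten sidecar.wallarm.io/ prefix, an unquoted YAML boolean, a misspelled mode, or a nginx-listen-port that collides with application-port. The following is an added example, not part of the Wallarm documentation or the sidecar project, of a small pre-deploy lint that checks a Deployment's pod-template annotations against the values listed on this page and resolves the effective setting with the documented precedence. The chart values and the two sample Deployments are constructed for the example; the port numbers in them are placeholders, not chart defaults.

```python
"""Added example: lint Wallarm sidecar annotations on a Deployment.

Checks the enumerated values from the annotation table, the
sidecar.wallarm.io/ prefix rule and the rule that nginx-listen-port must
differ from application-port, and resolves each setting with per-pod
annotations taking precedence over Helm chart values.
"""

PREFIX = "sidecar.wallarm.io/"

# Allowed values per the annotation table (first entry is the documented default).
ENUM_VALUES = {
    "sidecar-injection-schema": ("single", "split"),
    "sidecar-injection-iptables-enable": ("true", "false"),
    "wallarm-enable-libdetection": ("off", "on"),
    "wallarm-fallback": ("on", "off"),
    "wallarm-mode": ("monitoring", "safe_blocking", "block", "off"),
    "wallarm-mode-allow-override": ("on", "off", "strict"),
    "wallarm-parse-response": ("on", "off"),
    "wallarm-parse-websocket": ("off", "on"),
    "wallarm-unpack-response": ("on", "off"),
}

# Annotation -> corresponding Helm chart value path (subset of the table).
CHART_VALUE = {
    "sidecar-injection-schema": "config.injectionStrategy.schema",
    "sidecar-injection-iptables-enable": "config.injectionStrategy.iptablesEnable",
    "wallarm-enable-libdetection": "config.wallarm.enableLibDetection",
    "wallarm-fallback": "config.wallarm.fallback",
    "wallarm-mode": "config.wallarm.mode",
    "wallarm-mode-allow-override": "config.wallarm.modeAllowOverride",
    "wallarm-parse-response": "config.wallarm.parseResponse",
    "wallarm-parse-websocket": "config.wallarm.parseWebsocket",
    "wallarm-unpack-response": "config.wallarm.unpackResponse",
    "application-port": "config.nginx.applicationPort",
    "nginx-listen-port": "config.nginx.listenPort",
}


def pod_annotations(deployment):
    """Annotations on the pod template, which is where the page says to put them."""
    return deployment["spec"]["template"].get("metadata", {}).get("annotations") or {}


def chart_lookup(chart_values, dotted_path):
    """Walk a Helm values tree by a dotted path; None if the key is unset."""
    node = chart_values
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_setting(deployment, chart_values, name):
    """Resolve a setting: the per-pod annotation wins over the chart value.

    Returns (value, source) with source in {"annotation", "chart", "unset"}.
    """
    value = pod_annotations(deployment).get(PREFIX + name)
    if value is not None:
        return str(value), "annotation"
    path = CHART_VALUE.get(name)
    chart = chart_lookup(chart_values, path) if path else None
    if chart is not None:
        return str(chart), "chart"
    return None, "unset"


def lint(deployment, chart_values):
    """Return a list of (annotation, problem) tuples; an empty list means clean."""
    findings = []
    for key, value in pod_annotations(deployment).items():
        if not key.startswith(PREFIX):
            # A bare table name without the prefix is not a supported annotation.
            if key in ENUM_VALUES or key in CHART_VALUE:
                findings.append((key, "missing %s prefix" % PREFIX))
            continue
        name = key[len(PREFIX):]
        if not isinstance(value, str):
            # Kubernetes annotation values must be strings; an unquoted YAML
            # boolean or integer is rejected by the API server.
            findings.append((key, "value must be a quoted string"))
            continue
        allowed = ENUM_VALUES.get(name)
        if allowed and value not in allowed:
            findings.append((key, "value %r not in %s" % (value, list(allowed))))
    listen, _ = effective_setting(deployment, chart_values, "nginx-listen-port")
    app, _ = effective_setting(deployment, chart_values, "application-port")
    if listen is not None and listen == app:
        findings.append((PREFIX + "nginx-listen-port",
                         "must differ from application-port (both %s)" % listen))
    return findings


# Constructed sample inputs (placeholder ports, not chart defaults).
CHART_VALUES = {"config": {"wallarm": {"mode": "monitoring", "fallback": "on"},
                           "nginx": {"applicationPort": 80, "listenPort": 8080}}}

GOOD = {"spec": {"template": {"metadata": {
    "labels": {"app": "myapp", "wallarm-sidecar": "enabled"},
    "annotations": {PREFIX + "wallarm-mode": "block"}}}}}

BAD = {"spec": {"template": {"metadata": {"annotations": {
    PREFIX + "wallarm-mode": "blocking",                  # misspelled "block"
    "wallarm-fallback": "off",                            # prefix forgotten
    PREFIX + "sidecar-injection-iptables-enable": False,  # unquoted YAML bool
    PREFIX + "application-port": "8080",                  # collides with listenPort
}}}}}

if __name__ == "__main__":
    print(effective_setting(GOOD, CHART_VALUES, "wallarm-mode"))
    for finding in lint(BAD, CHART_VALUES):
        print("%s: %s" % finding)
```

Running the script reports four findings for the BAD manifest and none for the GOOD one; `effective_setting` shows that the GOOD pod runs in block mode from its annotation while its fallback setting still comes from the chart value. The table in the script only covers the annotations whose allowed values the page enumerates; free-form ones such as wallarm-block-page or the nginx-*-snippet annotations are passed through unchecked.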