Istio Application Security
This feature is currently in Early Availability and is available only upon request from the local Check Point team.
CloudGuard WAF for Istio is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Istio IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Istio Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.
This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.
Istio version 1.20.0+ cluster
Helm 3 Package Manager installed on your local machine
The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster
Run the following command:
wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/cloudguard-waf-istio.tgz
The webhook only manages deployments in the namespace where it is installed, so deploy it in the relevant istio-ingressgateway namespace.
Note: change <ingress-gateway namespace> to the relevant one.
Make sure you obtain the token from the Enforcement Profile page first. You will need it in the command that deploys the Helm chart.
Obtain the <token> from the Profile page, Authentication section.
Run the following command:
helm install cloudguard-waf-istio.tgz --name-template cloudguard-waf-istio --set token=<token> -n <ingress-gateway namespace>
The CloudGuard WAF webhook functions only when this flag is added to the Istio Ingress Controller environment. To add the flag, which is set as a label on the namespace, run the following command:
kubectl label namespace <ingress-gateway namespace> inject-waf-attachment="true" --overwrite
Run the following command:
kubectl rollout restart deployment <gateway deployment> -n <ingress-gateway namespace>
To remove the CloudGuard WAF Nano Agent from your Istio Ingress Controller, follow these steps.
Run the following command:
helm upgrade --reuse-values --set removeWaf=true cloudguard-waf-istio ./cloudguard-waf-istio.tgz -n istio-system
Run the following command:
kubectl label namespace istio-system inject-waf-attachment="true" --overwrite
Run the following command:
kubectl rollout restart deployment istio-ingressgateway -n istio-system