Istio Application Security
This feature is currently in Early Availability and is available only upon request from the local Check Point team.
CloudGuard WAF for Istio is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Istio IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Istio Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.
This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.
Istio version 1.20.0+ cluster
The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster
Run the following command:
wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/cloudguard-waf-istio.tgz
Run the following command:
helm install cloudguard-waf-istio.tgz --name-template cloudguard-waf-istio --set token=<token> -n <ingress-gateway namespace>
The CloudGuard WAF webhook functions only when this flag, a label on the ingress gateway namespace, is added to the Istio Ingress Controller environment. To add the flag, run the following command:
kubectl label namespace <ingress-gateway namespace> inject-waf-attachment="true" --overwrite
Run the following command:
kubectl rollout restart deployment <gateway deployment> -n <ingress-gateway namespace>
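The script below is an added example, not part of Check Point's documentation. It checks the two conditions the installation steps depend on (the inject-waf-attachment label on the gateway namespace and a completed rollout), then lists the containers in the gateway deployment so you can review what the webhook added. It assumes kubectl already targets the cluster; the function names and the 120-second timeout are hypothetical choices.

```shell
#!/bin/sh
# Added example: post-install check for the CloudGuard WAF Istio steps.
# Assumption: kubectl is configured for the target cluster.

# Succeeds only if the namespace carries inject-waf-attachment=true.
waf_label_ok() {
    ns="$1"
    value=$(kubectl get namespace "$ns" \
        -o jsonpath='{.metadata.labels.inject-waf-attachment}') || return 2
    [ "$value" = "true" ]
}

# Prints the container names in the deployment's pod template, one per line.
gateway_containers() {
    kubectl get deployment "$2" -n "$1" \
        -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\n"}{end}'
}

# Fails early if the label is missing or the restart did not finish,
# because in either case the gateway may be running without the WAF.
verify_waf_injection() {
    ns="$1"; deploy="$2"
    if ! waf_label_ok "$ns"; then
        echo "FAIL: namespace $ns is not labelled inject-waf-attachment=true" >&2
        return 1
    fi
    if ! kubectl rollout status "deployment/$deploy" -n "$ns" \
            --timeout=120s >/dev/null; then
        echo "FAIL: rollout of $deploy did not complete" >&2
        return 1
    fi
    echo "Containers in $deploy after the restart:"
    gateway_containers "$ns" "$deploy" | sed 's/^/  - /'
}

# Run only when called as: ./verify.sh <namespace> <gateway deployment>
if [ "$#" -eq 2 ]; then
    verify_waf_injection "$1" "$2"
fi
```

A failed label check means the webhook will not act on the namespace; a failed rollout means the running gateway pods may still be the ones created before the agent was added.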
To remove the CloudGuard WAF Nano Agent from your Istio Ingress Controller, follow these steps:
Run the following command:
helm upgrade --reuse-values --set removeWaf=true cloudguard-waf-istio ./cloudguard-waf-istio.tgz -n <istio-gateway-namespace>
Run the following command:
kubectl label namespace <istio-gateway-namespace> inject-waf-attachment-
Run the following command:
kubectl rollout restart deployment istio-ingressgateway -n <istio-gateway-namespace>
installed on your local machine
Make sure you obtained the token from the page first; you will need it in the command to deploy the Helm chart.