Istio Application Security

CloudGuard WAF for Istio is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Istio IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Istio Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.

Prerequisites

  • Istio version 1.20.0+ cluster

  • Helm 3 Package Manager installed on your local machine

  • The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

Installation

Step 1: Download Helm chart

Run the following command:

wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/cloudguard-waf-istio.tgz

The webhook only manages deployments in the namespace where it is installed, so deploy the chart in the namespace that contains your istio-ingressgateway deployment.

In the commands below, replace <ingress-gateway namespace> with the name of that namespace.

Step 2: Install Helm chart

Before deploying the Helm chart, obtain the token from the Enforcement Profile page; the install command below requires it.

The <token> is shown in the Authentication section of the Profile page.

Run the following command:

helm install cloudguard-waf-istio.tgz --name-template cloudguard-waf-istio --set token=<token> -n <ingress-gateway namespace>

To set the label that the webhook's object selector matches on, add the following to the command:

--set webhook.objectSelector.labelName="app" --set webhook.objectSelector.labelValue="<usually namespace name>"

Step 3: Add the CloudGuard WAF label to your ingress-gateway namespace

The CloudGuard WAF webhook injects the attachment only when this label is present on the Istio ingress gateway namespace. To add the label, run the following command:

kubectl label namespace <ingress-gateway namespace> inject-waf-attachment="true" --overwrite

Step 4: Restart your ingress gateway deployment

Run the following command:

kubectl rollout restart deployment <gateway deployment> -n <ingress-gateway namespace>
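The four installation steps above, as an added example script that is not part of the CloudGuard WAF documentation, with input validation and a post-install check that the namespace label actually landed. It assumes the chart is downloaded to ./cloudguard-waf-istio.tgz and that the gateway deployment is named istio-ingressgateway unless a third argument is given.

```shell
#!/usr/bin/env bash
# Added example (not from the CloudGuard WAF documentation): runs the four
# installation steps and verifies the result. Assumes the chart file is
# ./cloudguard-waf-istio.tgz and the gateway deployment is istio-ingressgateway.
set -eu

# Placeholders such as <token> or an empty string must never reach helm/kubectl.
is_placeholder() {
  case "$1" in
    ""|\<*\>) return 0 ;;
    *)        return 1 ;;
  esac
}

# The webhook only acts when the namespace carries inject-waf-attachment=true.
# Takes the label value (as printed by kubectl jsonpath) so it is testable offline.
waf_label_ok() {
  [ "$1" = "true" ]
}

install_waf() {
  ns="$1"; token="$2"; gw="${3:-istio-ingressgateway}"
  if is_placeholder "$ns" || is_placeholder "$token"; then
    echo "namespace and token must be real values, not placeholders" >&2
    return 1
  fi
  # Step 1: fetch the chart if it is not already present.
  [ -f ./cloudguard-waf-istio.tgz ] || \
    wget https://cloudguard-waf.i2.checkpoint.com/downloads/helm/cloudguard-waf-istio.tgz
  # Step 2: install the chart into the ingress gateway namespace.
  helm install ./cloudguard-waf-istio.tgz --name-template cloudguard-waf-istio \
    --set token="$token" -n "$ns"
  # Step 3: label the namespace so the webhook starts injecting.
  kubectl label namespace "$ns" inject-waf-attachment="true" --overwrite
  # Step 4: restart the gateway so the webhook mutates the new pods, then wait.
  kubectl rollout restart deployment "$gw" -n "$ns"
  kubectl rollout status deployment "$gw" -n "$ns" --timeout=180s
  # Verify the label is really set before declaring success.
  label=$(kubectl get namespace "$ns" \
    -o jsonpath='{.metadata.labels.inject-waf-attachment}')
  if ! waf_label_ok "$label"; then
    echo "namespace $ns is missing inject-waf-attachment=true" >&2
    return 1
  fi
  echo "CloudGuard WAF installed; inspect the $gw pods for the injected agent container"
}

# Usage: WAF_NAMESPACE=<namespace> WAF_TOKEN=<token> [WAF_GATEWAY=<deployment>] ./install-waf.sh
if [ -n "${WAF_NAMESPACE:-}" ] && [ -n "${WAF_TOKEN:-}" ]; then
  install_waf "$WAF_NAMESPACE" "$WAF_TOKEN" "${WAF_GATEWAY:-}"
fi
```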

Uninstallation

In order to remove the CloudGuard WAF Nano Agent from your Istio Ingress Controller, follow these steps.

Step 1: Remove Helm chart

Run the following command:

helm upgrade --reuse-values --set removeWaf=true cloudguard-waf-istio ./cloudguard-waf-istio.tgz -n <istio-gateway-namespace>

Step 2: Remove the CloudGuard WAF label from your ingress-gateway namespace

Run the following command:

kubectl label namespace <istio-gateway-namespace> inject-waf-attachment-

Step 3: Restart your ingress gateway deployment

Run the following command:

kubectl rollout restart deployment istio-ingressgateway -n <istio-gateway-namespace>
