Envoy Application Security

CloudGuard WAF for Envoy Gateway is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Envoy Gateway deployment and automatically injects the required WAF agent and attachment into the gateway pods. The configuration of Envoy Gateway follows standard practices for defining gateway resources and routing traffic to your services.

Prerequisites

  • Envoy Gateway deployed in your Kubernetes cluster

  • The Envoy image must be envoyproxy/envoy-contrib:<version>

  • Kubernetes cluster with RBAC enabled and cluster-admin permissions

  • Helm 3 installed on your local machine

  • kubectl installed and configured to access your cluster

  • A profile created in the CloudGuard UI with the agent token copied and policy set to Enforce

Installation

Step 1 – Create profile and copy token

Create any profile in the CloudGuard UI, copy the agent token, and ensure the policy is set to Enforce.

Step 2 – Label the gateway namespace

Step 3 – Label the Deployment

Ensure your Envoy Gateway Deployment carries the label configured in the webhook.objectSelector values:

  • webhook.objectSelector.labelName

  • webhook.objectSelector.labelValue

Example:

Step 4 – Install the webhook using Helm

Replace <version> with the latest tag from this repository: https://hub.docker.com/r/checkpoint/cloudguard-waf-injector/tags

Step 5 – Restart the gateway Deployment
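A preflight check for Steps 3 to 5, added here as an example and not part of the CloudGuard documentation or chart: it takes a Deployment as returned by `kubectl get deployment <name> -o json` (parsed with json) together with the label name and value you set for webhook.objectSelector.labelName and webhook.objectSelector.labelValue, and reports anything that would stop the webhook from matching the gateway or violate the envoy-contrib image prerequisite. The label name/value and both Deployment objects are constructed placeholders.

```python
import json

# Prerequisite from this page: the gateway must run the contrib Envoy image.
REQUIRED_IMAGE_PREFIX = "envoyproxy/envoy-contrib:"


def check_gateway_deployment(deployment, label_name, label_value):
    """Return a list of problems for a Deployment object (the dict you get from
    json.loads of `kubectl get deployment <name> -o json`). label_name and
    label_value are the values set for webhook.objectSelector.labelName and
    webhook.objectSelector.labelValue. An empty list means the Deployment
    carries the selector label and every container uses envoyproxy/envoy-contrib."""
    problems = []
    labels = deployment.get("metadata", {}).get("labels") or {}
    found = labels.get(label_name)
    if found != label_value:
        problems.append(f"metadata.labels[{label_name!r}] is {found!r}, expected {label_value!r}")
    containers = deployment.get("spec", {}).get("template", {}).get("spec", {}).get("containers") or []
    if not containers:
        problems.append("pod template has no containers")
    for c in containers:
        image = c.get("image", "")
        if not image.startswith(REQUIRED_IMAGE_PREFIX):
            problems.append(f"container {c.get('name')!r} uses {image!r}, expected {REQUIRED_IMAGE_PREFIX}<version>")
    return problems


# Constructed sample: a correctly labelled gateway Deployment on the contrib image.
GOOD_DEPLOYMENT = json.loads("""{
  "metadata": {"name": "envoy-gateway", "namespace": "envoy-gateway-system",
               "labels": {"app.kubernetes.io/name": "envoy", "waf-inject": "enabled"}},
  "spec": {"template": {"spec": {"containers": [
      {"name": "envoy", "image": "envoyproxy/envoy-contrib:v1.30.0"}]}}}
}""")

# Constructed sample: selector label absent and the stock (non-contrib) Envoy image.
BAD_DEPLOYMENT = json.loads("""{
  "metadata": {"name": "envoy-gateway", "labels": {"app.kubernetes.io/name": "envoy"}},
  "spec": {"template": {"spec": {"containers": [
      {"name": "envoy", "image": "envoyproxy/envoy:v1.30.0"}]}}}
}""")

if __name__ == "__main__":
    # "waf-inject"/"enabled" are placeholders; use the values you set in the chart.
    for name, dep in (("good", GOOD_DEPLOYMENT), ("bad", BAD_DEPLOYMENT)):
        print(name, check_gateway_deployment(dep, "waf-inject", "enabled") or "ok")
```

Run it against the live object before Step 4 and again after the restart in Step 5; an empty result means the Deployment is one the webhook can match.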
