# Envoy Application Security

CloudGuard WAF for Envoy Gateway is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Envoy Gateway deployment and automatically injects the required WAF agent and attachment into the gateway pods. The configuration of Envoy Gateway follows standard practices for defining gateway resources and routing traffic to your services.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FKrpF3V4AoHN3Pyj1YnD6%2Fimage.png?alt=media&#x26;token=9aa83989-b236-4a7a-9475-2003fae0abac" alt=""><figcaption></figcaption></figure>

### Prerequisites

* Envoy Gateway deployed in your Kubernetes cluster
* The Envoy image must be `envoyproxy/envoy-contrib:<version>`
* Kubernetes cluster with RBAC enabled and cluster-admin permissions
* Helm 3 installed on your local machine
* kubectl installed and configured to access your cluster
* A profile created in the CloudGuard UI with the agent token copied and policy set to **Enforce**

### Installation

#### Step 1 – Create profile and copy token

Create any profile in the CloudGuard UI, copy the agent token, and ensure the policy is set to **Enforce**.

#### Step 2 – Label the gateway namespace

```
kubectl label namespace <envoy gateway namespace> inject-waf-attachment="true" --overwrite
```

#### Step 3 – Label the Deployment

Ensure your Envoy Gateway Deployment carries the label that the webhook's `objectSelector` matches on. The label name and value are the ones you pass to the Helm chart in Step 4:

* `webhook.objectSelector.labelName`
* `webhook.objectSelector.labelValue`

Example:

```
kubectl label deployment <envoy gateway deployment name> <label name>=<label value> -n <envoy gateway namespace> --overwrite
```

#### Step 4 – Install the webhook using Helm

```
helm install cloudguard-webhook \
oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
--version <version> \
--set webhook.objectSelector.labelValue=<label value> \
--set webhook.objectSelector.labelName=<label name> \
--set appsec.persistence.enabled=false \
--set kind=envoy_gateway \
--set webhook.envoyGatewayImageName=envoy \
--set webhook.gatewayResourceNamespace=<gateway resource namespace> \
--set webhook.gatewayResourceName=<gateway resource name> \
--set appsec.agentToken=<token> \
-n <envoy gateway namespace>
```

{% hint style="info" %}
Replace `<version>` with the latest tag of the image repository: <https://hub.docker.com/r/checkpoint/cloudguard-waf-injector/tags>
{% endhint %}

#### Step 5 – Restart the gateway Deployment

```
kubectl rollout restart deployment/<envoy gateway deployment name> -n <envoy gateway namespace>
```
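Steps 2 to 5 above, collected into one script as an added example (this is not part of the CloudGuard documentation or the Helm chart). It goes a little beyond the page: it validates the selector label name and value against Kubernetes label syntax before touching the cluster, prints the four commands in dry-run mode by default, and reads the agent token from the environment so the token is never written into the script file. Every namespace, deployment, label and resource name below is an assumed placeholder; override them through the environment.

```shell
#!/bin/sh
# Added example, not part of the CloudGuard documentation: a wrapper that runs
# Steps 2-5 of the installation above with input validation and a dry-run mode.
# Every value below is an assumed placeholder; override it via the environment.
set -eu

EG_NAMESPACE="${EG_NAMESPACE:-envoy-gateway-system}"  # <envoy gateway namespace> (assumed)
EG_DEPLOYMENT="${EG_DEPLOYMENT:-envoy-gateway}"        # <envoy gateway deployment name> (assumed)
LABEL_NAME="${LABEL_NAME:-waf-inject}"                 # <label name> (assumed)
LABEL_VALUE="${LABEL_VALUE:-enabled}"                  # <label value> (assumed)
GW_RES_NS="${GW_RES_NS:-default}"                      # <gateway resource namespace> (assumed)
GW_RES_NAME="${GW_RES_NAME:-eg}"                       # <gateway resource name> (assumed)
CHART_VERSION="${CHART_VERSION:-<version>}"            # use the latest tag from Docker Hub
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print the commands, 0 = execute them

# One label name/value segment: alphanumeric at both ends, at most 63 characters.
SEG_RE='^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$'
# Optional label-key prefix: a DNS subdomain (lowercase labels joined by dots).
PREFIX_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Succeeds when the argument is a syntactically valid Kubernetes label key.
label_key_ok() {
  key="$1"
  case "$key" in
    */*)
      prefix="${key%/*}"; name="${key##*/}"
      [ -n "$prefix" ] && [ "${#prefix}" -le 253 ] && matches "$prefix" "$PREFIX_RE" || return 1
      ;;
    *) name="$key" ;;
  esac
  matches "$name" "$SEG_RE"
}

# Succeeds when the argument is a valid label value (an empty value is allowed).
label_value_ok() {
  [ -z "$1" ] || matches "$1" "$SEG_RE"
}

# Prints the command in dry-run mode, otherwise executes it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

step2_label_namespace() {
  run kubectl label namespace "$EG_NAMESPACE" inject-waf-attachment="true" --overwrite
}

step3_label_deployment() {
  run kubectl label deployment "$EG_DEPLOYMENT" "$LABEL_NAME=$LABEL_VALUE" -n "$EG_NAMESPACE" --overwrite
}

step4_install_webhook() {
  # The agent token is read from the environment so it never lives in this file;
  # a real run refuses to proceed with the "<token>" placeholder.
  token="${CLOUDGUARD_AGENT_TOKEN:-<token>}"
  if [ "$DRY_RUN" != 1 ] && [ "$token" = "<token>" ]; then
    echo "set CLOUDGUARD_AGENT_TOKEN to the token copied from the profile" >&2; return 1
  fi
  run helm install cloudguard-webhook \
    oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
    --version "$CHART_VERSION" \
    --set "webhook.objectSelector.labelValue=$LABEL_VALUE" \
    --set "webhook.objectSelector.labelName=$LABEL_NAME" \
    --set appsec.persistence.enabled=false \
    --set kind=envoy_gateway \
    --set webhook.envoyGatewayImageName=envoy \
    --set "webhook.gatewayResourceNamespace=$GW_RES_NS" \
    --set "webhook.gatewayResourceName=$GW_RES_NAME" \
    --set "appsec.agentToken=$token" \
    -n "$EG_NAMESPACE"
}

step5_restart_gateway() {
  run kubectl rollout restart "deployment/$EG_DEPLOYMENT" -n "$EG_NAMESPACE"
}

# Validates the selector label before touching the cluster, then runs Steps 2-5.
install_waf_webhook() {
  label_key_ok "$LABEL_NAME" || { echo "invalid label name: $LABEL_NAME" >&2; return 1; }
  label_value_ok "$LABEL_VALUE" || { echo "invalid label value: $LABEL_VALUE" >&2; return 1; }
  step2_label_namespace
  step3_label_deployment
  step4_install_webhook
  step5_restart_gateway
}

# Prints the four commands by default (DRY_RUN=1); set DRY_RUN=0 to apply them.
install_waf_webhook
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then again with `DRY_RUN=0` and `CLOUDGUARD_AGENT_TOKEN` exported to apply them. After the rollout in Step 5, confirm the new gateway pods list the injected WAF agent container before sending traffic through them.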
