# Kong Application Security

The Kong Ingress controller and CloudGuard WAF for Kubernetes agent are deployed together with a single Helm chart. The configuration of the Kong Ingress controller is done with common methods for configuring Ingress using both Kubernetes Ingress resources or Kong Ingress resources.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Kong Ingress controller protected with CloudGuard WAF.

<figure><img src="/files/V5j29RUTjqAKqKL0CVoX" alt=""><figcaption></figcaption></figure>

## Prerequisites

* Kong version 1.22.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled with Cluster admin permissions
* [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine
* The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

## Installation

#### Step 1: Download Helm chart

Run the following command depending on your Kubernetes version:

`wget https://github.com/CheckPointSW/Infinity-Next/raw/main/deployments/cp-k8s-appsec-kong-2.22.0.tgz -O cp-k8s-appsec-kong-2.22.0.tgz`

#### Step 2: Install Helm chart

Make sure you obtained the token from the [Enforcement Profile](/getting-started/deploy-enforcement-point.md) page first, you will need it in the command to deploy the Helm chart.

{% hint style="info" %}
Obtain the \<token> from the **Profile** page, **Authentication** section.

![](/files/tAyti9aG3utyFHls2McN)
{% endhint %}

Run the following command depending on your Kubernetes version (**Note** - package file names contain the name appsec - short for "Application Security" provided by CloudGuard WAF):

`helm install cp-k8s-appsec-kong-2.22.0.tgz --name-template cp-appsec --set appsec.agentToken="<token>" --create-namespace -n kong`

#### Step 3: Create SSL/TLS Secret (optional if the servers do not use HTTPS)

Kubernetes Secrets are used for TLS termination of the Ingress resource. The public/private key pair must already exist before creating the Secret. Read more about Kubernetes TLS Secrets in the [Official Kubernetes Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets).&#x20;

Create a Kubernetes SSL/TLS Secret using the following command with the public key certificate for `--cert` .PEM-encoded and matching the private key for `--key`:&#x20;

`kubectl create secret tls <certificate-name> --key <private-key-file> --cert $<certificate-file>`

#### Step 4: Configure the Ingress resource

1. Edit your ingress.yaml with your favorite editor
2. If needed add the following annotation: `kubernetes.io/ingress.class: "nginx"`

<details>

<summary>ingress.yaml example</summary>

The ingress.yaml in this example exposes two Kubernetes Services in the 'applications-ns' namespace:

* portal-svc (port 8080) exposed through portal.acme.com on port 443
* api-svc (port 80) exposed through api.acme.com on port 80

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: applications-ns
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - portal.acme.com
    secretName: tls
  rules:
  - host: portal.acme.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: portal-svc
            port:
              number: 8080
  - host: api.acme.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 80
```

</details>

#### Step 5: Deploy the Ingress

In environments that can allow short downtime, uninstall the older ingress and install the new one.

`kubectl apply -f ingress.yaml`

In environments that require zero-downtime:

1. Redirect your DNS traffic from the old ingress to the new ingress
2. Log traffic from both controllers during this changeover
3. Uninstall the old ingress once traffic has fully drained from it


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/kubernetes/kong-application-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.