# Kong Application Security Using Lua PlugIn

CloudGuard WAF for Kong is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Kong IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Kong Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2Fae8IamAHizG4bPpJDgRY%2Fdownload%20(1).svg?alt=media&#x26;token=d779471a-8e28-43ef-8dec-7d0f82cd9bfe" alt=""><figcaption></figcaption></figure>

## Prerequisites

* Kong version 1.22.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled with Cluster admin permissions
* [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine
* The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

## Installation

#### Step 1: Update your Helm chart to use the Kong image that includes the open-appsec plugin:

Add the following section to your `helm install` or `helm upgrade` command to update your Kong Helm chart.

For Kong OSS:

```
--set image.repository=checkpoint/infinity-next-kong-k8s-plugin \
--set image.tag=latest
```

For Kong Enterprise Gateway:

```
--set image.repository=checkpoint/infinity-next-kong-gateway-k8s-plugin \
--set image.tag=latest
```

#### Step 2: Create a Kong Plugin and apply a resource to activate the plugin:

```
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cloudguard-waf-kong-plugin
config: {}
plugin: cloudguard-waf-kong-plugin
```

Save the manifest as `cloudguard-waf-kong-plugin.yaml`, then apply it to your Kong namespace:

```
kubectl apply -f cloudguard-waf-kong-plugin.yaml -n <your-kong-namespace>
```

#### Step 3: Deploy the CloudGuard WAF Helm Chart:

```
helm install cloudguard-waf-injector \
oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
--version <version> \
--set webhook.objectSelector.labelName="app.kubernetes.io/name" \
--set webhook.objectSelector.labelValue=kong \
--set kind=kong \
--set appsec.persistence.enabled=false \
--set appsec.agentToken=<TOKEN> \
-n <your-kong-namespace>
```

Make sure you obtain the token from the [Enforcement Profile](https://waf-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point) page first; you will need it in the command that deploys the Helm chart.

{% hint style="info" %}
Replace \<version> with the latest tag in this repository - <https://hub.docker.com/r/checkpoint/cloudguard-waf-injector/tags>
{% endhint %}

{% hint style="info" %}
Obtain the \<token> from the **Profile** page, **Authentication** section.

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FodEuUgaIWcxkuTtYrJ2n%2Fappsec-profiles-authentication-token.PNG?alt=media\&token=aaa5d4ad-7a5b-4986-9378-7ec39b22aadd)
{% endhint %}

#### Step 4: Label your namespace and deployment:

The CloudGuard WAF webhook functions only when these labels are present on the Kong Ingress Controller namespace and deployment. To add the labels, run the following commands:

```
kubectl label namespace <your-kong-namespace> inject-waf-attachment="true" --overwrite
kubectl label deployment <your-kong-deployment> app.kubernetes.io/name=kong -n <your-kong-namespace> --overwrite
```

Restart your ingress gateway deployment:

```
kubectl rollout restart deployment <your-kong-deployment> -n <your-kong-namespace>
```
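
A pre-flight check for the steps above, added here as an example and not part of the vendor's tooling: it confirms the namespace label, the deployment label matched by `webhook.objectSelector`, and the plugin-enabled Kong image before you rely on the injection. The script name `waf-preflight.sh` and the function `waf_preflight` are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): verify the preconditions from Steps 1-4.

# waf_preflight NS_LABEL DEPLOY_LABEL IMAGES
# Prints each failed check and returns the number of failures (0 = ready).
waf_preflight() {
    ns_label=$1; deploy_label=$2; images=$3; failed=0

    # Step 4: the namespace must carry inject-waf-attachment=true.
    if [ "$ns_label" != "true" ]; then
        echo "FAIL namespace label inject-waf-attachment='$ns_label' (want 'true')"
        failed=$((failed + 1))
    fi

    # Steps 3-4: webhook.objectSelector expects app.kubernetes.io/name=kong.
    if [ "$deploy_label" != "kong" ]; then
        echo "FAIL deployment label app.kubernetes.io/name='$deploy_label' (want 'kong')"
        failed=$((failed + 1))
    fi

    # Step 1: at least one container must run a plugin-enabled Kong image,
    # referenced by tag (:) or digest (@), with or without a registry prefix.
    found=0
    for img in $images; do
        case "$img" in
            *checkpoint/infinity-next-kong-k8s-plugin[@:]*) found=1 ;;
            *checkpoint/infinity-next-kong-gateway-k8s-plugin[@:]*) found=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL no plugin-enabled Kong image in: $images"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Live mode: ./waf-preflight.sh <your-kong-namespace> <your-kong-deployment>
if [ "$#" -eq 2 ]; then
    waf_preflight \
        "$(kubectl get namespace "$1" -o jsonpath='{.metadata.labels.inject-waf-attachment}')" \
        "$(kubectl get deployment "$2" -n "$1" -o jsonpath='{.metadata.labels.app\.kubernetes\.io/name}')" \
        "$(kubectl get deployment "$2" -n "$1" -o jsonpath='{.spec.template.spec.containers[*].image}')"
fi
```

Run it before the rollout restart; a non-zero exit status is the number of preconditions still missing.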
