Kong Application Security Using Lua PlugIn

CloudGuard WAF for Kong is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Kong IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Kong Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.

Prerequisites

Kong version 1.22.0+ cluster with RBAC enabled with Cluster admin permissions
Helm 3 Package Manager installed on your local machine
The kubectl and wget command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

Installation

Step 1: Update your Helm chart to use the Kong image that includes the open-appsec plugin:

Add the following section to your helm install or upgrade command, do update your Kong helm chart.

For Kong OSS:

--set image.repository=checkpoint/kong-k8s-attachment-plugin 
--set image.tag=latest

For Kong Enterprise Gateway:

--set image.repository=checkpoint/kong-gateway-k8s-attachment-plugin \
--set image.tag=latest

Step 2: Create a KongPlugin and apply a resource to activate the plugin:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cloud-guard-waf-kong-plugin
config: {}
plugin: cloud-guard-waf-kong-plugin

kubectl apply -f cloud-guard-KongPlugin.yaml -n <your-kong-namespace>

Step 3: Deploy the CloudGuard WAF Helm Chart:

helm repo add cloudguardwaf https://cloudguard-waf.i2.checkpoint.com/downloads/helm

helm install cloudguard-waf-injector  
--set webhook.objectSelector.labelName="app.kubernetes.io/name" \
--set webhook.objectSelector.labelValue=kong \
--set kind=kong \
--set appsec.persistence.enabled=false \
--set appsec.agentToken= <TOKEN>
-n <your-kong-namespace>

Make sure you obtained the token from the Enforcement Profile page first, you will need it in the command to deploy the Helm chart.

Obtain the <token> from the Profile page, Authentication section.

Step 4: Label your namespace and deployment:

CloudGuard WAF webhook will function only when this flag is added to the Kong Ingress Controller environment. To add the flag, run the following command:

kubectl label namespace <your-kong-namespace> inject-waf-attachment="true" --overwrite
kubectl label deployment <your-kong-deployment> app.kubernetes.io/name=kong --overwrite

Restart your ingress gateway deployment:

kubectl rollout restart deployment <your-kong-deployment> -n <your-kong-namespace>

PreviousKubernetes NextIstio Application Security

Last updated 14 days ago

Was this helpful?

hashtagPrerequisites

hashtagInstallation

hashtagStep 1: Update your Helm chart to use the Kong image that includes the open-appsec plugin:

hashtagStep 2: Create a KongPlugin and apply a resource to activate the plugin:

hashtagStep 3: Deploy the CloudGuard WAF Helm Chart:

hashtagStep 4: Label your namespace and deployment: