# Kong Application Security Using Lua PlugIn

CloudGuard WAF for Kong is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Kong IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Kong Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.

<figure><img src="/files/V5j29RUTjqAKqKL0CVoX" alt=""><figcaption></figcaption></figure>

## Prerequisites

* Kong version 1.22.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled and cluster admin permissions
* [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine
* The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

## Installation

#### Step 1: Update your Helm chart to use the Kong image that includes the open-appsec plugin:

Add the following section to your `helm install` or `helm upgrade` command to update your Kong Helm chart.

For Kong OSS:

```
--set image.repository=checkpoint/infinity-next-kong-k8s-plugin \
--set image.tag=latest
```

For Kong Enterprise Gateway:

```
--set image.repository=checkpoint/infinity-next-kong-gateway-k8s-plugin \
--set image.tag=latest
```

#### Step 2: Create a Kong Plugin and apply a resource to activate the plugin:

```
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cloudguard-waf-kong-plugin
config: {}
plugin: cloudguard-waf-kong-plugin
```

```
kubectl apply -f cloudguard-waf-kong-plugin.yaml -n <your-kong-namespace>
```

#### Step 3: Deploy the CloudGuard WAF Helm Chart:

```
helm install cloudguard-waf-injector \
oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
--version <version> \
--set webhook.objectSelector.labelName="app.kubernetes.io/name" \
--set webhook.objectSelector.labelValue=kong \
--set kind=kong \
--set appsec.persistence.enabled=false \
--set appsec.agentToken=<TOKEN> \
-n <your-kong-namespace>
```

Make sure you obtain the token from the [Enforcement Profile](/getting-started/deploy-enforcement-point.md) page first. You need it in the command that deploys the Helm chart.

{% hint style="info" %}
Replace \<version> with the latest tag in this repository - <https://hub.docker.com/r/checkpoint/cloudguard-waf-injector/tags>
{% endhint %}

{% hint style="info" %}
Obtain the \<token> from the **Profile** page, **Authentication** section.

![](/files/tAyti9aG3utyFHls2McN)
{% endhint %}

#### Step 4: Label your namespace and deployment:

The CloudGuard WAF webhook functions only when this flag is added to the Kong Ingress Controller environment. To add the flag, run the following commands:

```
kubectl label namespace <your-kong-namespace> inject-waf-attachment="true" --overwrite
kubectl label deployment <your-kong-deployment> app.kubernetes.io/name=kong --overwrite -n <your-kong-namespace>
```

Restart your ingress gateway deployment:

```
kubectl rollout restart deployment <your-kong-deployment> -n <your-kong-namespace>
```
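
Step 3 passes the agent token with `--set`, which leaves it in shell history and in the process list while Helm runs. The following added example (not part of the CloudGuard WAF documentation) writes the same Step 3 settings to a private values file instead; the function name `write_waf_values` and the file name `waf-values.yaml` are assumptions.

```sh
#!/bin/sh
# Added example, not from the CloudGuard WAF documentation.
# Writes the Step 3 chart settings to a values file readable only by the
# current user, so the agent token never appears as a --set argument.

# write_waf_values FILE   (hypothetical helper; token is read as one line from stdin)
write_waf_values() {
  values_file=$1
  token=
  IFS= read -r token || true            # tolerate a missing trailing newline
  if [ -z "$token" ]; then
    echo "write_waf_values: no token on stdin" >&2
    return 1
  fi
  case $token in
    # A single quote would terminate the quoted YAML scalar written below.
    *\'*) echo "write_waf_values: token contains a single quote" >&2
          return 1 ;;
  esac
  (
    umask 077                           # new file is created as 0600
    rm -f -- "$values_file"             # never reuse a file with wider permissions
    cat > "$values_file" <<EOF
kind: kong
webhook:
  objectSelector:
    labelName: app.kubernetes.io/name
    labelValue: kong
appsec:
  persistence:
    enabled: false
  agentToken: '$token'
EOF
  )
}

# Usage, with the placeholders used on this page:
#   stty -echo; IFS= read -r t; stty echo
#   printf '%s\n' "$t" | write_waf_values waf-values.yaml; unset t
#   helm install cloudguard-waf-injector \
#     oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
#     --version <version> -f waf-values.yaml -n <your-kong-namespace>
#   rm -f waf-values.yaml
```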

