# Kong Application Security Using Lua PlugIn

CloudGuard WAF for Kong is deployed using a Helm chart that includes a namespace-level webhook. This webhook monitors changes to the Kong IngressGateway deployment and automatically adds the necessary agent and attachment to the deployment. The configuration of the Kong Ingress controller follows standard practices for setting up gateway and virtual service resources to expose your applications.

This diagram shows an example of a Kubernetes service exposed outside the Kubernetes cluster with an Istio Ingress controller protected with CloudGuard WAF.

<figure><img src="/files/V5j29RUTjqAKqKL0CVoX" alt=""><figcaption></figcaption></figure>

## Prerequisites

* Kong version 1.22.0+ cluster with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) enabled with Cluster admin permissions
* [Helm 3 Package Manager](https://helm.sh/docs/intro/install/) installed on your local machine
* The `kubectl` and `wget` command-line tools installed on your bastion or platform that you use to access the Kubernetes cluster

## Installation

#### Step 1: Update your Helm chart to use the Kong image that includes the open-appsec plugin:

Add the following section to your `helm install` or `helm upgrade` command to update your Kong Helm chart.

For Kong OSS:

```
--set image.repository=checkpoint/infinity-next-kong-k8s-plugin \
--set image.tag=latest
```

For Kong Enterprise Gateway:

```
--set image.repository=checkpoint/infinity-next-kong-gateway-k8s-plugin \
--set image.tag=latest
```

#### Step 2: Create a Kong Plugin and apply a resource to activate the plugin:

```
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cloudguard-waf-kong-plugin
config: {}
plugin: cloudguard-waf-kong-plugin
```

Save this manifest as `cloudguard-waf-kong-plugin.yaml` and apply it in your Kong namespace:

```
kubectl apply -f cloudguard-waf-kong-plugin.yaml -n <your-kong-namespace>
```

#### Step 3: Deploy the CloudGuard WAF Helm Chart:

```
helm install cloudguard-waf-injector \
oci://registry-1.docker.io/checkpoint/cloudguard-waf-injector \
--version <version> \
--set webhook.objectSelector.labelName="app.kubernetes.io/name" \
--set webhook.objectSelector.labelValue=kong \
--set kind=kong \
--set appsec.persistence.enabled=false \
--set appsec.agentToken=<TOKEN> \
-n <your-kong-namespace>
```

Obtain the token from the [Enforcement Profile](/getting-started/deploy-enforcement-point.md) page before you run this command. The Helm chart deployment requires it.

{% hint style="info" %}
Replace \<version> with the latest tag in this repository - <https://hub.docker.com/r/checkpoint/cloudguard-waf-injector/tags>
{% endhint %}

{% hint style="info" %}
Obtain the \<TOKEN> from the **Profile** page, **Authentication** section.

![](/files/tAyti9aG3utyFHls2McN)
{% endhint %}

#### Step 4: Label your namespace and deployment:

The CloudGuard WAF webhook functions only when these labels are added to the Kong Ingress Controller environment. To add the labels, run the following commands:

```
kubectl label namespace <your-kong-namespace> inject-waf-attachment="true" --overwrite
kubectl label deployment <your-kong-deployment> app.kubernetes.io/name=kong --overwrite -n <your-kong-namespace>
```

Restart your ingress gateway deployment:

```
kubectl rollout restart deployment <your-kong-deployment> -n <your-kong-namespace>
```
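To confirm that Steps 3 and 4 took effect, the following added example (not part of the Check Point documentation; the function names are illustrative) checks both labels and prints the containers in the deployment's pod template after the restart. It assumes `kubectl` is already pointed at the cluster.

```shell
#!/bin/sh
# Added example: post-install checks for Steps 3 and 4. Function names are
# illustrative; label keys and values are the ones used on this page.

# True if the namespace carries inject-waf-attachment=true (Step 4).
ns_labeled() {  # $1 = namespace
  kubectl get namespace -l inject-waf-attachment=true -o name |
    grep -qxF "namespace/$1"
}

# True if the deployment carries the label the webhook's objectSelector
# was installed with in Step 3 (app.kubernetes.io/name=kong).
deploy_labeled() {  # $1 = namespace, $2 = deployment
  kubectl get deployment -n "$1" -l app.kubernetes.io/name=kong -o name |
    grep -qxF "deployment.apps/$2"
}

# Print one "name image" line per container in the pod template, so the
# result of the webhook's mutation can be inspected after the restart.
template_containers() {  # $1 = namespace, $2 = deployment
  kubectl get deployment "$2" -n "$1" -o \
    jsonpath='{range .spec.template.spec.containers[*]}{.name}{" "}{.image}{"\n"}{end}'
}

# Run all checks; returns non-zero if a required label is missing.
check_waf_injection() {  # $1 = namespace, $2 = deployment
  rc=0
  ns_labeled "$1" || { echo "namespace $1: label missing" >&2; rc=1; }
  deploy_labeled "$1" "$2" || { echo "deployment $2: label missing" >&2; rc=1; }
  template_containers "$1" "$2"
  return "$rc"
}

# Usage: sh check.sh <your-kong-namespace> <your-kong-deployment>
if [ "$#" -eq 2 ]; then check_waf_injection "$1" "$2"; fi
```

A missing label is reported on stderr and makes the script exit non-zero, so it can gate a deployment pipeline.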


