This repository was archived on 2023-07-27. It is no longer maintained because there is now a cloud-native alternative to protect your Kubernetes workload: Airlock Microgateway. If you continue to use Airlock Gateway, consider automating its configuration using the Airlock Gateway REST API.
To use Airlock WAF as a reverse proxy without human interaction in a Kubernetes or OpenShift environment, our recommendations are:
- place Airlock WAF in front of a Kubernetes or OpenShift environment
- use Ingress in case of Kubernetes or Route in case of OpenShift
- listen on Ingress or Route events and create an Airlock WAF configuration via REST API
- use metadata annotations and ConfigMap for parameterization
The demo application listens to Ingress and Route events. It builds and activates a new Airlock WAF configuration using the Airlock WAF REST API and runs inside a Pod on a Kubernetes worker node.
This Proof of Concept application is NOT for production use.
- Airlock WAF 7.1 or newer
- Airlock WAF JWT token (API Key)
- Kubernetes or OpenShift
- Airlock WAF and Kubernetes/OpenShift need to be in the same subnet
- Based on Spring Boot
- The application entry point is:
  - Kubernetes: IngressEventWatcher.java
  - OpenShift: RouteEventWatcher.java
- The official Kubernetes Java Client is used to communicate with the API Server
- The OpenShift Route REST API has been implemented in OpenShiftV1Api.java
- It uses a client certificate to authenticate against the Kubernetes API Server
Under examples you will find some tutorials and detailed descriptions.
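
The event-to-configuration step described above, as an added Java 17 sketch that is not code from this repository: it turns Ingress watch events into the set of reverse-proxy mappings the WAF should have, taking a setting from the Ingress annotation first and the ConfigMap second, and dropping an Ingress's mappings when it is deleted so no stale exposure remains. The class, the record types, the annotation key `waf.example/security-policy` and the sample objects are assumptions; sending the result to the Airlock WAF REST API is left out because this page does not document its endpoints.

```java
import java.util.*;

public class IngressToMappings {
    // Hypothetical annotation / ConfigMap key, not taken from the project.
    static final String POLICY_KEY = "waf.example/security-policy";

    record Rule(String host, String path, String service, int port) {}
    record Ingress(String namespace, String name, Map<String, String> annotations, List<Rule> rules) {}
    record Mapping(String name, String entryHost, String entryPath, String backend, String policy) {}

    // Desired mappings per "namespace/ingress", so a DELETED event removes exactly its own entries.
    private final Map<String, List<Mapping>> desired = new TreeMap<>();
    private final Map<String, String> configMap;

    IngressToMappings(Map<String, String> configMap) { this.configMap = configMap; }

    // Precedence: Ingress annotation, then ConfigMap default, then a fixed fallback.
    String setting(Ingress ing, String key, String fallback) {
        return ing.annotations().getOrDefault(key, configMap.getOrDefault(key, fallback));
    }

    // Handles one watch event (ADDED, MODIFIED, DELETED) and returns the full desired state.
    List<Mapping> onEvent(String type, Ingress ing) {
        String owner = ing.namespace() + "/" + ing.name();
        if (type.equals("DELETED")) {
            desired.remove(owner);
        } else {
            String policy = setting(ing, POLICY_KEY, "standard");
            List<Mapping> out = new ArrayList<>();
            for (Rule r : ing.rules()) {
                // Only publish rules with an explicit host and an absolute path.
                if (r.host() == null || r.host().isBlank()) continue;
                if (r.path() == null || !r.path().startsWith("/")) continue;
                // Resolving the service to an address the WAF can reach is out of scope here.
                String backend = r.service() + ":" + r.port();
                out.add(new Mapping(owner + r.path(), r.host(), r.path(), backend, policy));
            }
            desired.put(owner, out); // MODIFIED replaces the previous mappings of this Ingress
        }
        return desired.values().stream().flatMap(List::stream).toList();
    }

    public static void main(String[] args) {
        // Constructed sample data: one ConfigMap default and two Ingress objects.
        var watcher = new IngressToMappings(Map.of(POLICY_KEY, "strict"));
        var shop = new Ingress("prod", "shop", Map.of(),
                List.of(new Rule("shop.example.com", "/", "shop-svc", 8080)));
        var api = new Ingress("prod", "api", Map.of(POLICY_KEY, "api-only"),
                List.of(new Rule("api.example.com", "/v1", "api-svc", 9000), new Rule("", "/x", "api-svc", 9000)));
        watcher.onEvent("ADDED", shop);
        watcher.onEvent("ADDED", api).forEach(System.out::println);
        System.out.println(watcher.onEvent("DELETED", shop));
    }
}
```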