# Installation on Kubernetes

This guide use minikube as Kubernetes cluster. Read how to install minikube (opens new window) for more information on how to install it.

Deploy the backend application with:

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-deployment
spec:
  selector:
    matchLabels:
      app: backend
  replicas: 2
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
        - name: hello
          image: nginxdemos/hello:plain-text
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  selector:
    app: backend
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

Add a configmap that will contains the WAF configuration in configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: waf-settings
data:
  config.yaml: |
    apiVersion: core/v1beta
    kind: App
    metadata:
      name: my-api
    spec:
      name: myserver
      alias: myserver:8080
      log_level: warn
      workflow: my-workflow
      workflow_params:
        exceptions: my-exceptions
    ---
    apiVersion: core/v1beta
    kind: Workflow
    metadata:
      name: my-workflow
    spec:
      entrypoint: main
      source: |-
        package main

        func main(icx_policy ICXConfiguration, exceptions SecurityExceptionConfiguration) {
            ActionICXSecurityEngine(Args{"configuration": "${params.icx_policy}"})
            ActionSecurityExceptionManagement(Args{"configuration": "${params.exceptions}"})
            ActionLogSecurity()
            if security.exception.blocked == true {
                ActionGenerateResponse(Args{"status": "403", "content": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access ${http.request.path} on this server.</p></body></html>"})
            } else {
                ActionProxyRequest()
            }
        }
    ---
    apiVersion: core/v1beta
    kind: SecurityException
    metadata:
      name: my-exceptions
    spec:
      rules:
        - name: "Exception for ICX Engine: Cross-Site Scripting (XSS) in Var_GET 'content'"
          filters:
            - uri == "/webmail/message"
            - token.matchingParts.Contains(token.part == "Var_GET" && token.partKey == "content" && token.partValuePatternName == "Html Injection")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

And apply it:

kubectl apply -f configmap.yaml

In order to be able to pull the container image from our registry, please read Pull an Image from a Private Registry (opens new window).

Create a new deployment for the WAF contrainers with k8s.appsec.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: waf-deployment
spec:
  selector:
    matchLabels:
      app: waf
  replicas: 1
  template:
    metadata:
      labels:
        app: waf
    spec:
      volumes:
        - name: waf-settings
          configMap:
            name: waf-settings
      containers:
        - name: waf
          image: cr.trustedapphub.io/appsec-runtime:0.3.0
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: waf-settings
              mountPath: /etc/appsec/config.yaml
              subPath: config.yaml
          env:
            - name: APPSEC_BACKEND
              value: "http://$(BACKEND_SERVICE_HOST):$(BACKEND_SERVICE_PORT)/"
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8042
            initialDelaySeconds: 5
            periodSeconds: 10
---
apiVersion: v1
kind: Service
metadata:
  name: waf
spec:
  type: NodePort
  selector:
    app: waf
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

Then, deploy the WAF:

kubectl apply -f k8s.appsec.yaml

You can now request the WAF with:

curl $(minikube service waf --url) 
# return 200 OK with the backend response
curl $(minikube service waf --url)'/?q=cmd.exe' 
# return 403 Forbidden
curl $(minikube service waf --url)"/webmail/message?content=&lt;html&gt;&lt;header&gt;&lt;/header&gt;&lt;body&gt;Hello&nbsp;i'm&nbsp;the&nbsp;mail&nbsp;content&lt;/body&gt;&lt;/html&gt;" 
# return 200 OK
1
2
3
4
5
6
Last Updated: 3/24/2022, 9:55:47 AM