Airlock Microgateway


Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.


Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.

Features

  • Kubernetes native integration with sidecar injection and Gateway API support
  • Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
  • Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
  • Content security filters for protecting against known attacks (OWASP Top 10)
  • Access control using OpenID Connect to allow only authenticated users to access the protected services
  • API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation

For a list of all features, view the comparison of the community and premium edition.

Labs

We offer a growing number of Airlock Microgateway labs that are designed to be easy-to-follow tutorials. All labs are fully guided and cover aspects of Airlock Microgateway from installation to configuration in a preconfigured cloud-based Kubernetes environment.

Airlock Microgateway labs

Learn the basics and expand existing knowledge without any administration effort in a secure environment.

Documentation and links

Check the official documentation at docs.airlock.com or the product website at airlock.com/microgateway. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.

Quick start guide

The instructions below provide a quick start guide. Detailed information is provided in the manual.

Prerequisites

To use Airlock Microgateway you need a license and cert-manager. You may either request a community license free of charge or purchase a premium license. For an easy start in non-production environments, you may deploy the same cert-manager configuration we use internally for testing.

Obtain Airlock Microgateway License

  1. Either request a community or premium license
  2. Check your inbox and save the license file microgateway-license.txt locally.

See Community vs. Premium editions in detail to choose the right license type.

Deploy cert-manager

helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait

(Recommended) Deploy Airlock Microgateway CNI

Note: Installing Airlock Microgateway CNI is required for the sidecar data plane mode.

See documentation for more information about data plane modes.

  1. Install the CNI Plugin with Helm.

    Note: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the chart folder.

    # Standard setup
    helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    # GKE setup
    helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
    # OpenShift setup
    helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
    kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni

    Important: On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation k8s.v1.cni.cncf.io/networks (see documentation for details).

  2. (Recommended) You can verify the correctness of the installation with helm test.

    # Standard and GKE setup
    helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n kube-system --logs
    helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    # OpenShift setup
    helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
    helm test airlock-microgateway-cni -n openshift-operators --logs
    helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'

    Consult our documentation in case of any installation error.

Deploy Airlock Microgateway Operator

This guide assumes a microgateway-license.txt file is present in the working directory.

  1. Install CRDs and Operator.

    # Create namespace
    kubectl create namespace airlock-microgateway-system
    
    # Install License
    kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
    
    # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
    helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.2' --wait
  2. (Recommended) You can verify the correctness of the installation with helm test.

    helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2'
    helm test airlock-microgateway -n airlock-microgateway-system --logs
    helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2'

Upgrading CRDs

Helm installs the CRDs shipped in the chart's crds/ directory on first install, but helm upgrade does not update CRDs that already exist in the cluster. CRDs must therefore be upgraded manually, before upgrading the Operator itself, with the following command (the ref must match the Operator version you are upgrading to):

kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.2 --server-side --force-conflicts

Note: GitOps tools such as Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts; check how yours handles the chart's crds/ directory before relying on the manual step above.
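The quick start above is a sequence of copy-pasted commands in which the chart version, the CNI version and the CRD ref must all agree, the license Secret must exist before the Operator starts, and the CRD step depends on whether this is a first install or an upgrade. The script below is an added example, not code from the Airlock Microgateway project, that wraps those steps into idempotent shell functions with the version pinned once. The environment variable names, the `quickstart` entry point and the assumption that the Operator's CRD names contain the string "airlock" are mine; the commands themselves are the ones from this README, switched to `helm upgrade --install` and `kubectl apply` so the script can be re-run safely.

```shell
#!/bin/sh
# Added example, not part of the Airlock Microgateway project: an idempotent
# wrapper around the quick start steps in this README. Versions, namespaces and
# the license file path are parameters; the pure helpers take their inputs as
# arguments so they can be checked without a cluster.
set -eu

MGW_VERSION="${MGW_VERSION:-4.4.2}"          # CNI chart, operator chart and CRD ref must agree
CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-v1.16.1}"
LICENSE_FILE="${LICENSE_FILE:-microgateway-license.txt}"
OPERATOR_NS="airlock-microgateway-system"
CNI_NS="${CNI_NS:-kube-system}"              # openshift-operators on OpenShift
CNI_VALUES="${CNI_VALUES:-}"                 # e.g. the gke-values.yaml or openshift-values.yaml URL

# --- pure helpers (no cluster access) ----------------------------------------

# A missing or empty license file would still yield a Secret; reject it up front.
check_license_file() {
  if [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]; then return 0; fi
  return 1
}

# Helm 3 installs a chart's crds/ on first install but never upgrades them, so
# when any Airlock CRD already exists the CRDs must be applied manually first.
# $1 = number of matching CRDs found in the cluster.
crd_action() {
  if [ "$1" -gt 0 ]; then echo "upgrade-crds-first"; else echo "helm-installs-crds"; fi
}

# Kustomize URL for the CRDs, pinned to the same version as the charts.
crd_kustomize_url() {
  printf 'https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s\n' "$1"
}

# --- cluster-touching steps ---------------------------------------------------

install_cert_manager() {
  helm repo add jetstack https://charts.jetstack.io
  helm upgrade --install cert-manager jetstack/cert-manager \
    --version "$CERT_MANAGER_VERSION" -n cert-manager --create-namespace \
    --set crds.enabled=true --wait
}

install_cni() {
  set -- oci://quay.io/airlockcharts/microgateway-cni --version "$MGW_VERSION"
  if [ -n "$CNI_VALUES" ]; then set -- "$@" -f "$CNI_VALUES"; fi
  helm upgrade --install airlock-microgateway-cni -n "$CNI_NS" "$@"
  kubectl -n "$CNI_NS" rollout status daemonset \
    -l app.kubernetes.io/instance=airlock-microgateway-cni
}

install_operator() {
  if ! check_license_file "$LICENSE_FILE"; then
    echo "license file '$LICENSE_FILE' is missing, unreadable or empty" >&2
    return 1
  fi
  kubectl create namespace "$OPERATOR_NS" --dry-run=client -o yaml | kubectl apply -f -
  # The Secret key stays microgateway-license.txt regardless of where the file lives.
  kubectl -n "$OPERATOR_NS" create secret generic airlock-microgateway-license \
    --from-file=microgateway-license.txt="$LICENSE_FILE" --dry-run=client -o yaml \
    | kubectl apply -f -
  crds=$(kubectl get crd -o name)            # fails loudly if the cluster is unreachable
  # Assumption (not from the README): the Operator's CRD names contain "airlock".
  existing=$(printf '%s\n' "$crds" | grep -c airlock || true)
  if [ "$(crd_action "$existing")" = "upgrade-crds-first" ]; then
    kubectl apply -k "$(crd_kustomize_url "$MGW_VERSION")" --server-side --force-conflicts
  fi
  helm upgrade --install airlock-microgateway -n "$OPERATOR_NS" \
    oci://quay.io/airlockcharts/microgateway --version "$MGW_VERSION" --wait
}

# Runs the chart's built-in helm tests, then switches them off again.
# $1 = release name, $2 = namespace, $3 = OCI chart reference
helm_smoke_test() {
  helm upgrade "$1" -n "$2" --set tests.enabled=true --reuse-values "$3" --version "$MGW_VERSION"
  helm test "$1" -n "$2" --logs
  helm upgrade "$1" -n "$2" --set tests.enabled=false --reuse-values "$3" --version "$MGW_VERSION"
}

quickstart() {
  install_cert_manager
  install_cni
  helm_smoke_test airlock-microgateway-cni "$CNI_NS" oci://quay.io/airlockcharts/microgateway-cni
  install_operator
  helm_smoke_test airlock-microgateway "$OPERATOR_NS" oci://quay.io/airlockcharts/microgateway
}
```

Source the file and call `quickstart` (or the individual functions) with `MGW_VERSION`, `CNI_NS` and `CNI_VALUES` set for your platform; for an upgrade, bump `MGW_VERSION` and re-run `install_operator`, which applies the pinned CRDs before the chart because the CRDs are already present.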

Support

Premium support

If you have a paid license, please follow the premium support process.

Community support

For the community edition, check our Airlock community forum for FAQs or register to post your question.

License

View the detailed license terms for the software contained in this image.

  • Decompiling or reverse engineering is not permitted.
  • Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.

Airlock® is a security innovation by ergon
