DEV Community

Lulu
Lulu

Posted on

How to Secure Your Kubernetes with Ingress-Nginx and SafeLine

Integrating Ingress-Nginx with SafeLine Community Edition

Prerequisites:

  • SafeLine version β‰₯ 5.6.0

Preparing SafeLine Configuration

First, configure SafeLine by using a ConfigMap to define the detection engine's host and port. Below is an example configuration:

# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host"  # Replace with your SafeLine detection engine address
  port: "8000"           # Default port for SafeLine
Enter fullscreen mode Exit fullscreen mode

To create the ConfigMap in Ingress-Nginx, run the following commands:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml
Enter fullscreen mode Exit fullscreen mode

Fresh Installation with Helm

If you don't have Ingress-Nginx installed yet, you can install it using Helm. For detailed instructions, refer to the Ingress-Nginx official documentation.
Once ready, replace the image and configure the SafeLine plugin by using the following values.yaml:

# values.yaml
controller:
  kind: DaemonSet
  image:
    registry: docker.io
    image: chaitin/ingress-nginx-controller
    tag: v1.10.1
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local  # To capture real client IPs
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: chaitin/ingress-nginx-kube-webhook-certgen
        tag: v1.4.1
Enter fullscreen mode Exit fullscreen mode

To install the controller, use this command:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  -f values.yaml
Enter fullscreen mode Exit fullscreen mode

Build Your Own Ingress-Nginx Image

If you'd prefer to build the image yourself, here’s a sample Dockerfile that adds the SafeLine plugin:

FROM registry.k8s.io/ingress-nginx/controller:v1.10.1
USER root
RUN apk add --no-cache make gcc unzip wget
# Install Luarocks
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0 luarocks-3.11.0.tar.gz
RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline
USER www-data
Enter fullscreen mode Exit fullscreen mode

Adding SafeLine to Existing Ingress-Nginx Installations

Step 1: Install the SafeLine Plugin

Refer to the Dockerfile above and use luarocks to install the SafeLine plugin in your default Nginx plugin directory.

Step 2: Configure the SafeLine Plugin

Use the safeline.yaml file to create the necessary ConfigMap:

kubectl apply -f safeline.yaml
Enter fullscreen mode Exit fullscreen mode

In your Ingress-Nginx configuration, enable the SafeLine plugin:

# ingress-nginx-controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  plugins: "safeline"
Enter fullscreen mode Exit fullscreen mode

Step 3: Inject SafeLine Environment Variables

Add the environment variables to your Ingress-Nginx Deployment or DaemonSet so the SafeLine plugin can read them:

# ingress-nginx-controller-deployment.yaml
...
env:
  - name: SAFELINE_HOST
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: host
  - name: SAFELINE_PORT
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: port
Enter fullscreen mode Exit fullscreen mode

Step 4: (Optional) Capture Real Client IP

To capture real client IP addresses, ensure that the externalTrafficPolicy in your Nginx service is set to Local.

Testing SafeLine Plugin

You can test if the SafeLine plugin is working by simulating a malicious request:

curl http://localhost:80/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"
Enter fullscreen mode Exit fullscreen mode

If everything is configured correctly, you should receive a 403 Forbidden response, indicating that the request was blocked by SafeLine:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}
Enter fullscreen mode Exit fullscreen mode

You can check the SafeLine dashboard for more detailed attack logs.


By following this guide, you'll have Ingress-Nginx integrated with SafeLine, helping you enhance the security of your Kubernetes clusters with minimal effort.

Top comments (0)