Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight WAAP solution (formerly known as WAF), optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
This repository contains a running example of Airlock Microgateway in Kubernetes. It shows how to protect a backend application with Airlock Microgateway. The source code is available under the MIT license.
This topology diagram illustrates the deployment architecture of a Kubernetes cluster, with a focus on secure access to web applications through Airlock Microgateway.
- Users access the cluster from devices (e.g., laptops or smartphones).
- Requests are routed through an Ingress managed by Traefik, which serves as the cluster's entry point.
- Traefik handles traffic forwarding based on routing rules.
- Juice Shop is protected by Airlock Microgateway via the Kubernetes Gateway API (sidecarless).
- Nextcloud is protected by Airlock Microgateway via a sidecar.
- Prometheus collects metrics from the cluster, including all Airlock Microgateway instances.
- Promtail forwards logs from Microgateway to Loki for analysis and storage.
- Grafana visualizes the metrics and logs collected by Prometheus and Loki.
Links to access the applications
- Grafana via http://grafana-127-0-0-1.nip.io/
- Prometheus via http://prometheus-127-0-0-1.nip.io/
- Nextcloud via http://nextcloud-127-0-0-1.nip.io/
  - Username: admin
  - Password: changeme
- Juice Shop unprotected via http://juice-shop-127-0-0-1.nip.io/
- Juice Shop protected via http://juice-shop-127-0-0-1.nip.io:8080/
Airlock Microgateway is available as a community and a premium edition. See Community vs. Premium editions in detail to choose the right license type. This example setup can be deployed with either edition.
Warning
Be aware that this is an example and some security settings are disabled to make this demo as simple as possible (e.g. authentication enforcement, restrictive deny rule configuration and other security settings).
- Install Rancher Desktop.
Note
This example is built for Rancher Desktop with containerd as the container engine. Nevertheless, it should also work with any other Kubernetes distribution. Simply ensure the following:
- Ensure the Airlock Microgateway requirements are met.
- kubectl is installed.
- helm is installed.
- kustomize >= 5.2.1 is installed.
- An Ingress Controller (e.g. Traefik, Ingress Nginx, ...) is deployed.
- Either request a community license free of charge or purchase a premium license.
- Community license: airlock.com/microgateway-community
- Premium license: airlock.com/microgateway-premium
- Check your mailbox and save the license file microgateway-license.txt locally (replace the existing file).
- Deploy the Airlock Microgateway license:
# Create the airlock-microgateway-system namespace
kubectl create ns airlock-microgateway-system --dry-run=client -o yaml | kubectl apply -f -
# Deploy the Airlock Microgateway license
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt --dry-run=client -o yaml | kubectl apply -f -
Note
See Community vs. Premium editions in detail to choose the right license type.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
# Deploy the cert-manager
kubectl kustomize --enable-helm manifests/cert-manager | kubectl apply --server-side -f -
# Wait until the cert-manager is up and running
kubectl -n cert-manager rollout status deployment
# Deploy Promtail, Loki, Prometheus and Grafana
kubectl kustomize --enable-helm manifests/logging-and-reporting | kubectl apply --server-side -f -
# Wait until Promtail, Loki, Prometheus and Grafana are up and running
kubectl -n monitoring rollout status deployment,daemonset,statefulset
Note
You can now access
- Prometheus via http://prometheus-127-0-0-1.nip.io/
- Grafana via http://grafana-127-0-0-1.nip.io/
Tip
Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. If the CNI plugin does not start properly, consult the Troubleshooting Microgateway CNI article.
Note
If this example is not deployed in Rancher Desktop, cniBinDir and cniNetDir in the file manifests/airlock-microgateway/microgateway-cni-values.yaml will most likely need to be adjusted to the paths used by your Kubernetes distribution.
Example:
config:
  cniBinDir: "/usr/libexec/cni/"
  cniNetDir: "/etc/cni/net.d"
# Deploy Airlock Microgateway including the CNI plugin
kubectl kustomize --enable-helm manifests/airlock-microgateway | kubectl apply --server-side -f -
# Wait until Airlock Microgateway is up and running
kubectl -n kube-system rollout status daemonset airlock-microgateway-microgateway-cni
kubectl -n airlock-microgateway-system rollout status deployment
# Deploy Nextcloud
kubectl kustomize --enable-helm manifests/nextcloud | kubectl apply --server-side -f -
# Wait until Nextcloud is up and running
kubectl -n nextcloud rollout status deployment,statefulset
Note
You can now access Nextcloud via http://nextcloud-127-0-0-1.nip.io/
  - Username: admin
  - Password: changeme
Important
The web application is not yet protected by Airlock Microgateway. Protection will be enabled later (see Protect the web application).
# Deploy Juice Shop
kubectl kustomize --enable-helm manifests/juice-shop | kubectl apply --server-side -f -
# Wait until Juice Shop is up and running
kubectl -n juice-shop rollout status deployment
Note
You can now access Juice Shop via http://juice-shop-127-0-0-1.nip.io/
Important
The web application is not yet protected by Airlock Microgateway. Protection will be enabled later (see Protect the web application).
# Deploy the Airlock Microgateway configuration
kubectl kustomize --enable-helm manifests/nextcloud-microgateway-config | kubectl apply --server-side -f -
# Label the Nextcloud deployment to be protected
kubectl -n nextcloud patch deployment nextcloud -p '{
"spec":{ "template": {"metadata": {"labels": {
"sidecar.microgateway.airlock.com/inject":"true"
} } } } }'
# Wait until Nextcloud is rolled out with the Microgateway sidecar
kubectl -n nextcloud rollout status deployment
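To make the sidecar injection step concrete, the following is an added Python example (not part of this repository) that checks whether a Deployment manifest already carries the inject label on its Pod template, merges the label in without dropping existing labels, and emits the same strategic merge patch as the kubectl command above. The sample Deployment is constructed for illustration.

```python
import json
from copy import deepcopy

# Label the Airlock Microgateway sidecar injector looks for on the Pod template
# (taken from the kubectl patch command in this README).
INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"


def is_protected(deployment: dict) -> bool:
    """True when spec.template.metadata.labels carries the inject label = "true".

    The injector acts on Pods, so the label must be on the Pod template;
    a label on the Deployment's own metadata does not trigger injection.
    """
    labels = (deployment.get("spec", {})
              .get("template", {})
              .get("metadata", {})
              .get("labels", {}))
    return labels.get(INJECT_LABEL) == "true"


def inject_patch() -> str:
    """Strategic merge patch equivalent to the inline JSON passed to kubectl patch."""
    return json.dumps({"spec": {"template": {"metadata": {"labels": {INJECT_LABEL: "true"}}}}})


def apply_inject_label(deployment: dict) -> dict:
    """Return a copy of the Deployment with the inject label merged into the template.

    Existing template labels (e.g. the selector label app=nextcloud) are preserved;
    replacing them would break the Deployment's selector match.
    """
    patched = deepcopy(deployment)
    tmpl_meta = (patched.setdefault("spec", {})
                 .setdefault("template", {})
                 .setdefault("metadata", {}))
    tmpl_meta.setdefault("labels", {})[INJECT_LABEL] = "true"
    return patched


# Constructed sample: a minimal Deployment resembling Nextcloud before the patch.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nextcloud", "namespace": "nextcloud"},
    "spec": {
        "selector": {"matchLabels": {"app": "nextcloud"}},
        "template": {
            "metadata": {"labels": {"app": "nextcloud"}},
            "spec": {"containers": [{"name": "nextcloud", "image": "nextcloud:placeholder"}]},
        },
    },
}
```

Running `is_protected` on a manifest pulled with `kubectl get deployment -o json` is a quick way to confirm which workloads will receive the sidecar on their next rollout.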
# Deploy the Airlock Microgateway configuration
kubectl kustomize --enable-helm manifests/juice-shop-microgateway-config | kubectl apply --server-side -f -
# The Ingress resource can be deleted as it is no longer needed.
kubectl -n juice-shop delete ingress juice-shop
Note
You can now access the protected Juice Shop via http://juice-shop-127-0-0-1.nip.io:8080/
| | Sidecar | Sidecarless (Kubernetes Gateway API) |
|---|---|---|
| Total resource consumption (CPU/Memory) | Low | Even lower |
| 3rd-party solutions licensed per container | Higher 3rd-party license costs | Lower 3rd-party license costs |
| Airlock Microgateway CNI plugin | Required | Not required |
| Service mesh compatibility | Istio and Cilium | No special compatibility requirements |
| Updating the Microgateway Engine | Rollover of the application Pod | Rollover of Microgateway (no impact on the application) |
| Traffic filtering with Airlock Microgateway | Automatically in-line (traffic is redirected to Microgateway first) | Filtering ensured with routing and NetworkPolicies in Kubernetes |
| Protected web application | Runs inside Kubernetes | Runs inside or outside Kubernetes |
| North-South traffic | Yes, for the protected Pod | Yes |
| East-West traffic | Yes | Yes, by routing the traffic accordingly |
View the detailed license terms for the software contained in this image.
- Decompiling or reverse engineering is not permitted.
- Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock® is a security innovation by ergon
