Boost Kubernetes Security: Deploying SafeLine WAF with Ingress-nginx
Lulu
Posted on August 6, 2024
Preparation Steps:
Modify SafeLine Service
1.Follow the SafeLine documentation for installation
2.The community version of SafeLine's detection engine provides services via Unix socket by default. We need to change this to TCP mode.
- Navigate to the SafeLine detector engine configuration directory:
cd /data/safeline/resources/detector/
- Open the
detector.yml
file with a text editor. We need to change thebind
method fromunix socket
totcp
:
bind_addr: 0.0.0.0
listen_port: 8000
3.The properties in the detector config will override the default properties in the container. This way, we have the SafeLine engine listening on port 8000.
- We just need to map the container's port 8000 to the host. First, go to the SafeLine installation directory:
cd /data/safeline
- Next, open the
compose.yaml
file in the directory with a text editor. Add theports
field to thedetector
container to expose port 8000. Like this:
......
detect:
......
ports:
- 8000:8000
......
- Alright, restart SafeLine by running the following commands:
docker compose down
docker compose up -d
Prepare SafeLine Configuration
1.Use a ConfigMap to configure the SafeLine plugin with the necessary detection engine host and port:
cat <<EOF | sudo tee safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: safeline
namespace: ingress-nginx
data:
host: "detector_host" # Address of the SafeLine detection engine
port: "8000"
EOF
2.Create the SafeLine ConfigMap:
kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml
Install Helm
Follow the instructions on the Helm documentation.
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Install Ingress-nginx
1.Install Ingress-nginx using Helm
- Use the following ingress-nginx-values.yaml file to replace the image and configure the plugin:
cat <<EOF | sudo tee ingress-nginx-values.yaml
controller:
hostNetwork: true
kind: DaemonSet
image:
registry: registry.cn-shanghai.aliyuncs.com
image: kubesec/chaitin-ingress-nginx-controller
tag: v1.10.1
digest: ""
extraEnvs:
- name: SAFELINE_HOST
valueFrom:
configMapKeyRef:
name: safeline
key: host
- name: SAFELINE_PORT
valueFrom:
configMapKeyRef:
name: safeline
key: port
service:
externalTrafficPolicy: Local # Allows getting the real client IP
config:
plugins: safeline
admissionWebhooks:
patch:
image:
registry: registry.cn-shanghai.aliyuncs.com
image: kubesec/chaitin-ingress-nginx-kube-webhook-certgen
tag: v1.4.1
digest: ""
EOF
- Run the Installation Command
helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace -f ingress-nginx-values.yaml
2.Test SafeLine Plugin
- Deploy the nginx service using the following
safeline-test.yaml
file:
cat <<EOF | sudo tee safeline-test.yaml
apiVersion: v1
kind: Namespace
metadata:
name: safeline-test
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: safeline-test
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: registry.cn-shanghai.aliyuncs.com/kubesec/nginx:1.14.2
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: safeline-test
spec:
selector:
app: nginx
type: NodePort
ports:
- name: http
protocol: TCP
nodePort: 30080
port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: safeline-test
spec:
ingressClassName: nginx
rules:
- host: www.safeline-test.org
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: ImplementationSpecific
EOF
- Run the Deployment Command
kubectl create -f safeline-test.yaml
- To test if the SafeLine plugin is working, construct a malicious request. (Set up local DNS resolution, then run)
curl http://www.safeline-test.org/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"
- You should see a
403 Forbidden
response, indicating that the SafeLine plugin is active.
{
"code": 403,
"success": false,
"message": "blocked by Chaitin SafeLine Web Application Firewall",
"event_id": "009efd8d2bf44a07b5cb7ed4cf18fb84"
}
In the SafeLine console, you can view the detailed attack information recorded by SafeLine.
Automate Testing of Protection Results
Use the blazehttp
automation tool for batch testing:
docker pull registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0
docker run --rm --net=host registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0 /app/blazehttp -t http://www.safeline-test.org/
The following output will be seen:
sending 100% |██████████████████████████████| (33677/33677, 1160 it/s) [29s:0s]
Total samples: 33677 Success: 33677 Errors: 0
Detection rate: 83.87% (Total malicious samples: 558, Correctly blocked: 468, Missed: 90)
False positive rate: 0.07% (Total benign samples: 33119, Correctly allowed: 33096, False positives: 23)
Accuracy: 99.66% (Correctly blocked + Correctly allowed) / Total samples
Average response time: 8.47 ms
Check the SafeLine console for detailed attack events.
Posted on August 6, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.