Supercharge K8s Security: SafeLine WAF + Ingress-nginx

Preparation Steps:

Modify SafeLine Service

1.Follow the SafeLine documentation for installation

2.The community version of SafeLine’s detection engine provides services via Unix socket by default. We need to change this to TCP mode.

Navi…


This content originally appeared on DEV Community and was authored by SherbertIll6

Preparation Steps:

Modify SafeLine Service

1.Follow the SafeLine documentation for installation

2.The community version of SafeLine's detection engine provides services via Unix socket by default. We need to change this to TCP mode.

  • Navigate to the SafeLine detector engine configuration directory:
cd /data/safeline/resources/detector/
  • Open the detector.yml file with a text editor. We need to change the bind method from unix socket to tcp:
bind_addr: 0.0.0.0
listen_port: 8000

3.The properties in the detector config will override the default properties in the container. This way, we have the SafeLine engine listening on port 8000.

  • We just need to map the container's port 8000 to the host. First, go to the SafeLine installation directory:
cd /data/safeline
  • Next, open the compose.yaml file in the directory with a text editor. Add the ports field to the detector container to expose port 8000. Like this:
......
detect:
    ......
    ports:
    - 8000:8000
......
  • Alright, restart SafeLine by running the following commands:
docker compose down
docker compose up -d

Prepare SafeLine Configuration

1.Use a ConfigMap to configure the SafeLine plugin with the necessary detection engine host and port:

cat <<EOF | sudo tee safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host" # Address of the SafeLine detection engine
  port: "8000"
EOF

2.Create the SafeLine ConfigMap:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml

Install Helm

Follow the instructions on the Helm documentation.

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Install Ingress-nginx

1.Install Ingress-nginx using Helm

  • Use the following ingress-nginx-values.yaml file to replace the image and configure the plugin:
cat <<EOF | sudo tee ingress-nginx-values.yaml
controller:
  hostNetwork: true
  kind: DaemonSet
  image:
    registry: registry.cn-shanghai.aliyuncs.com
    image: kubesec/chaitin-ingress-nginx-controller
    tag: v1.10.1
    digest: ""
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local # Allows getting the real client IP
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: registry.cn-shanghai.aliyuncs.com
        image: kubesec/chaitin-ingress-nginx-kube-webhook-certgen
        tag: v1.4.1
        digest: ""
EOF
  • Run the Installation Command
helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace -f ingress-nginx-values.yaml

2.Test SafeLine Plugin

  • Deploy the nginx service using the following safeline-test.yaml file:
cat <<EOF | sudo tee safeline-test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: safeline-test

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: safeline-test
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: registry.cn-shanghai.aliyuncs.com/kubesec/nginx:1.14.2
        ports:
        - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: safeline-test
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      nodePort: 30080
      port: 80
      targetPort: 80

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: safeline-test
spec:
  ingressClassName: nginx
  rules:
  - host: www.safeline-test.org
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
  • Run the Deployment Command
kubectl create -f safeline-test.yaml
  • To test if the SafeLine plugin is working, construct a malicious request. (Set up local DNS resolution, then run)
curl http://www.safeline-test.org/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"
  • You should see a 403 Forbidden response, indicating that the SafeLine plugin is active.
{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "009efd8d2bf44a07b5cb7ed4cf18fb84"
}

In the SafeLine console, you can view the detailed attack information recorded by SafeLine.

Image description

Automate Testing of Protection Results

Use the blazehttp automation tool for batch testing:

docker pull registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0
docker run --rm --net=host registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0 /app/blazehttp -t http://www.safeline-test.org/

The following output will be seen:

sending 100% |██████████████████████████████| (33677/33677, 1160 it/s) [29s:0s]
Total samples: 33677    Success: 33677    Errors: 0
Detection rate: 83.87% (Total malicious samples: 558, Correctly blocked: 468, Missed: 90)
False positive rate: 0.07% (Total benign samples: 33119, Correctly allowed: 33096, False positives: 23)
Accuracy: 99.66% (Correctly blocked + Correctly allowed) / Total samples
Average response time: 8.47 ms

Check the SafeLine console for detailed attack events.

Image description

Website: https://waf.chaitin.com
GitHub: https://github.com/chaitin/SafeLine


This content originally appeared on DEV Community and was authored by SherbertIll6


Print Share Comment Cite Upload Translate Updates
APA

SherbertIll6 | Sciencx (2024-08-09T03:08:39+00:00) Supercharge K8s Security: SafeLine WAF + Ingress-nginx. Retrieved from https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/

MLA
" » Supercharge K8s Security: SafeLine WAF + Ingress-nginx." SherbertIll6 | Sciencx - Friday August 9, 2024, https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/
HARVARD
SherbertIll6 | Sciencx Friday August 9, 2024 » Supercharge K8s Security: SafeLine WAF + Ingress-nginx., viewed ,<https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/>
VANCOUVER
SherbertIll6 | Sciencx - » Supercharge K8s Security: SafeLine WAF + Ingress-nginx. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/
CHICAGO
" » Supercharge K8s Security: SafeLine WAF + Ingress-nginx." SherbertIll6 | Sciencx - Accessed . https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/
IEEE
" » Supercharge K8s Security: SafeLine WAF + Ingress-nginx." SherbertIll6 | Sciencx [Online]. Available: https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/. [Accessed: ]
rf:citation
» Supercharge K8s Security: SafeLine WAF + Ingress-nginx | SherbertIll6 | Sciencx | https://www.scien.cx/2024/08/09/supercharge-k8s-security-safeline-waf-ingress-nginx/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.