Kubernetes Injector for API Firewall

Kubernetes Injector for API Firewall is a Kubernetes Admission Controller that allows you to automatically protect APIs exposed by your microservices deployed in Kubernetes. The injector automatically injects an API Firewall instance in sidecar mode into Kubernetes pods marked with a specific label.

  • API Protection uses a positive security model based on strict conformity to the API contract spelled out in the OpenAPI definition of the protected API.
  • API Firewall enforces that security by blocking unwanted requests and preventing hackers from sending random requests to your APIs to fish for information.
  • Kubernetes Injector automatically deploys API Firewall within the Kubernetes pods to enforce security on all calls and responses, with less than a millisecond overhead.

Kubernetes Injector is installed using a Helm 3 chart, and by default installs a pre-built version of the injector published as 42crunch/kubernetes-injector:latest to our Docker Hub registry. For more details and to get the related resources, see our GitHub repository.

Labels and annotations for Kubernetes Injector

Kubernetes uses labels and annotations to identify objects or to add metadata to them. The main difference between the two is that labels are for internal use in Kubernetes and are therefore constrained in their structure and values, while annotations attach metadata that is external to Kubernetes and have fewer constraints. However, there are some of each that you must add to the Kubernetes deployment files for the APIs you want to protect. Otherwise the firewall injection fails.

Kubernetes Injector uses the label firewall-injection: enabled to identify the pods into which it should inject the API Firewall instance. Once installed, the injector keeps running as part of your deployment, listening to deployment events. Pods with the label firewall-injection: enabled trigger the webhook on Kubernetes Injector, and it injects an API Firewall instance into the deployed pod.

The webhook of Kubernetes Injector has been configured to only get triggered on pods with the label firewall-injection: enabled. If the label is missing or has any other value, the injection is not done.

Annotations on the other hand control the runtime configuration of the API Firewall instances that Kubernetes Injector injects into pods. By adding annotations to the deployment files for the APIs that you want to protect, you can define which values Kubernetes Injector uses in the environment variables for API Firewall. The naming convention for these annotations is xliic.com/ (a 42Crunch domain), followed by the annotation name.

Some annotations are mandatory and correspond to mandatory environment variables for API Firewall, which each instance needs to run successfully:

| Annotation | Description | Matching API Firewall variable |
| --- | --- | --- |
| xliic.com/protection-token | The name of the Kubernetes secret that contains the protection token. | PROTECTION_TOKEN |
| xliic.com/tls-secret-name | The name of the Kubernetes secret that contains the TLS secret for configuring firewall SSL. The TLS secret is required unless you want to use only HTTP connections to API Firewall (see Switch API Firewall to use HTTP connections). | LISTEN_SSL_CERT, LISTEN_SSL_KEY |
| xliic.com/server-name | The hostname where your API endpoint is exposed and that your clients will call to invoke your API. This is the address that the API Firewall instance listens on. | SERVER_NAME |
| xliic.com/container-port | The container port of the API Firewall container. | LISTEN_PORT |
| xliic.com/target-url | The backend URL where the API Firewall instance proxies requests to. | TARGET_URL |

If these annotations are not defined in the deployment file for the API to be protected, Kubernetes Injector cannot successfully inject an API Firewall instance into the pod.

Other annotations are optional, and give you further control over the deployment of the firewall instances:

| Annotation | Description |
| --- | --- |
| xliic.com/http-only | This annotation sets the environment variable LISTEN_NO_TLS in the firewall configuration, meaning that the TLS configuration is ignored. Set to enabled if you want to use only HTTP connections. |
| xliic.com/log-to-volume | The name of the Kubernetes persistent volume claim, if you want the firewall instance to write logs to persistent storage. |
| xliic.com/env-configmap | The name of the Kubernetes ConfigMap object. |
| xliic.com/debug | Trace level for the Kubernetes Injector. Set to enabled if you want to increase the trace level to debug for firewall startup. |
| xliic.com/inject-secret-env-jwk | The name of the Kubernetes secret and secret key separated by / (for example jwk/key) that populate the data for the JWK environment variable. This annotation is required if you are applying protections for JWT validation to API Firewall. |
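The following is an added example, not code from 42Crunch or the injector itself: a pre-admission check that applies the label rule and the mandatory/optional annotation rules described above to a constructed pod manifest, so you can catch a misconfigured deployment before the webhook refuses it. The pod contents, the exact value written to LISTEN_NO_TLS, and the idea that each variable simply carries the annotation's value (rather than a secret mount) are assumptions made for illustration.

```python
"""Constructed check mirroring the Kubernetes Injector label/annotation contract.

Not the injector's own code: it only models the rules stated in the docs.
"""

PREFIX = "xliic.com/"            # 42Crunch annotation namespace
FIREWALL_LABEL = "firewall-injection"

# Mandatory annotation suffix -> API Firewall variable(s) it feeds
MANDATORY = {
    "protection-token": ["PROTECTION_TOKEN"],
    "tls-secret-name": ["LISTEN_SSL_CERT", "LISTEN_SSL_KEY"],
    "server-name": ["SERVER_NAME"],
    "container-port": ["LISTEN_PORT"],
    "target-url": ["TARGET_URL"],
}

SAMPLE_POD = {  # constructed manifest fragment, not from the page
    "metadata": {
        "labels": {"app": "petstore", FIREWALL_LABEL: "enabled"},
        "annotations": {
            PREFIX + "protection-token": "petstore-protection-token",
            PREFIX + "tls-secret-name": "petstore-tls",
            PREFIX + "server-name": "petstore.example.com",
            PREFIX + "container-port": "8443",
            PREFIX + "target-url": "http://localhost:8080",
        },
    }
}


def should_inject(pod: dict) -> bool:
    """Webhook trigger rule: only the exact label value 'enabled' injects."""
    labels = pod.get("metadata", {}).get("labels", {})
    return labels.get(FIREWALL_LABEL) == "enabled"


def firewall_env_sources(pod: dict) -> dict:
    """Map annotations to the firewall variables they populate.

    Raises ValueError when a mandatory annotation is missing, which is the
    case in which the injector cannot inject the sidecar. The TLS secret is
    exempt when http-only is enabled. Values are the annotation strings
    (secret names or literals); how the injector materialises secrets is an
    assumption left out here.
    """
    ann = pod.get("metadata", {}).get("annotations", {})
    http_only = ann.get(PREFIX + "http-only") == "enabled"
    missing = [k for k in MANDATORY if PREFIX + k not in ann
               and not (http_only and k == "tls-secret-name")]
    if missing:
        raise ValueError("missing mandatory annotations: " + ", ".join(missing))
    env = {v: ann[PREFIX + k] for k, vs in MANDATORY.items()
           if PREFIX + k in ann for v in vs}
    if http_only:
        env["LISTEN_NO_TLS"] = "enabled"  # value is an assumption; TLS config ignored
    if PREFIX + "inject-secret-env-jwk" in ann:
        env["JWK"] = ann[PREFIX + "inject-secret-env-jwk"]  # "secret/key" reference
    return env
```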