Deploy API Firewall with Kubernetes Injector

Kubernetes Injector for API Firewall is a Kubernetes Admission Controller that allows you to automatically protect APIs exposed by your microservices deployed in Kubernetes. The injector automatically injects an API Firewall instance in sidecar mode into Kubernetes pods marked with a specific label.

Before you start, make sure you have Helm installed and configured. For more details on Helm charts, see Helm documentation.

Install the injector with Helm chart

Kubernetes Injector is installed using a Helm 3 chart, and by default installs a pre-built version of the injector published as 42crunch/kubernetes-injector:latest to our Docker Hub registry.

  1. Clone our GitHub repository to get the required resources to run Kubernetes Injector.
  2. Run the Helm install command:
    • Most users: The following installs the Kubernetes Injector with default configuration:
      helm install injector ./helm/xliic-injector --namespace injector-ns --create-namespace
    • Enterprise users: If you are an enterprise customer not accessing 42Crunch Platform at https://platform.42crunch.com, add the flag --set and point the parameter apifirewall.platform to the correct endpoint:
      helm install injector ./helm/xliic-injector --set apifirewall.platform=protection.<your hostname>.com:8001 --namespace injector-ns --create-namespace

      This is optional and most users do not have to do this. If you are not sure what your platform URL is, contact our support.

Helm pulls the Kubernetes Injector Docker image from the registry and installs it as part of your Kubernetes ecosystem.

The injector keeps running until you uninstall it:

helm uninstall injector --namespace injector-ns

Define parameters for the injector

In most cases the default configuration of Kubernetes Injector is fine. If you want, you can define the parameters that Kubernetes Injector uses in the file values.yaml, so that the injector always runs with the same values.

  1. Open the file /helm/xliic-injector/values.yaml, and configure the values for the parameters that Kubernetes Injector uses when injecting API Firewall. Any parameter you do not set keeps its default value:
    apifirewall.image
      The API Firewall image tag, that is, which version of the API Firewall image Kubernetes Injector injects into pods. Defaults to latest; see the registry for the available firewall image versions. Because latest is a moving tag, pin a specific version if you need reproducible deployments.
      Default value: 42crunch/apifirewall:latest
    apifirewall.maxCpu
      The maximum CPU consumption that Kubernetes Injector allows for the injected API Firewall container.
      Default value: 500m
    apifirewall.maxMemory
      The maximum memory consumption that Kubernetes Injector allows for the injected API Firewall container.
      Default value: 500Mi
    apifirewall.platform
      The URL that API Firewall instances in your organization must use to connect to 42Crunch Platform. See Platform URL. The port is always 8001.
      Default value: protection.42crunch.com:8001
  2. Run helm upgrade to apply the changed configuration to an injector that is already installed, see Helm documentation.

You can also use the flag --set in your Helm install command to specify the values for all parameters. Parameter values specified in the command override the parameters specified in values.yaml.

Configure pods to trigger firewall injection

The webhook of Kubernetes Injector is configured to be triggered only on pods that carry the label firewall-injection, so you need to add this label to the pod template in the deployment files of the applications you want to protect with API Firewall. You must also include certain annotations before the injector can successfully inject an API Firewall instance into the pods.

  1. In 42Crunch Platform, make sure you have created a protection configuration that API Firewall can use and stored it as a Kubernetes secret. See Create a protection configuration.
  2. Make sure you have created a TLS keypair secret that API Firewall can use and stored it as a Kubernetes secret. TLS secret is required unless you want to use only HTTP connections to API Firewall (see Switch API Firewall to use HTTP connections).
  3. Open the Kubernetes deployment file for the API you want to protect.
  4. Add the label firewall-injection: enabled.
    #...
    template:
      metadata:
        labels:
          app: pixiapp
          firewall-injection: enabled
    # ...

    The webhook of Kubernetes Injector has been configured to only get triggered on pods with the label firewall-injection: enabled. If the label is missing or has any other value, the injection is not done.

  5. Define the following mandatory annotations to set the values Kubernetes Injector uses to populate the mandatory environment variables for API Firewall:
    xliic.com/protection-token
      The name of the Kubernetes secret that contains the protection token.
      Matching API Firewall variable: PROTECTION_TOKEN
    xliic.com/tls-secret-name
      The name of the Kubernetes secret that contains the TLS certificate and key the firewall listens with. The TLS secret is required unless you want to use only HTTP connections to API Firewall (see Switch API Firewall to use HTTP connections).
      Matching API Firewall variables: LISTEN_SSL_CERT, LISTEN_SSL_KEY
    xliic.com/server-name
      The hostname where your API endpoint is exposed and that your clients call to invoke your API. This is the address that the API Firewall instance listens on.
      Matching API Firewall variable: SERVER_NAME
    xliic.com/container-port
      The container port that the injected API Firewall container listens on. Your application container must not listen on the same port, because the sidecar shares the pod's network namespace.
      Matching API Firewall variable: LISTEN_PORT
    xliic.com/target-url
      The backend URL that the API Firewall instance proxies requests to, typically your application container reached over localhost.
      Matching API Firewall variable: TARGET_URL

    For more details, see API Firewall variables.

  6. If you want, define the following optional annotations:
    xliic.com/http-only
      Sets the environment variable LISTEN_NO_TLS in the firewall configuration, meaning that the TLS configuration is ignored. Set to enabled if you want to use only HTTP connections.
    xliic.com/log-to-volume
      The name of the Kubernetes persistent volume claim, if you want the firewall instance to write logs to persistent storage.
    xliic.com/env-configmap
      The name of the Kubernetes ConfigMap object that provides additional environment configuration for the firewall.
    xliic.com/debug
      Trace level for Kubernetes Injector. Set to enabled if you want to increase the trace level to debug for firewall startup.
    xliic.com/inject-secret-env-jwk
      The name of the Kubernetes secret and the secret key, separated by / (for example jwk/key), that populate the JWK environment variable. This annotation is required if you are applying JWT validation protections to API Firewall.
    #...
    template:
      metadata:
        labels:
          app: pixiapp
          firewall-injection: enabled
          # ...
        annotations:
          xliic.com/protection-token: "apifirewall-protection-token"
          xliic.com/tls-secret-name: "ssl-secret"
          xliic.com/server-name: pixi-api.company.com
          xliic.com/container-port: "8443"
          xliic.com/target-url: "http://localhost:80"
          xliic.com/debug: enabled
    # ...
  7. When ready, save your deployment file.

Once you have added the required label and annotations to the pod template in your deployment files, the pods that are deployed carry the label firewall-injection: enabled. Whenever such a pod is created, the webhook of Kubernetes Injector is triggered and an API Firewall instance is injected into the pod to protect the API. Injection happens only when a pod is created: pods that were already running when you added the label are not modified, so roll out the deployment again to recreate them.
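The fragments above show only the pod template. The following is an added example, not a manifest from the 42Crunch documentation or chart, that puts the label and mandatory annotations into a complete Deployment for the pixiapp API and adds the two pieces a practitioner usually forgets: a Service that routes client traffic to the injected firewall port instead of straight to the application, and a NetworkPolicy that blocks direct access to the application port from other pods. The namespace pixi, the application image and port, the Service and the NetworkPolicy are assumptions; the secret names are the ones used in the page's own example and must already exist (steps 1 and 2), and the NetworkPolicy only has effect if the cluster's CNI enforces network policies.

```yaml
# Added example (not from the 42Crunch documentation or chart).
# Assumptions: namespace "pixi", application image "pixiapp:1.0.0" listening
# on port 80, Secrets "apifirewall-protection-token" and "ssl-secret" already
# created in the same namespace as described in steps 1 and 2.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pixiapp
  namespace: pixi
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pixiapp
  template:
    metadata:
      labels:
        app: pixiapp
        # Must be exactly this value; anything else means no injection.
        firewall-injection: enabled
      annotations:
        # Mandatory annotations; the values become the firewall's
        # PROTECTION_TOKEN, LISTEN_SSL_*, SERVER_NAME, LISTEN_PORT and TARGET_URL.
        xliic.com/protection-token: "apifirewall-protection-token"
        xliic.com/tls-secret-name: "ssl-secret"
        xliic.com/server-name: "pixi-api.company.com"
        xliic.com/container-port: "8443"
        # The sidecar shares the pod network namespace, so the backend is
        # reached on localhost. Port 80 must differ from container-port.
        xliic.com/target-url: "http://localhost:80"
        # Optional: only needed when JWT validation protections are applied
        # (secret name and key are assumptions, see the annotation table).
        # xliic.com/inject-secret-env-jwk: "jwk/key"
    spec:
      containers:
        - name: pixiapp
          image: pixiapp:1.0.0   # placeholder image
          ports:
            - containerPort: 80
---
# Route the public endpoint to the firewall port (8443), not to the
# application's port 80; otherwise clients bypass the firewall entirely.
# targetPort may name a port of the injected container even though that
# container does not appear in the Deployment manifest.
apiVersion: v1
kind: Service
metadata:
  name: pixi-api
  namespace: pixi
spec:
  selector:
    app: pixiapp
  ports:
    - name: https
      port: 443
      targetPort: 8443
---
# Defense in depth (assumption: the CNI enforces NetworkPolicy): only the
# firewall port is reachable from other pods. The sidecar still reaches
# port 80 over the pod-local loopback, which network policies do not affect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pixiapp-firewall-only
  namespace: pixi
spec:
  podSelector:
    matchLabels:
      app: pixiapp
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - protocol: TCP
          port: 8443
```

After applying the manifests, check that the pods actually received the sidecar (for example by listing the containers of one pod) and that the Service endpoints point at port 8443; if the label value was mistyped or the annotations are missing, the pods start normally but without any firewall, which is easy to miss.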