Running the "Free WAF" SafeLine on Kubernetes

ButterflyI8 - Aug 19 - Dev Community

Preface

Recently, I've been learning about Kubernetes (k8s) and wanted to deploy some applications on it to practice. I gave SafeLine a try and have compiled a simple guide outlining the configuration process I followed.

GitHub Repository: SafeLine on GitHub
Official Website: SafeLine Website
Live Demo: SafeLine Demo

Runtime Environment

System: Ubuntu 22.04
Configuration: 2 CPU cores, 8GB RAM
Disk: 40GB
Tools: minikube v1.31.1
SafeLine v2.4.0

Configuration Files and Related Settings

The configuration files were obtained by making certain modifications to the YAML files generated by the kompose tool. They are divided into two parts: the main operating module configuration file for the WAF, and the configuration file for the storage database. Since the database configuration does not specifically include persistence settings, if you have your own database cluster, you can refer to steps 1 and 2 in the second section to make corresponding changes to the configuration.

After downloading the configuration files, move them to the appropriate directory and unzip them manually:

tar -xzvf safeline-k8s-configs.tar.gz
tar -xzvf safeline-k8s-db.tar.gz

Step 1: Upload Images

First, you need to upload the offline images to a Docker registry. Then, use the following script to load them into the minikube cluster. (You can find the offline images for download on the official website.)

minikube image load chaitin/safeline-tengine \
                    chaitin/safeline-mgt-api \
                    chaitin/safeline-mario \
                    chaitin/safeline-detector

After the process is completed, you can run minikube image ls to see the corresponding images listed.

Step 2: Modify Database Information

  • Open the file management-deployment.yaml. Replace safeline-ce:${POSTGRES_PASSWORD} with your database user and password, and change the part after @ in @safeline-postgres to the domain name of your postgres database service in your Kubernetes cluster.


  • Open the file mario-deployment.yaml. Similarly, replace safeline-ce:${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} with the corresponding database information. Also, replace the part after @ with the appropriate domain name.


  • If there is no corresponding database in the cluster yet, you can use the provided database configuration file for simple testing. (Consider carefully before using it long term.) When using the test database, you only need to change the passwords in the first two steps. First, run the following script to generate random passwords:

echo "POSTGRES_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
echo "REDIS_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" >> .env
cat .env

Then, open postgres-deployment.yaml and redis-deployment.yaml respectively, and copy the generated passwords to the corresponding locations.

[Screenshot: postgres-deployment]

[Screenshot: redis-deployment]
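The password steps above, scripted as an added example (not part of the original post or the SafeLine project): it generates each password once, keeps .env readable by its owner only, fills the ${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} placeholders into a copy of a manifest, and refuses to produce a file with a placeholder left over. The function names and the rendered/ output directory are assumptions; the rendered copies hold the passwords in clear text, so keep them out of version control.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# One 32-character alphanumeric password, same recipe as the post.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Add KEY=<password> to ENV_FILE only when KEY is absent, so a second run
# does not append a conflicting value the way a bare ">> .env" would.
ensure_secret() { # usage: ensure_secret KEY ENV_FILE
  local key=$1 env_file=$2
  ( umask 077; touch "$env_file" )   # owner-only if newly created
  chmod 600 "$env_file"
  grep -q "^${key}=" "$env_file" ||
    printf '%s=%s\n' "$key" "$(gen_password)" >>"$env_file"
}

# Copy SRC to DST with ${POSTGRES_PASSWORD} and ${REDIS_PASSWORD} filled in.
# Fails when a password is missing, is not alphanumeric (unsafe inside the
# sed replacement and the connection URL), or a ${...} placeholder remains.
render_manifest() { # usage: render_manifest ENV_FILE SRC DST
  local env_file=$1 src=$2 dst=$3 pg redis v
  pg=$(sed -n 's/^POSTGRES_PASSWORD=//p' "$env_file" | head -n 1)
  redis=$(sed -n 's/^REDIS_PASSWORD=//p' "$env_file" | head -n 1)
  for v in "$pg" "$redis"; do
    case $v in
      ''|*[!A-Za-z0-9]*) echo "missing or non-alphanumeric password in $env_file" >&2; return 1 ;;
    esac
  done
  ( umask 077
    sed -e "s/[$]{POSTGRES_PASSWORD}/${pg}/g" \
        -e "s/[$]{REDIS_PASSWORD}/${redis}/g" "$src" >"$dst" ) || return 1
  if grep -q '[$]{[A-Za-z_]*}' "$dst"; then
    echo "unresolved placeholder in $dst" >&2
    return 1
  fi
}

# Usage, from the directory that holds the manifests:
#   ensure_secret POSTGRES_PASSWORD .env; ensure_secret REDIS_PASSWORD .env
#   mkdir -p rendered
#   render_manifest .env management-deployment.yaml rendered/management-deployment.yaml
```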

Step 3: Starting Containers

First, ensure that the database is up and running, and then proceed to start the WAF. To apply all the configuration files at once:

# First, cd into the directory containing the configuration files
kubectl apply -f .

I've also written a simple script under safeline-k8s-configs to start the process. You can run it by executing bash ./start.sh.

To check the specific running status, you can use kubectl get all to view the pods after starting. Here's an example of the pod status after starting:


Step 4: Testing

First, run kubectl apply -f test-server.yaml in the directory containing the SafeLine configuration files to deploy a test server. This server runs python3 -m http.server 8089, and its configuration also opens a nodePort on port 30007.

Open management-deployment.yaml to view the nodePort under the user-port section. This item can be changed, or Kubernetes can automatically assign one for you.

After that, run kubectl get nodes -o wide to obtain the IP address of the running node. You can then access the WAF management interface by appending the nodePort to the IP address, for example, accessing 192.168.49.2:30018 in this case.


P.S.

The above is the access method via nodePort. If you need to directly access an internal port, such as port 9443 for the management service, you can run: kubectl port-forward service/safeline-management 9440:9443. Then, open a new terminal to access it through localhost:9440.

For more access methods, see kubectl proxy and the related Kubernetes documentation.

After opening the SafeLine (WAF) management page, you can configure websites.

At this point, you can access the server by using curl 192.168.49.2:30080. This is because the configuration has mapped port 80 of the Tengine container to node port 30080, allowing successful forwarding through Tengine.
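
An added example (not from the original post) that lists every nodePort the manifests would open before you run kubectl apply, and fails when one is not on an allow-list. That is one way to notice that the management port is published on the node when you meant to reach it only through kubectl port-forward. It assumes block-style YAML with metadata.name indented two spaces; the function names and the allow-list policy are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print "<service> <port-name> <nodePort>" for each nodePort found in
# Service documents of the given manifest files.
list_nodeports() {
  awk '
    { gsub(/"/, "") }                                  # drop quotes around values
    /^---/                  { kind = ""; svc = ""; pname = "" }  # next YAML document
    /^kind:/                { kind = $2 }
    /^  name:/ && svc == "" { svc = $2 }               # metadata.name
    /^ +- /                 { pname = "" }             # next list item
    /^ +(- )?name:/ && !/^  name:/ { pname = $NF }     # ports[].name
    /^ +(- )?nodePort:/ && kind == "Service" {
      print svc, (pname == "" ? "-" : pname), $NF
    }
  ' "$@"
}

# Return non-zero and name the offending entries when a nodePort is not in
# ALLOWED, a space-separated list such as "30080".
audit_nodeports() { # usage: audit_nodeports "ALLOWED PORTS" FILE...
  local allowed=$1
  shift
  list_nodeports "$@" | awk -v allowed=" $allowed " '
    index(allowed, " " $3 " ") == 0 {
      print "unexpected nodePort " $3 " on service " $1 " (" $2 ")"
      bad = 1
    }
    END { exit bad + 0 }'
}

# Usage, from the directory that holds the manifests:
#   audit_nodeports "30080" *.yaml && kubectl apply -f .
```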
