How to Secure Your Kubernetes with Ingress-Nginx and SafeLine

Lulu - Sep 13 - Dev Community

Integrating Ingress-Nginx with SafeLine Community Edition

Prerequisites:

  • SafeLine version ≥ 5.6.0

Preparing SafeLine Configuration

First, configure SafeLine by using a ConfigMap to define the detection engine's host and port. Below is an example configuration:

# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host"  # Replace with your SafeLine detection engine address
  port: "8000"           # Default port for SafeLine

To create the ConfigMap in Ingress-Nginx, run the following commands:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml

Fresh Installation with Helm

If you don't have Ingress-Nginx installed yet, you can install it using Helm. For detailed instructions, refer to the Ingress-Nginx official documentation.
Once ready, replace the image and configure the SafeLine plugin by using the following values.yaml:

# values.yaml
controller:
  kind: DaemonSet
  image:
    registry: docker.io
    image: chaitin/ingress-nginx-controller
    tag: v1.10.1
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local  # To capture real client IPs
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: chaitin/ingress-nginx-kube-webhook-certgen
        tag: v1.4.1

To install the controller, use this command:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  -f values.yaml

Build Your Own Ingress-Nginx Image

If you'd prefer to build the image yourself, here’s a sample Dockerfile that adds the SafeLine plugin:

FROM registry.k8s.io/ingress-nginx/controller:v1.10.1
USER root
RUN apk add --no-cache make gcc unzip wget
# Install Luarocks
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0 luarocks-3.11.0.tar.gz
RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline
USER www-data

Adding SafeLine to Existing Ingress-Nginx Installations

Step 1: Install the SafeLine Plugin

Refer to the Dockerfile above and use luarocks to install the SafeLine plugin in your default Nginx plugin directory.

Step 2: Configure the SafeLine Plugin

Use the safeline.yaml file to create the necessary ConfigMap:

kubectl apply -f safeline.yaml

In your Ingress-Nginx configuration, enable the SafeLine plugin:

# ingress-nginx-controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  plugins: "safeline"

Step 3: Inject SafeLine Environment Variables

Add the environment variables to your Ingress-Nginx Deployment or DaemonSet so the SafeLine plugin can read them:

# ingress-nginx-controller-deployment.yaml
...
env:
  - name: SAFELINE_HOST
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: host
  - name: SAFELINE_PORT
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: port

Step 4: (Optional) Capture Real Client IP

To capture real client IP addresses, ensure that the externalTrafficPolicy in your Nginx service is set to Local.

Testing SafeLine Plugin

You can test if the SafeLine plugin is working by simulating a malicious request:

curl http://localhost:80/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"

If everything is configured correctly, you should receive a 403 Forbidden response, indicating that the request was blocked by SafeLine:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}

You can check the SafeLine dashboard for more detailed attack logs.
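As a post-install check, here is an added Python script (not part of the post or the SafeLine project) that verifies the wiring from Steps 2 and 3 against `kubectl ... -o json` output and recognises SafeLine's block response to the test request above. The kubectl output and block body embedded below are constructed samples, and the function names `config_findings`, `block_event_id` and `probe` are my own.

```python
import json
from urllib import error, request

# Constructed sample of `kubectl -n ingress-nginx get cm ingress-nginx-controller -o json`
CONTROLLER_CM = json.dumps({"data": {"plugins": "safeline"}})

# Constructed sample of the controller container's env list (from its Deployment/DaemonSet)
CONTROLLER_ENV = json.dumps([
    {"name": "SAFELINE_HOST", "valueFrom": {"configMapKeyRef": {"name": "safeline", "key": "host"}}},
    {"name": "SAFELINE_PORT", "valueFrom": {"configMapKeyRef": {"name": "safeline", "key": "port"}}},
])

# Constructed block response, mirroring the JSON body shown in the post
BLOCK_BODY = ('{"code": 403, "success": false, "message": "blocked by Chaitin SafeLine '
              'Web Application Firewall", "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"}')

def config_findings(controller_cm_json, env_json):
    """Return misconfigurations in the plugin wiring; an empty list means it matches the guide."""
    findings = []
    plugins = json.loads(controller_cm_json).get("data", {}).get("plugins", "")
    if "safeline" not in [p.strip() for p in plugins.split(",")]:
        findings.append("controller ConfigMap: 'plugins' does not list safeline")
    env = {e["name"]: e for e in json.loads(env_json)}
    for var, key in (("SAFELINE_HOST", "host"), ("SAFELINE_PORT", "port")):
        ref = env.get(var, {}).get("valueFrom", {}).get("configMapKeyRef", {})
        if ref.get("name") != "safeline" or ref.get("key") != key:
            findings.append(f"{var} is not sourced from ConfigMap safeline/{key}")
    return findings

def block_event_id(status, body):
    """Return SafeLine's event_id when (status, body) is a WAF block, else None."""
    if status != 403:
        return None
    try:
        data = json.loads(body)
    except ValueError:  # a plain-text 403 came from something other than the plugin
        return None
    if data.get("code") == 403 and "SafeLine" in data.get("message", ""):
        return data.get("event_id")
    return None

def probe(url, host, user_agent):
    """Send one request through the ingress; urllib raises on 403, so catch it to keep the body."""
    req = request.Request(url, headers={"Host": host, "User-Agent": user_agent})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as err:
        return err.code, err.read().decode()
```

Run `probe("http://localhost:80/", "example.com", <the test User-Agent from the curl command above>)` and pass the result to `block_event_id`; the returned event_id is the one to look up on the SafeLine dashboard.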


By following this guide, you'll have Ingress-Nginx integrated with SafeLine, helping you enhance the security of your Kubernetes clusters with minimal effort.
