Configuration

Within the Kubernetes cluster, the Microgateway Operator container injects the Airlock Microgateway containers into the Web application Pod and operates them. This section shows how these pieces are connected and what exactly the Microgateway Operator modifies and does.

The following example illustrates the setup when no service mesh is used. It shows two namespaces: one for the Microgateway Operator Pod and a second one for the Web application Pod.

Airlock Microgateway configuration concept

The Microgateway Operator reads its configuration from the Microgateway Operator Configuration at startup. This configuration contains settings such as the templates that are used to inject the Microgateway containers. The Microgateway Operator then watches for Pod events such as create, update or delete.

Steps to secure a Web application Pod:

  1. Create a Custom Resource ContentSecurity in the Web application namespace with the required references to additional CRs such as DenyRules.
  2. Create a Custom Resource SidecarGateway in the Web application namespace and refer to the Custom Resource ContentSecurity created previously.
  3. In the Custom Resource SidecarGateway, configure the container port that should be protected. It must be the same port as in the Pod specification; otherwise the Microgateway Engine does not sit in front of the application.
  4. In the Custom Resource SidecarGateway, configure the podSelector to match the Web application Pods that should be protected. It must correspond to the labels in the Pod specification; otherwise the SidecarGateway does not apply to the Pod.
  5. Annotate the Web application Pod with sidecar.microgateway.airlock.com/inject: "true".
  6. The Microgateway Operator is triggered by the annotation set previously and does the following:
    • It injects the initContainer for the Microgateway Network Manager. The exact content is retrieved from the files shown in green in the figure above.
    • It injects the sidecar container Microgateway Engine with the bootstrap configuration. The exact content is retrieved from the files shown in green in the figure above.
    • It adds the label sidecar.microgateway.airlock.com/injected: "true" to the Web application Pod.
  7. The Microgateway Engine subscribes to the configuration from the Microgateway Operator. The Microgateway Operator generates the configuration based on the Custom Resources such as SidecarGateway and the resources they reference.
The example describes the simplest setup. Although not outlined explicitly, the following are also possible:
  • Create a Kubernetes Deployment, StatefulSet, or DaemonSet and annotate the Pod with Microgateway annotations in spec.template.metadata.annotations.
  • Configure other Microgateway annotations described in this manual.
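The following manifests put the steps above together for one Web application, using the Deployment variant mentioned in the note (annotation in spec.template.metadata.annotations). They are an added example and not configuration from this manual or from the Airlock Microgateway project: the namespace backend, the names backend, the label app: backend, the image and the port 8080 are assumptions, and the field paths spec.podSelector, spec.applications[].containerPort, spec.applications[].contentSecurity.name and spec.apiProtection.denyRules.name are written from memory of the v1alpha1 CRDs and should be checked against the installed CRDs with kubectl explain before use. The comments mark the two places where the values must agree with the Pod specification.

```yaml
# Constructed example: one Web application secured by an injected
# Microgateway Engine sidecar. All names, labels and the port are assumptions.
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: backend              # assumed name, referenced by the ContentSecurity below
  namespace: backend         # assumed namespace of the Web application
spec: {}                     # assumption: empty spec selects the built-in default deny rules
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurity
metadata:
  name: backend              # referenced by the SidecarGateway below
  namespace: backend
spec:
  apiProtection:             # field path assumed; verify with: kubectl explain contentsecurity.spec
    denyRules:
      name: backend          # must match the DenyRules metadata.name above
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
  name: backend
  namespace: backend         # same namespace as the Web application Pod
spec:
  podSelector:
    matchLabels:
      app: backend           # CHECK 1: must correspond to the Pod template labels below
  applications:
    - containerPort: 8080    # CHECK 2: must be the same port as in the Pod specification below
      contentSecurity:
        name: backend        # must match the ContentSecurity metadata.name above
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend         # CHECK 1: selected by spec.podSelector of the SidecarGateway
      annotations:
        sidecar.microgateway.airlock.com/inject: "true"   # triggers the Operator
    spec:
      containers:
        - name: backend
          image: example.invalid/backend:1.0   # assumed application image
          ports:
            - containerPort: 8080              # CHECK 2: protected port of the SidecarGateway
```

After applying the manifests, confirm that the Operator acted by listing the Pods that carry the label it adds, kubectl get pods -n backend -l sidecar.microgateway.airlock.com/injected=true, and by checking that the Pod now has the Network Manager initContainer and the Microgateway Engine container in kubectl describe pod. If the Pod is missing from that list, the annotation was not set on the Pod template or the Operator was not watching the namespace; if it is injected but traffic bypasses the Engine, CHECK 1 and CHECK 2 are the first things to compare.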