Kubernetes

To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources.

Prerequisites

  • Deploy the cert-manager in your Kubernetes cluster.

For an easy start in non-production environments, you may deploy the same cert-manager we use for internal testing. Note that the provided files are not intended for production use. For production environments, consult the cert-manager installation instructions for Kubernetes in the manual (Install cert-manager).

# Deploy the cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/

# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager

Deploy Airlock Microgateway

  1. Deploy the Airlock Microgateway CustomResourceDefinitions:
     kubectl apply -k https://github.com/airlock/microgateway/deploy/crds/
  2. Deploy the Airlock Microgateway roles:
     kubectl apply -k https://github.com/airlock/microgateway/deploy/crd-rbac/
  3. Deploy the Airlock Microgateway Operator:
     kubectl apply -k https://github.com/airlock/microgateway/deploy/deployment/
  4. Verify that the Airlock Microgateway Operator started successfully:
     kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m

As mentioned in Requirements and Limitations, the web application Pods that the Microgateway Engine is injected into must be permitted to use the NET_ADMIN capability and to run in privileged mode, so the serviceAccount those Pods run under must be allowed this. Ensure that PodSecurityPolicy, Open Policy Agent Gatekeeper, Kyverno, or whatever other policy enforcement the cluster uses does not reject such Pods at admission.
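As an added example (not from the Airlock documentation): if the cluster enforces the Pod Security Standards through Kubernetes' built-in Pod Security Admission controller, the namespace holding the protected web application must allow the privileged profile, because both the baseline and restricted profiles reject privileged containers and the NET_ADMIN capability. The namespace name webapp is a placeholder.

```yaml
# Added example, not part of the Airlock documentation.
# Assumes the cluster uses the built-in Pod Security Admission controller;
# the namespace name "webapp" is a placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: webapp
  labels:
    # Pods that need NET_ADMIN and privileged mode are rejected under the
    # "baseline" and "restricted" profiles, so enforcement must be "privileged"
    # in the namespace that receives the injected Microgateway Engine.
    pod-security.kubernetes.io/enforce: privileged
    # Keep warn/audit at "restricted" so other workloads in this namespace
    # that do not need these privileges are still flagged in warnings and
    # the audit log, even though they are admitted.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before annotating real workloads, a server-side dry run of the web application manifest (kubectl apply --dry-run=server -f <pod-manifest>) surfaces an admission rejection from this controller, or from Gatekeeper or Kyverno, without creating anything. Scope the privileged profile to the namespaces that actually host protected applications rather than relaxing it cluster-wide.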

ClusterRoles to interact with Airlock Microgateway CustomResources

The roles manifest deployed above (deploy/crd-rbac) contains two ClusterRoles for each CRD, one with viewer and one with editor rights.
They follow the naming schema below:

airlock-microgateway-operator-<CRD name>-editor 
airlock-microgateway-operator-<CRD name>-viewer

As example for the CRD SidecarGateway:

airlock-microgateway-operator-sidecargateway-editor 
airlock-microgateway-operator-sidecargateway-viewer

Users who must be able to create and view Airlock Microgateway CRs need the corresponding -editor ClusterRoles bound to their user. Users who only need to view Airlock Microgateway CRs (read-only) need the corresponding -viewer ClusterRoles bound to their user.

Because each CRD comes with its own pair of ClusterRoles, administrators can grant access at a fine granularity, per CRD and per namespace.
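As an added example (not from the Airlock documentation) of binding these ClusterRoles with least privilege: a RoleBinding that references a ClusterRole grants its rules only inside the binding's namespace, so the editor role can be confined to the namespace a team owns, while the read-only viewer role can safely be granted cluster-wide through a ClusterRoleBinding. The namespace webapp, the user alice and the group platform-readers are placeholders; the ClusterRole names are the SidecarGateway ones from the naming schema above.

```yaml
# Added example, not part of the Airlock documentation.
# "webapp", "alice" and "platform-readers" are placeholders.
#
# RoleBinding -> ClusterRole: alice may create/edit/delete SidecarGateway CRs
# in the "webapp" namespace only, nowhere else in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sidecargateway-editor-alice
  namespace: webapp
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: airlock-microgateway-operator-sidecargateway-editor
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRoleBinding -> ClusterRole: read-only access to SidecarGateway CRs
# in every namespace, e.g. for an operations or SOC group that reviews
# the deployed gateway configuration but must not change it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sidecargateway-viewer-platform-readers
subjects:
  - kind: Group
    name: platform-readers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: airlock-microgateway-operator-sidecargateway-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying, check the effective rights with impersonation, e.g. kubectl auth can-i create sidecargateways -n webapp --as alice (expected: yes) and the same command with -n default (expected: no); the plural resource name sidecargateways is an assumption, so confirm it with kubectl api-resources first. Grant the -editor roles for the other CRDs the same way, only in the namespaces where those CRs are actually managed.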

What's next

After deploying the Airlock Microgateway Operator in your Kubernetes cluster, the following steps are required:

  1. Annotate the web application Pods to protect as explained in Annotations for Microgateway Engine injection.
  2. Create the CustomResources to configure the Airlock Microgateway as outlined in Configuration.