Requirements and Limitations

Ensure the following requirements are met in order to run Airlock Microgateway successfully. Note that in addition to the following requirements, a valid license is required to operate Airlock Microgateway.

Platform requirements

Airlock Microgateway runs on Kubernetes version >= 1.25 and Istio >= 1.14.5. To ensure compatibility, we run automated tests with the following Kubernetes distributions:

| Kubernetes distribution                          | Version      | Description          |
|--------------------------------------------------|--------------|----------------------|
| Google Kubernetes Engine                         | 1.25         |                      |
| Anthos Service Mesh on Google Kubernetes Engine  | 1.15.7-asm.8 | Istio version 1.15.7 |
| OpenShift                                        | 4.12.13      |                      |
| Red Hat OpenShift Service Mesh                   | 2.3.3        | Istio version 1.14.5 |

Pod requirements

To protect the web application Pod, the following requirements must be satisfied:

  • The injected Microgateway Network Manager sidecar requires the NET_ADMIN capability and must run in privileged mode. Ensure that the serviceAccount of your web application Pod has sufficient rights to run a container this way.

Kubernetes resource requirements

The Airlock Microgateway default installation defines the following Kubernetes resource requirements:

| Deployment                                       | Airlock Microgateway container image                   | Kubernetes resource | CPU   | Memory |
|--------------------------------------------------|--------------------------------------------------------|---------------------|-------|--------|
| airlock-microgateway-operator-controller-manager | Airlock Microgateway Operator                          | requests            | 10m   | 128Mi  |
|                                                  |                                                        | limits              | 500m  | 1Gi    |
| Protected web application                        | Airlock Microgateway Network Manager (init container)  | requests            | 10m   | 40Mi   |
|                                                  |                                                        | limits              | 200m  | 256Mi  |
|                                                  | Airlock Microgateway Engine (sidecar container)        | requests            | 10m   | 40Mi   |
|                                                  |                                                        | limits              | 2000m | 1Gi    |
| airlock-microgateway-license-guard               | Microgateway License Guard                             | requests            |       |        |
|                                                  |                                                        | limits              |       |        |
|                                                  | StatsD Exporter                                        | requests            |       |        |
|                                                  |                                                        | limits              |       |        |
| airlock-microgateway-license-guard-redis         | Redis                                                  | requests            |       |        |
|                                                  |                                                        | limits              |       |        |

Network communication

The following network communication is required:

| From Pod                      | To service                        | To namespace                 | To port | To protocol |
|-------------------------------|-----------------------------------|------------------------------|---------|-------------|
| Protected web application Pod | airlock-microgateway-operator-xds | airlock-microgateway-system  | 13377   | TCP         |
| Protected web application Pod | airlock-microgateway-license-guard| airlock-microgateway-system  | 13378   | TCP         |
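
The network communication listed above, expressed as a least-privilege egress NetworkPolicy for a protected web application Pod. This is an added example, not a manifest from the Airlock documentation: the policy name, the namespace `my-app-ns`, the Pod label `app: my-web-app` and the kube-dns label are assumptions, and the namespace match relies on the standard `kubernetes.io/metadata.name` label that Kubernetes sets on every namespace.

```yaml
# Added example (not from the Airlock documentation): egress policy derived
# from the "Network communication" table on this page.
# Assumptions: protected Pods carry the label app: my-web-app in namespace
# my-app-ns; cluster DNS runs in kube-system with the label k8s-app: kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-airlock-microgateway-egress   # assumed name
  namespace: my-app-ns                      # assumed application namespace
spec:
  podSelector:
    matchLabels:
      app: my-web-app                       # assumed label of the protected Pod
  policyTypes:
    - Egress
  egress:
    # Operator xDS endpoint (TCP 13377) and License Guard (TCP 13378),
    # both in the airlock-microgateway-system namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: airlock-microgateway-system
      ports:
        - protocol: TCP
          port: 13377
        - protocol: TCP
          port: 13378
    # Cluster DNS so the two service names above can be resolved
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The policy covers only what the table lists; any other egress the Pod needs (the application's own backends, or mesh control-plane traffic if your Istio setup requires it) has to be added in a separate rule, and a policy like this only takes effect when the cluster's CNI enforces NetworkPolicy.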

Additional components

Airlock Microgateway requires the following components in order to run:

| Component    | Tested version | Description                                                                                                                 |
|--------------|----------------|-----------------------------------------------------------------------------------------------------------------------------|
| cert-manager | 1.11.0         | cert-manager is required to secure the connection between the Kubernetes API server and the Microgateway Operator webhook. |

To install cert-manager, follow the manual "(Kubernetes) Install cert-manager".

Limitations

  • Airlock Microgateway is only available for x64 CPU architectures.
  • The Airlock Microgateway Operator can run only in AllNamespaces mode. The Operator watches and operates the Microgateway containers in all Kubernetes namespaces. Therefore, only one Airlock Microgateway version can be deployed and operated in the whole Kubernetes cluster.
  • The Airlock Microgateway Operator injects the Microgateway Network Manager as an init container into the protected web application Pod. The Microgateway Network Manager sets up the redirection of the Pod's network traffic to and from the Microgateway Engine container. We currently do not have an Airlock Microgateway CNI plugin that could be used instead of the Microgateway Network Manager init container.