Configuration

Within the Kubernetes cluster, the Microgateway Operator container injects and operates the Airlock Microgateway containers in the Web application Pod. This section shows how these pieces are connected together and what exactly is modified and done by the Microgateway Operator. It also covers the network configuration task of the Microgateway CNI plugin, which configures the network routing through Microgateway Engine sidecars within Web application Pods.

The following example illustrates the setup when no service mesh is used. The setup shows two namespaces, one for the Microgateway Operator Pod and a second one with the Web application Pod.

Figure: Airlock Microgateway configuration concept

Initial Microgateway Operator configuration
  1. The Microgateway Operator reads its configuration from the Microgateway Operator Configuration at startup. The configuration contains settings such as the templates used to inject the Microgateway containers.
  2. The Microgateway Operator watches for events such as Pod create, update, or delete.

Steps to secure a Web application Pod in the Namespace X:
  1. Create a Custom Resource ContentSecurity in the namespace of the Web application with the required references to additional CRs such as DenyRules.
  2. Create a second Custom Resource of the kind SidecarGateway in the Web application's namespace and refer to the Custom Resource ContentSecurity created previously.
  3. In the Custom Resource SidecarGateway, configure the container port that should be protected. Ensure that it is the same port as in the Pod specification.
  4. In the Custom Resource SidecarGateway, configure the podSelector to match the Web application Pods that should be protected. Ensure that it corresponds to the labels in the Pod specification.
  5. Annotate the Web application Pod with sidecar.microgateway.airlock.com/inject: "true".
  6. The Microgateway Operator and the Microgateway CNI plugin are triggered by the creation of the Pod with the annotation set previously.
     • The Operator:
       • Injects the sidecar container Microgateway Engine with the bootstrap configuration. The exact content is retrieved from the Operator ConfigMap.
       • Adds the label sidecar.microgateway.airlock.com/injected: "true" to the Web application Pod.
     • The Microgateway CNI plugin:
       • Configures the network inside the Web application Pod so that all traffic is routed through the Microgateway Engine sidecar.
  7. The Microgateway Engine subscribes to the configuration from the Microgateway Operator. The Microgateway Operator generates the configuration based on the Custom Resources such as SidecarGateway and the referenced resources.

The example describes the simplest setup. Although not outlined explicitly, the following things are possible:
  • Create a Kubernetes Deployment, StatefulSet, or DaemonSet and annotate the Pod with Microgateway annotations in spec.template.metadata.annotations.
  • Configure other Microgateway annotations described in this manual.
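The manifests that the steps above describe, written out as an added example that is not part of the Airlock documentation: a ContentSecurity, a SidecarGateway whose podSelector and port must agree with the Pod template, and a Deployment carrying the inject annotation. The API version and the exact spec field layout of the two Custom Resources (podSelector.matchLabels, applications[].containers[].port, applications[].contentSecurity.name) are assumptions to verify against the CRD reference of your Microgateway version; names, namespace and image are constructed placeholders.

```yaml
# Assumed API version and spec layout; check against the CRD reference.
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurity
metadata:
  name: webapp-security
  namespace: namespace-x
spec: {}   # assumed: empty spec uses defaults; reference DenyRules etc. here
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
  name: webapp-gateway
  namespace: namespace-x      # same namespace as the Web application
spec:
  podSelector:
    matchLabels:
      app: webapp             # must equal the Pod template labels below
  applications:
    - containers:
        - port: 8080          # must equal containerPort of the Web application
      contentSecurity:
        name: webapp-security # references the ContentSecurity created above
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: namespace-x
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp           # matched by spec.podSelector of the SidecarGateway
      annotations:
        # Annotation goes on the Pod template, not on the Deployment metadata.
        sidecar.microgateway.airlock.com/inject: "true"
    spec:
      containers:
        - name: webapp
          image: registry.example.com/webapp:1.0   # placeholder image
          ports:
            - containerPort: 8080                  # the protected port
```

After applying, a Pod created from this template should carry the label sidecar.microgateway.airlock.com/injected: "true" and an additional Microgateway Engine container; a Pod whose labels or port do not match the SidecarGateway is not protected even though the sidecar was injected.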