To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources.
Prerequisites
- To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. To request and configure/change a license, see the article Licensing and license-dependent behavior.
- Deploy the
cert-managerin your Kubernetes cluster.
For an easy start in non-production environments, you may deploy the same cert-manager we are using for internal testing. Note that the files provided are not intended for production use! Consult the manual for productive environments (Kubernetes) Install cert-manager.
copy
# Deploy the cert-manager kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/ # Wait for the cert-manager to be up and running kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager
Deploy Airlock Microgateway CNI plugin
We recommend using the CNI Helm chart to install the Microgateway CNI Daemon Set and the necessary manifests described under method 1. If you want to customize the installation with the values.yaml file, follow the instructions of method 2.
After installation, follow the steps described in Verification to verify the correct installation of the CNI plugin.
If the Microgateway CNI plugin is not installed properly, the web application could be exposed unprotected.
- Method 1
- Choose the
<environment>and run the following command:
copy
kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl apply -f -
- Method 2
- Clone the git repository.
- Make your changes in the
values.yamlfile as required. - Choose the
<environment>and run the following command:
copy
git clone https://github.com/airlock/microgateway.git
copy
helm install -n kube-system airlock-microgateway-cni ./microgateway/deploy/charts/airlock-microgateway-cni -f ./microgateway/deploy/cni/<environment>/values.yaml
Verify the Airlock Microgateway CNI plugin installation
A proper installation of the Microgateway CNI plugin is crucial. If not installed properly, the web application could be exposed unprotected.
Follow the instructions below to verify that the Microgateway CNI plugin installation was successful.
- Check that the Airlock Microgateway CNI DaemonSet is in
Runningstate. - The log messages must show that the installation is up-to-date.
copy
kubectl -n kube-system get daemonsets.apps airlock-microgateway-cni
Example output:
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE airlock-microgateway-cni 1 1 1 1 1 kubernetes.io/os=linux 9m21s
copy
kubectl -n kube-system get pods -l app.kubernetes.io/name=airlock-microgateway-cni
Example output:
NAME READY STATUS RESTARTS AGE airlock-microgateway-cni-jbgp6 1/1 Running 0 11m
copy
kubectl logs -n kube-system -l "app.kubernetes.io/instance=airlock-microgateway-cni" --prefix=true
Example output:
details...
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.399Z","message":"Copied CNI Binary"}
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Written kubeconfig file"}
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Reconciled Airlock Microgateway CNI plugin Installation"}
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.416Z","message":"Reconciling Airlock Microgateway CNI plugin Installation"}
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.530Z","message":"Airlock Microgateway CNI plugin Installation is up-to-date"} 
Ensure that all Airlock Microgateway CNI Pods were successfully deployed.
Deploy Airlock Microgateway
- Deploy the Airlock Microgateway
CustomResourceDefinitions: - Deploy the Airlock Microgateway roles:
- Deploy the Airlock Microgateway Operator:
- Verify that the Airlock Microgateway Operator started successfully:
copy
kubectl apply -k https://github.com/airlock/microgateway/deploy/crds/
copy
kubectl apply -k https://github.com/airlock/microgateway/deploy/crd-rbac/
copy
kubectl apply -k https://github.com/airlock/microgateway/deploy/deployment/
copy
kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m
ClusterRoles to interact with Airlock Microgateway CustomResources
The Kubernetes manifest file contains two ClusterRoles for each CRD. One with viewer and one with editor rights.
They follow the naming schema as described below:
airlock-microgateway-operator-<CRD name>-editor airlock-microgateway-operator-<CRD name>-viewer
As example for the CRD SidecarGateway:
airlock-microgateway-operator-sidecargateway-editor airlock-microgateway-operator-sidecargateway-viewer
Users who must be able to create and view Airlock Microgateway CRs need the required -editor ClusterRoles assigned to their user. Users who only need to view (read-only rights) Airlock Microgateway CRs need the required -viewer ClusterRoles assigned to their user.
Because each CRD has its own ClusterRoles, Administrators can grant access fine granular.
What's next
- After deploying the Airlock Microgateway Operator in your Cluster, the following steps are required:
- Annotate the web application Pods to protect as explained in Annotations for Microgateway Engine injection.
- Create the
CustomResourcesto configure the Airlock Microgateway as outlined in Configuration.