To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources.


  • To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. To request and configure/change a license, see the article Licensing and license-dependent behavior.
  • Deploy the cert-manager in your Kubernetes cluster.

For an easy start in non-production environments, you may deploy the same cert-manager we are using for internal testing. Note that the files provided are not intended for production use! Consult the manual for productive environments (Kubernetes) Install cert-manager.

# Deploy the cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/

# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager

Deploy Airlock Microgateway CNI plugin

We recommend using the CNI Helm chart to install the Microgateway CNI Daemon Set and the necessary manifests described under method 1. If you want to customize the installation with the values.yaml file, follow the instructions of method 2.
After installation, follow the steps described in Verification to verify the correct installation of the CNI plugin.

If the Microgateway CNI plugin is not installed properly, the web application could be exposed unprotected.

  1. Method 1
  2. Choose the <environment> and run the following command:
  3. copy
    kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl apply -f -
  1. Method 2
  2. Clone the git repository.
  3. copy
    git clone https://github.com/airlock/microgateway.git
  4. Make your changes in the values.yaml file as required.
  5. Choose the <environment> and run the following command:
  6. copy
    helm install -n kube-system airlock-microgateway-cni ./microgateway/deploy/charts/airlock-microgateway-cni -f ./microgateway/deploy/cni/<environment>/values.yaml

Verify the Airlock Microgateway CNI plugin installation

A proper installation of the Microgateway CNI plugin is crucial. If not installed properly, the web application could be exposed unprotected.

Follow the instructions below to verify that the Microgateway CNI plugin installation was successful.

  1. Check that the Airlock Microgateway CNI DaemonSet is in Running state.
  2. copy
    kubectl -n kube-system get daemonsets.apps airlock-microgateway-cni

    Example output:

    NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE 
    airlock-microgateway-cni   1         1         1       1            1           kubernetes.io/os=linux   9m21s
    kubectl -n kube-system get pods -l app.kubernetes.io/name=airlock-microgateway-cni

    Example output:

    NAME                             READY   STATUS    RESTARTS   AGE 
    airlock-microgateway-cni-jbgp6   1/1     Running   0          11m
  3. The log messages must show that the installation is up-to-date.
  4. copy
    kubectl logs -n kube-system -l "app.kubernetes.io/instance=airlock-microgateway-cni" --prefix=true

    Example output:

    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.399Z","message":"Copied CNI Binary"} 
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Written kubeconfig file"} 
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Reconciled Airlock Microgateway CNI plugin Installation"} 
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.416Z","message":"Reconciling Airlock Microgateway CNI plugin Installation"} 
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.530Z","message":"Airlock Microgateway CNI plugin Installation is up-to-date"}  

    Ensure that all Airlock Microgateway CNI Pods were successfully deployed.

Deploy Airlock Microgateway

  1. Deploy the Airlock Microgateway CustomResourceDefinitions:
  2. copy
    kubectl apply -k https://github.com/airlock/microgateway/deploy/crds/
  3. Deploy the Airlock Microgateway roles:
  4. copy
    kubectl apply -k https://github.com/airlock/microgateway/deploy/crd-rbac/
  5. Deploy the Airlock Microgateway Operator:
  6. copy
    kubectl apply -k https://github.com/airlock/microgateway/deploy/deployment/
  7. Verify that the Airlock Microgateway Operator started successfully:
  8. copy
    kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m

ClusterRoles to interact with Airlock Microgateway CustomResources

The Kubernetes manifest file contains two ClusterRoles for each CRD. One with viewer and one with editor rights.
They follow the naming schema as described below:

airlock-microgateway-operator-<CRD name>-editor 
airlock-microgateway-operator-<CRD name>-viewer

As example for the CRD SidecarGateway:


Users who must be able to create and view Airlock Microgateway CRs need the required -editor ClusterRoles assigned to their user. Users who only need to view (read-only rights) Airlock Microgateway CRs need the required -viewer ClusterRoles assigned to their user.

Because each CRD has its own ClusterRoles, Administrators can grant access fine granular.

What's next

  1. After deploying the Airlock Microgateway Operator in your Cluster, the following steps are required:
  2. Annotate the web application Pods to protect as explained in Annotations for Microgateway Engine injection.
  3. Create the CustomResources to configure the Airlock Microgateway as outlined in Configuration.