Microgateway CNI

The Microgateway CNI DaemonSet should be installed in the kube-system Namespace. This should be done using our CNI Helm chart.
The CNI Helm chart also installs a ServiceAccount with the ClusterRole, ClusterRoleBinding and a ConfigMap. Additionally, it can install Role and RoleBinding used for SCC and a NetworkAttachmentDefinition needed in OpenShift.

After the installation, the airlock-microgateway-cni DaemonSet runs in the kube-system Namespace and deploys one Microgateway CNI plugin to every Node. Once the Microgateway CNI plugin is installed on a Node, it configures the network inside every Pod that contains a Microgateway Engine, each time such an Engine is created.

Customizing the installation

The default installation values like the image registry and image name can be looked up and modified to your needs in the values.yaml file of the CNI Helm chart. For detailed information about the default configuration values and their meanings, see the explanations in the values.yaml file.

  • Ensure that the replaced Airlock Microgateway images are always specified in the Kubernetes manifest files with a tag and a digest.

Preset environments

Different preset environments are available for the CNI Helm chart. When choosing one of the presets, the Helm chart installs the CNI plugin with working default configurations. Check the folder /microgateway/deploy/cni/ for the available presets.

These presets are tested in our environments. Depending on your setup, the values you need may differ from them.

Installation

We recommend using the CNI Helm chart to install the Microgateway CNI DaemonSet and the necessary manifests as described under Method 1. If you want to customize the installation with the values.yaml file, follow the instructions of Method 2.
After installation, follow the steps described in Verification to verify the correct installation of the CNI plugin.

If the Microgateway CNI plugin is not installed properly, the web application could be exposed unprotected.

Method 1

  1. Choose the <environment> and run the following command:

    kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl apply -f -

Method 2

  1. Clone the git repository.

    git clone https://github.com/airlock/microgateway.git

  2. Make your changes in the values.yaml file as required.
  3. Choose the <environment> and run the following command:

    helm install -n kube-system airlock-microgateway-cni ./microgateway/deploy/charts/airlock-microgateway-cni -f ./microgateway/deploy/cni/<environment>/values.yaml

Verification

A proper installation of the Microgateway CNI plugin is crucial. If not installed properly, the web application could be exposed unprotected.

Follow the instructions below to verify that the Microgateway CNI plugin installation was successful.

  1. Check that the Airlock Microgateway CNI DaemonSet is in Running state.

    kubectl -n kube-system get daemonsets.apps airlock-microgateway-cni

    Example output:

    NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
    airlock-microgateway-cni   1         1         1       1            1           kubernetes.io/os=linux   9m21s

    kubectl -n kube-system get pods -l app.kubernetes.io/name=airlock-microgateway-cni

    Example output:

    NAME                             READY   STATUS    RESTARTS   AGE
    airlock-microgateway-cni-jbgp6   1/1     Running   0          11m

  2. The log messages must show that the installation is up-to-date.

    kubectl logs -n kube-system -l "app.kubernetes.io/instance=airlock-microgateway-cni" --prefix=true

    Example output:

    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.399Z","message":"Copied CNI Binary"}
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Written kubeconfig file"}
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.400Z","message":"Reconciled Airlock Microgateway CNI plugin Installation"}
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.416Z","message":"Reconciling Airlock Microgateway CNI plugin Installation"}
    [pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.530Z","message":"Airlock Microgateway CNI plugin Installation is up-to-date"}

    Ensure that all Airlock Microgateway CNI Pods were successfully deployed.

After installing the Airlock Microgateway Operator

  1. Secure a web application with Airlock Microgateway and check the annotations of its Pod. They must contain the annotation microgateway.airlock.com/network-ready with the value "true":

    kubectl get pod <POD> -o jsonpath='{.metadata.annotations}'

  2. Check whether the traffic is filtered:
    • Send a request to the web application.
    • Check the Microgateway logs to see whether the request has been logged.

    kubectl logs <POD> -c airlock-microgateway-engine

    Example output:

    { 
      "@timestamp": "2023-09-26T07:30:33.653+0000", 
      "ecs": { 
        "version": "8.5" 
      }, 
      "observer": { 
        "version": "4.0.2", 
        "product": "Airlock Microgateway", 
        "type": "waap", 
        "vendor": "Ergon Informatik AG" 
      }, 
      "log": { 
        "logger": "access", 
        "level": "info" 
      }, 
      "http": { 
        "version": "1.1", 
        "response": { 
          "status_code": 302, 
          "body": { 
            "bytes": 359 
          }, 
          "mime_type": "text/html", 
          "bytes": 1614 
        }, 
        "request": { 
          "id": "eaf65c64e9df3dbd07d32d211a58df71", 
          "bytes": 913, 
          "method": "GET", 
          "referrer": "https://myapp.com/", 
          "body": { 
            "bytes": 0 
          } 
        } 
      }, 
      "airlock": { 
        "response": { 
          "details": "ext_authz_denied", 
          "flags": "UAEX" 
        }, 
        "log_correlation": "[C1734][S14010283080019998636]", 
        "http": { 
          "response": { 
            "redirect_url": "" 
          }, 
          "request": { 
            "accept_language": "en-US,en;q=0.9,de-CH;q=0.8,de-DE;q=0.7,de;q=0.6" 
          } 
        } 
      }, 
      ...
      ...   
    }
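The verification steps above (DaemonSet state, installer log, network-ready annotation, engine access log) can be turned into pass/fail checks that are easy to run after every cluster change. The script below is an added example and is not part of the Airlock documentation or product. Each check reads the output of the corresponding kubectl command from stdin, so it works both with a live cluster and with the constructed samples embedded at the bottom. It assumes that the table and log formats match the example output on this page, that the engine access log is emitted as JSON containing "logger":"access", and that kubectl prints the annotation map from the jsonpath query as compact JSON; the function names and sample values are mine.

```shell
#!/bin/sh
# Added example (not from the Airlock documentation): the CNI verification
# steps as shell functions. Each function reads kubectl output on stdin and
# returns 0 (pass) or 1 (fail).

# Step 1a: DaemonSet table must show DESIRED > 0 and DESIRED == READY == AVAILABLE.
# Columns: NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset_ready() {
    awk 'NR == 2 { ok = ($2 > 0 && $2 == $4 && $2 == $6) } END { exit !ok }'
}

# Step 1b: every CNI Pod must be Running with all containers ready (READY is n/n).
pods_running() {
    awk 'NR > 1 {
             n++
             split($2, r, "/")
             if ($3 != "Running" || r[1] != r[2]) bad++
         }
         END { exit !(n > 0 && bad == 0) }'
}

# Step 2: the cni-installer log must contain the up-to-date message.
cni_up_to_date() {
    grep -q 'Airlock Microgateway CNI plugin Installation is up-to-date'
}

# Operator step 1: the protected Pod must carry the network-ready annotation
# (assumes kubectl prints the jsonpath map as compact JSON).
pod_network_ready() {
    grep -q '"microgateway.airlock.com/network-ready":"true"'
}

# Operator step 2: the engine container must have written an access log
# entry for the request, i.e. the request was seen by the Microgateway Engine.
request_logged() {
    grep -q '"logger": *"access"'
}

# Runs all checks against a live cluster. $1 is the Pod of the protected
# application (the <POD> placeholder from the documentation).
verify_live() {
    kubectl -n kube-system get daemonsets.apps airlock-microgateway-cni | daemonset_ready &&
    kubectl -n kube-system get pods -l app.kubernetes.io/name=airlock-microgateway-cni | pods_running &&
    kubectl logs -n kube-system -l "app.kubernetes.io/instance=airlock-microgateway-cni" | cni_up_to_date &&
    kubectl get pod "$1" -o jsonpath='{.metadata.annotations}' | pod_network_ready &&
    kubectl logs "$1" -c airlock-microgateway-engine | request_logged
}

# Constructed samples, modelled on the example output in the documentation.
SAMPLE_DS='NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
airlock-microgateway-cni   1         1         1       1            1           kubernetes.io/os=linux   9m21s'
SAMPLE_DS_BAD='NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
airlock-microgateway-cni   2         2         1       2            1           kubernetes.io/os=linux   9m21s'
SAMPLE_PODS='NAME                             READY   STATUS    RESTARTS   AGE
airlock-microgateway-cni-jbgp6   1/1     Running   0          11m'
SAMPLE_PODS_BAD='NAME                             READY   STATUS             RESTARTS   AGE
airlock-microgateway-cni-jbgp6   0/1     CrashLoopBackOff   4          11m'
SAMPLE_LOG='[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.399Z","message":"Copied CNI Binary"}
[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.530Z","message":"Airlock Microgateway CNI plugin Installation is up-to-date"}'
SAMPLE_LOG_BAD='[pod/airlock-microgateway-cni-jbgp6/cni-installer] {"log":{"level":"info","logger":"airlock-microgateway-cni-installer"},"@timestamp":"2023-09-26T07:16:43.416Z","message":"Reconciling Airlock Microgateway CNI plugin Installation"}'
SAMPLE_ANN='{"microgateway.airlock.com/network-ready":"true","example.com/other":"x"}'
SAMPLE_ANN_BAD='{"example.com/other":"x"}'
SAMPLE_ACCESS='{"@timestamp":"2023-09-26T07:30:33.653+0000","log":{"logger":"access","level":"info"},"http":{"request":{"method":"GET"}}}'

# Prints a one-line result for a check fed from stdin, e.g.
#   printf '%s\n' "$SAMPLE_DS" | report daemonset daemonset_ready
report() {
    name=$1
    shift
    if "$@"; then echo "$name: ok"; else echo "$name: FAILED"; fi
}

# Demo against the constructed samples; for a real cluster call: verify_live <POD>
printf '%s\n' "$SAMPLE_DS"     | report daemonset      daemonset_ready
printf '%s\n' "$SAMPLE_PODS"   | report pods           pods_running
printf '%s\n' "$SAMPLE_LOG"    | report installer-log  cni_up_to_date
printf '%s\n' "$SAMPLE_ANN"    | report annotation     pod_network_ready
printf '%s\n' "$SAMPLE_ACCESS" | report access-log     request_logged
```

The checks are deliberately strict in the direction that matters for protection: a DaemonSet whose READY or AVAILABLE count is below DESIRED fails, because a Node without a working CNI Pod is exactly the situation in which an Engine Pod could be created without its network configuration and the application exposed unprotected.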