Labels and annotations for Airlock Microgateway

Label to inject Microgateway Engine in application Pods

The Microgateway Operator injects the Microgateway Engine container into the upstream application Pods that carry the following label:

sidecar.microgateway.airlock.com/inject: "true"

See also the example manifests with and without Istio mesh configuration at the end of this article.

Adding the label to an existing, running Pod has no effect. Use kubectl apply -f <deployment.yaml> to apply the configuration changes and to have the Microgateway Engine injected via a Deployment.

Annotations for the Microgateway Operator

Annotations can be added to configure some general behavior of the injected container. The list below explains the annotations the Microgateway Operator is aware of.

Annotation: sidecar.microgateway.airlock.com/excludeInboundPorts
Default: ""
Possible values: "<int>, ..."
Description: Comma-separated list of inbound ports to be excluded from redirection to the Microgateway Engine by the Microgateway CNI plugin.
The default ports of the Istio sidecar proxy are excluded automatically when the annotation sidecar.microgateway.airlock.com/serviceMesh: istio is set, i.e. the ports:
  • 15000, 15001
  • 15004
  • 15006
  • 15008, 15009
  • 15020, 15021
  • 15053
  • 15090

Annotation: sidecar.microgateway.airlock.com/serviceMesh
Default: none
Possible values: none, istio
Description: Sets which service mesh is used. The Microgateway CNI plugin needs this information to configure the redirection of traffic to the Microgateway Engine correctly.

Annotation: sidecar.microgateway.airlock.com/engineLogLevel
Default: info
Possible values: trace, debug, info, warn, error, critical, off
Description: Sets the Microgateway Engine log level.

Annotation: sidecar.microgateway.airlock.com/engineCpuRequests
Default: absent; the defaults specified in the engineContainerTemplate are used
Possible values: 1, 100m, 0.5, ...
Description: Sets the CPU requests for the Microgateway Engine by replacing the template value for spec.containers['microgateway-engine'].resources.requests.cpu. Requested CPU resources are reserved when starting the Microgateway Engine and are guaranteed to be granted.

Annotation: sidecar.microgateway.airlock.com/engineCpuLimits
Default: absent; the defaults specified in the engineContainerTemplate are used
Possible values: 1, 100m, 0.5, ... (any CPU resource unit can be used)
Description: Sets the CPU limit for the Microgateway Engine by replacing the template value for spec.containers['microgateway-engine'].resources.limits.cpu. CPU usage of the Microgateway Engine exceeding the configured limit will result in throttling.

Annotation: sidecar.microgateway.airlock.com/engineMemoryRequests
Default: absent; the defaults specified in the engineContainerTemplate are used
Possible values: 64Mi, 1G, ... (any Kubernetes memory resource unit can be used)
Description: Sets the memory requests for the Microgateway Engine by replacing the template value for spec.containers['microgateway-engine'].resources.requests.memory. Requested memory resources are reserved when starting the Microgateway Engine and are guaranteed to be granted.

Annotation: sidecar.microgateway.airlock.com/engineMemoryLimits
Default: absent; the defaults specified in the engineContainerTemplate are used
Possible values: 128Mi, 1G, ... (any Kubernetes memory resource unit can be used)
Description: Sets the memory limit for the Microgateway Engine by replacing the template value for spec.containers['microgateway-engine'].resources.limits.memory. If the Microgateway Engine tries to use more memory, the Pod will be terminated. If the cluster node runs out of memory and the Microgateway Engine uses more than the configured requested amount of memory, the Pod will be terminated as well.
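Because a wrong annotation value is only noticed after the Operator has injected the Engine (or silently ignored), it pays to lint the Pod template before kubectl apply. The following script is an added example and not Airlock's code: it checks a Deployment's Pod template against the values listed above, computes the set of inbound ports the CNI plugin will leave unredirected (explicit list plus the Istio defaults when serviceMesh is istio), and applies the Kubernetes rule that requests must not exceed limits to the resource annotations. The Istio injection annotation sidecar.istio.io/inject and the quantity grammar are standard Kubernetes and Istio; the sample template is constructed and carries one deliberate mistake.

```python
"""Pre-apply lint for the Microgateway sidecar label and annotations (added example,
not Airlock's code): checks a Deployment's Pod template against the annotation
reference above and computes which inbound ports stay unredirected."""
import re

PREFIX = "sidecar.microgateway.airlock.com/"
INJECT_LABEL = PREFIX + "inject"
ISTIO_INJECT = "sidecar.istio.io/inject"  # Istio's own injection annotation
# Istio sidecar ports that the CNI plugin excludes automatically when serviceMesh is "istio".
ISTIO_DEFAULT_PORTS = frozenset(
    {15000, 15001, 15004, 15006, 15008, 15009, 15020, 15021, 15053, 15090})
LOG_LEVELS = {"trace", "debug", "info", "warn", "error", "critical", "off"}
MEM_MULT = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
            "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_exclude_ports(value):
    """'9998, 9999' -> {9998, 9999}; '' -> set(); ValueError on a non-port entry."""
    ports = set()
    for item in (p.strip() for p in value.split(",") if p.strip()):
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port {item!r} in excludeInboundPorts")
        ports.add(int(item))
    return ports


def effective_excluded_ports(annotations):
    """Ports the CNI plugin will not redirect to the Engine: explicit list + Istio defaults."""
    ports = parse_exclude_ports(annotations.get(PREFIX + "excludeInboundPorts", ""))
    if annotations.get(PREFIX + "serviceMesh", "none") == "istio":
        ports |= ISTIO_DEFAULT_PORTS
    return ports


def cpu_millicores(quantity):
    """Kubernetes CPU quantity -> millicores: '100m' -> 100, '0.5' -> 500, '1' -> 1000."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m?)", quantity)
    if not m:
        raise ValueError(f"invalid CPU quantity {quantity!r}")
    return int(float(m.group(1))) if m.group(2) else int(round(float(m.group(1)) * 1000))


def memory_bytes(quantity):
    """Kubernetes memory quantity -> bytes: '64Mi' -> 67108864, '1G' -> 1000000000."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMGT]i?)?", quantity)
    if not m:
        raise ValueError(f"invalid memory quantity {quantity!r}")
    return int(float(m.group(1)) * MEM_MULT[m.group(2) or ""])


def lint_pod_template(template):
    """Findings for template = deployment['spec']['template']; an empty list means clean."""
    findings = []
    labels = template.get("metadata", {}).get("labels", {})
    ann = template.get("metadata", {}).get("annotations", {})
    if labels.get(INJECT_LABEL) != "true":
        findings.append(f'label {INJECT_LABEL}: "true" missing; the Engine will not be injected')
    mesh = ann.get(PREFIX + "serviceMesh", "none")
    # Without Istio the Pod must not get an Istio sidecar; with serviceMesh istio it must.
    if mesh == "none" and ann.get(ISTIO_INJECT) == "true":
        findings.append("serviceMesh is none but Istio sidecar injection is enabled on the Pod")
    if mesh == "istio" and ann.get(ISTIO_INJECT) == "false":
        findings.append("serviceMesh is istio but Istio sidecar injection is disabled on the Pod")
    level = ann.get(PREFIX + "engineLogLevel", "info")
    if level not in LOG_LEVELS:
        findings.append(f"engineLogLevel {level!r} is not one of {sorted(LOG_LEVELS)}")
    try:
        parse_exclude_ports(ann.get(PREFIX + "excludeInboundPorts", ""))
    except ValueError as exc:
        findings.append(str(exc))
    # The resource annotations replace the Engine container's values, so the usual
    # Kubernetes rule "requests <= limits" must hold whenever both are set here.
    for kind, parse in (("Cpu", cpu_millicores), ("Memory", memory_bytes)):
        parsed = {}
        for part in ("Requests", "Limits"):
            raw = ann.get(f"{PREFIX}engine{kind}{part}")
            if raw is not None:
                try:
                    parsed[part] = parse(raw)
                except ValueError as exc:
                    findings.append(str(exc))
        if len(parsed) == 2 and parsed["Requests"] > parsed["Limits"]:
            findings.append(f"engine{kind}Requests exceeds engine{kind}Limits")
    return findings


# Constructed sample: the Istio example manifest from this page plus one deliberate mistake.
SAMPLE_TEMPLATE = {
    "metadata": {
        "annotations": {
            PREFIX + "excludeInboundPorts": "9998,9999",
            PREFIX + "serviceMesh": "istio",
            PREFIX + "engineCpuRequests": "500m",
            PREFIX + "engineCpuLimits": "0.25",  # below the request: the API server rejects this
            ISTIO_INJECT: "true",
        },
        "labels": {INJECT_LABEL: "true", "app": "echo-server"},
    },
}

if __name__ == "__main__":
    for finding in lint_pod_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
    print(sorted(effective_excluded_ports(SAMPLE_TEMPLATE["metadata"]["annotations"])))
```

The requests/limits comparison is only made when both annotations are present, because the template defaults that an absent annotation falls back to are not visible to the script. Run it against the sample to see the one finding, or load your own template from a JSON dump of the Deployment (kubectl get deployment <name> -o json) and pass spec.template to lint_pod_template.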

Example configuration for a web application without Istio

The following example Kubernetes manifest file contains annotations to protect the web application with Airlock Microgateway.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo-server
  name: echo-server
spec:
  selector:
    matchLabels:
      app: echo-server
  template:
    metadata:
      annotations:
        sidecar.microgateway.airlock.com/excludeInboundPorts: "9998,9999"
        sidecar.microgateway.airlock.com/serviceMesh: "none"
      labels:
        sidecar.microgateway.airlock.com/inject: "true"
        app: echo-server
        version: 1.0.0
    spec:
      containers:
        - image: ealen/echo-server:latest
          name: echo-server
          ports:
            - containerPort: 5051

Ensure that in such a setup the annotation sidecar.microgateway.airlock.com/serviceMesh is set to none or not set at all.

SidecarGateway configuration to protect a web application:
  • Our example uses a simple web application Pod with the label app: example-app.
  • The spec.applications.containerPort is the container port of the web application that has to be secured by Airlock Microgateway. The default 8080 can be overridden to connect to the application's HTTP port. In our example, the example-app Pod listens for requests on port 5051.
  • The security settings to be applied are referenced in the CR ContentSecurity named content-security-example.

This setup is still possible if Istio is deployed in your Kubernetes cluster. The important point is that the web application Pod must not have Istio injected, neither through labeling the namespace nor through the corresponding Pod annotation. For more information consult (Istio) Sidecar injection.

Example for a web application with Istio

The following example Kubernetes manifest file contains annotations to protect the web application with Airlock Microgateway alongside Istio service mesh:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo-server
  name: echo-server
spec:
  selector:
    matchLabels:
      app: echo-server
  template:
    metadata:
      annotations:
        sidecar.microgateway.airlock.com/excludeInboundPorts: "9998,9999"
        sidecar.microgateway.airlock.com/serviceMesh: "istio"
        sidecar.istio.io/inject: "true"
      labels:
        sidecar.microgateway.airlock.com/inject: "true"
        app: echo-server
        version: 1.0.0
    spec:
      containers:
        - image: ealen/echo-server:latest
          name: echo-server
          ports:
            - containerPort: 5051

Ensure that in such a setup the annotation sidecar.microgateway.airlock.com/serviceMesh is set to istio.

SidecarGateway configuration to protect a web application:
  • Our example uses a simple web application Pod with the label app: example-app.
  • The spec.applications.containerPort is the container port of the web application that has to be secured by Airlock Microgateway. The default 8080 can be overridden to connect to the application's HTTP port. In our example, the example-app Pod listens for requests on port 5051.
  • The security settings to be applied are referenced in the CR ContentSecurity named content-security-example.

The web application Pod has Istio injected; the example achieves this by annotating the Pod. For more information consult (Istio) Sidecar injection.
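Both example manifests only take effect when the Pods are (re)created, and the Istio state of the Pod must match the serviceMesh annotation, so the useful check after kubectl apply is on the running Pods rather than on the manifest. The script below is an added example and not Airlock's code: it reads the JSON of kubectl get pods -o json (the sample embedded here is constructed), verifies that the Engine container named microgateway-engine from the annotation reference above was injected and is ready, and flags a Pod that has an Istio sidecar while serviceMesh is none, or none while serviceMesh is istio. The Istio sidecar container name istio-proxy is Istio's convention, not something this page states.

```python
"""Post-deployment check for an Airlock Microgateway protected Pod (added example, not
Airlock's code): given the JSON of `kubectl get pods -o json`, verify that the Engine
was actually injected and that the Istio sidecar state matches serviceMesh."""
import json
import sys

ENGINE_CONTAINER = "microgateway-engine"  # container name from the annotation reference above
ISTIO_PROXY_CONTAINER = "istio-proxy"    # Istio's sidecar container name (Istio convention)
INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"
MESH_ANNOTATION = "sidecar.microgateway.airlock.com/serviceMesh"


def check_pod(pod):
    """Return a list of findings for one Pod object; an empty list means the Pod is as expected."""
    findings = []
    meta = pod.get("metadata", {})
    labels, ann = meta.get("labels", {}), meta.get("annotations", {})
    containers = {c["name"] for c in pod.get("spec", {}).get("containers", [])}
    ready = {s["name"]: s.get("ready", False)
             for s in pod.get("status", {}).get("containerStatuses", [])}
    wants_engine = labels.get(INJECT_LABEL) == "true"
    mesh = ann.get(MESH_ANNOTATION, "none")

    if wants_engine and ENGINE_CONTAINER not in containers:
        # Typical cause: the label was added to a running Pod; injection only happens on creation.
        findings.append("inject label set but no Engine container: re-apply the Deployment")
    if not wants_engine and ENGINE_CONTAINER in containers:
        findings.append("Engine container present although the inject label is not true")
    if ENGINE_CONTAINER in containers and not ready.get(ENGINE_CONTAINER, False):
        findings.append("Engine container is not ready; check its logs before sending traffic")
    has_istio = ISTIO_PROXY_CONTAINER in containers
    if mesh == "none" and has_istio:
        findings.append("serviceMesh is none but the Pod has an Istio sidecar: redirection will be wrong")
    if mesh == "istio" and not has_istio:
        findings.append("serviceMesh is istio but the Pod has no Istio sidecar")
    return findings


def check_pod_list(pod_list):
    """Map pod name -> findings for the output of `kubectl get pods -o json`."""
    return {p["metadata"]["name"]: check_pod(p) for p in pod_list.get("items", [])}


# Constructed sample: one healthy non-Istio Pod and one Pod whose label was added after creation.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "echo-server-1", "labels": {INJECT_LABEL: "true"},
                  "annotations": {MESH_ANNOTATION: "none"}},
     "spec": {"containers": [{"name": "echo-server"}, {"name": ENGINE_CONTAINER}]},
     "status": {"containerStatuses": [{"name": "echo-server", "ready": True},
                                      {"name": ENGINE_CONTAINER, "ready": True}]}},
    {"metadata": {"name": "echo-server-2", "labels": {INJECT_LABEL: "true"},
                  "annotations": {MESH_ANNOTATION: "none"}},
     "spec": {"containers": [{"name": "echo-server"}]},
     "status": {"containerStatuses": [{"name": "echo-server", "ready": True}]}},
]}

if __name__ == "__main__":
    # Usage: kubectl get pods -l app=echo-server -o json | python3 check_injection.py
    pods = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for name, findings in check_pod_list(pods).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Without piped input the script evaluates the constructed sample, which reports echo-server-2 as missing the Engine container, the situation described above where the label was added to a running Pod.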