Within the Kubernetes cluster, the Microgateway Operator container injects and operates the Airlock Microgateway containers in the Web application Pod. This section shows how these pieces are connected together and what exactly is modified and done by the Microgateway Operator. It also covers the network configuration task of the Microgateway CNI plugin, which configures the network routing through Microgateway Engine sidecars within Web application Pods.
The following example illustrates the setup when no service mesh is used. The setup shows two namespaces, one for the Microgateway Operator Pod and a second one with the Web application Pod.
- Initial Microgateway Operator configuration
- The Microgateway Operator reads its configuration from the Microgateway Operator Configuration at startup. The configuration contains settings like the templates used to inject the Microgateway containers.
- The Microgateway Operator watches for events such as Pod create, update , or delete.
- Steps to secure a Web application Pod in the Namespace X:
- Create a Custom Resource
ContentSecurity
in the namespace of the Web application with the required references to additional CRs such asDenyRules
. - Create a second Custom Resource of the kind
SidecarGateway
in the Web application's namespace and refer to the Custom ResourceContentSecurity
created previously. - Configure the container port in the Custom Resource
SidecarGateway
, which should be protected. Ensure that it is the same port as in the Pod specification. - Configure the
podSelector
to match the Web application Pods, which should be protected in the Custom ResourceSidecarGateway
. Ensure that it corresponds to the labels in the Pod specification. - Label the Web application Pod with
sidecar.microgateway.airlock.com/inject: "true"
. - The Microgateway Operator and the Microgateway CNI plugin are triggered by the creation of the Pod with the sidecar label previously.
- The Operator:
- Injects the sidecar container Microgateway Engine with the bootstrap configuration. The exact content is retrieved from the Operator ConfigMap.
- The Microgateway CNI plugin:
- Configures the network inside the Web application Pod, so that all traffic is routed through the Microgateway Engine sidecar.
- The Microgateway Engine subscribes to the configuration from the Microgateway Operator. The Microgateway Operator generates the configuration based on the Custom Resources such as
SidecarGateway
and the referenced resources.
- The example describes the most simple setup. Although not outlined explicitly, the following things are possible:
- Create a Kubernetes Deployment, StatefulSet, or DaemonSet and annotate the Pod with Microgateway annotations in
spec.template.metadata.annotations
and set theinject
label. - Configure other Microgateway annotations described in this manual.