To use Airlock Microgateway in your Kubernetes or OpenShift cluster with Istio, follow this guide to deploy the Airlock Microgateway Operator and its resources.
Prerequisites
- To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. To request and configure/change a license, see the article Licensing and license-dependent behavior.
- Istio has been deployed as described in the (Istio) Documentation.
Deploy Airlock Microgateway
- Ensure that the Airlock Microgateway Operator and the Airlock Microgateway CNI do not have Istio injected, neither through a label on the namespace nor through the corresponding annotation.
  For more information, consult (Istio) Sidecar injection.
- Depending on which Kubernetes distribution you are using, complete the instructions in the corresponding installation guide:
  - For Kubernetes, follow this guide: Kubernetes
  - For OpenShift, follow this guide: OpenShift
- Airlock Microgateway should be up and running.
What's next
- After deploying the Airlock Microgateway Operator in your Kubernetes Cluster, the following steps are required:
- Configure/change the Airlock Microgateway license. See article Licensing and license-dependent behavior.
- Annotate the web application Pods to protect as explained in Labels and annotations for Airlock Microgateway.
- Create the CustomResources to configure the Airlock Microgateway as outlined in Configuration.
- If Istio meshConfig.outboundTrafficPolicy.mode is set to the non-default value REGISTRY_ONLY, create the ServiceEntry resources with the ports described in Network communication to allow network traffic to the services.
- In case Istio is configured for mTLS and rewriteAppHTTPProbers is disabled, exclude the Microgateway Engine probes and metrics endpoint. This can be achieved by annotating the Pod with:
Example:
Port 19001 is the probes' endpoint, while port 19002 is the metrics' endpoint.
When Istio is configured to rewrite the probes endpoints, it adds the environment variable ISTIO_KUBE_APP_PROBERS to the container. This variable contains the original probes' endpoint of the container. A missing ISTIO_KUBE_APP_PROBERS environment variable indicates that Istio could not rewrite the probes endpoint or that probe rewriting is disabled altogether.
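
The check described above can be automated against Pod objects. The following is an added example, not part of the Airlock or Istio documentation. It assumes mTLS is enabled in the mesh and that ports are excluded with Istio's traffic.sidecar.istio.io/excludeInboundPorts annotation, which is not shown on this page; the function names and sample Pods are constructed for illustration.

```python
# Constructed example; pod dicts mirror `kubectl get pod -o json` output.
ENGINE_PORTS = {19001: "probes", 19002: "metrics"}  # ports named on the page
REWRITE_ENV = "ISTIO_KUBE_APP_PROBERS"
# Assumption: Istio's inbound-port exclusion annotation (not shown on the page).
EXCLUDE_ANNOTATION = "traffic.sidecar.istio.io/excludeInboundPorts"


def probes_rewritten(pod):
    """True if any container carries ISTIO_KUBE_APP_PROBERS."""
    spec = pod.get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return any(e.get("name") == REWRITE_ENV
               for c in containers for e in (c.get("env") or []))


def excluded_ports(pod):
    """Ports listed in the exclusion annotation (comma-separated string)."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(EXCLUDE_ANNOTATION, "")
    return {int(p) for p in (s.strip() for s in raw.split(",")) if p.isdigit()}


def audit(pod):
    """Return one finding per Engine port that still passes through the sidecar."""
    if probes_rewritten(pod):
        return []  # Istio rewrote the probes; the page's exclusion case does not apply
    missing = sorted(set(ENGINE_PORTS) - excluded_ports(pod))
    return [f"port {p} ({ENGINE_PORTS[p]}) not excluded" for p in missing]


def make_pod(env=None, annotations=None):
    """Build a minimal constructed Pod object for the demo."""
    return {"metadata": {"name": "demo", "annotations": annotations or {}},
            "spec": {"containers": [{"name": "istio-proxy", "env": env or []}]}}


REWRITTEN = make_pod(env=[{"name": REWRITE_ENV, "value": "{}"}])
UNPROTECTED = make_pod()
PARTIAL = make_pod(annotations={EXCLUDE_ANNOTATION: "19001"})
EXCLUDED = make_pod(annotations={EXCLUDE_ANNOTATION: "19001, 19002"})

if __name__ == "__main__":
    for label, pod in [("rewritten", REWRITTEN), ("unprotected", UNPROTECTED),
                       ("partial", PARTIAL), ("excluded", EXCLUDED)]:
        print(label, audit(pod) or "ok")
```

To audit a running workload, load the JSON produced by kubectl get pod <name> -o json and pass the resulting dict to audit().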