This article shows the architecture of a small Cilium setup with a single Airlock Microgateway-protected web application deployed in a Kubernetes cluster. Cilium is deployed to provide its features for the lower OSI layers (routing, observability, ...) using eBPF. Airlock Microgateway adds security on layer 7 as a WAAP (web application and API protection, formerly known as WAF, web application firewall).
The simple example shows a setup with a single web application, the Microgateway Operator and the Cilium agent on a single Node. The Microgateway Engine is injected into the Web application Pod as a sidecar.
- The Microgateway Operator container injects the Microgateway Engine container into Web application Pods that are labeled with sidecar.microgateway.airlock.com/inject: "true".
- The Operator configures the Engine based on Custom Resources that contain the Engine configuration.
- The Microgateway CNI plugin of the Node configures the network routing between Engine and Web application container.
- The Cilium CNI plugin of the Node is used to bring the network capabilities provided by Cilium.
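Because injection is driven by a label on the Pods, a Deployment that carries the label only on its own metadata, or with a different value, produces Pods without an Engine sidecar. The following check is an added example, not part of the original article or of Airlock's tooling; the workload names and namespace are constructed, and treating only the exact value "true" as valid is an assumption taken from the label as written above.

```python
import json

# Label key quoted from the article; the expected value is the string "true".
INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"

# Constructed sample shaped like `kubectl get deployments -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "webapp"},
  "spec": {"template": {"metadata": {"labels": {
     "app": "webapp", "sidecar.microgateway.airlock.com/inject": "true"}}}}},
 {"metadata": {"namespace": "shop", "name": "api",
               "labels": {"sidecar.microgateway.airlock.com/inject": "true"}},
  "spec": {"template": {"metadata": {"labels": {"app": "api"}}}}},
 {"metadata": {"namespace": "shop", "name": "admin"},
  "spec": {"template": {"metadata": {"labels": {
     "app": "admin", "sidecar.microgateway.airlock.com/inject": "True"}}}}},
 {"metadata": {"namespace": "shop", "name": "batch"},
  "spec": {"template": {"metadata": {"labels": {"app": "batch"}}}}}
]}
""")

def classify(workload):
    """Return the injection-label status of one Deployment-like object."""
    own = workload.get("metadata", {}).get("labels") or {}
    tmpl = (workload.get("spec", {}).get("template", {})
            .get("metadata", {}).get("labels") or {})
    value = tmpl.get(INJECT_LABEL)
    if value == "true":
        return "labeled"
    if value is not None:
        return "unexpected-value"  # anything other than the exact string "true"
    if INJECT_LABEL in own:
        # Label sits on the Deployment object, so its Pods do not carry it.
        return "label-not-on-pod-template"
    return "unlabeled"

def audit(doc):
    """Map 'namespace/name' -> status for every item in a kubectl JSON list."""
    return {f"{w['metadata']['namespace']}/{w['metadata']['name']}": classify(w)
            for w in doc.get("items", [])}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE).items()):
        print(f"{status:26} {name}")
```
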