To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources in sidecarless (K8s Gateway API) data plane mode.
Prerequisites
- To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. To request and configure/change a license, see the article Configuration and monitoring of licenses.
- Install a
cert-manager
in your Kubernetes cluster.
Install a cert-manager
You can install the cert-manager with the commands below in the 'VERSION'
you wish to install. You may use the latest cert-manager version (see official cert-manager Helm installation instructions), which should work fine in most cases.
Deploy K8s Gateway API resources
The sidecarless data plane mode installation of Airlock Microgateway requires installing the K8s Gateway API standard channel v1.1.0
.
- Run the following command:
- Wait until the required CRDs for K8s Gateway API usage have been installed.
Example:
More details, including release notes and upgrade information, can be found in the official Kubernetes Gateway API installation documentation.
Install the Airlock Microgateway Operator
In order to complete the Airlock Microgateway Operator installation and to run the below helm test
successfully, you need to deploy a valid license. See article Configuration and monitoring of licenses for more information.
- Create the
airlock-microgateway-system
namespace - Store the license in the Microgateway Operator namespace, in a Kubernetes secret with the name
airlock-microgateway-license
and the keymicrogateway-license.txt
. Use the following command: - Adapt and run the following command with the current Airlock Microgateway Operator Helm chart version. This will install
airlock-microgateway
in theairlock-microgateway-system
namespace and activate the K8s Gateway API support. - Verify that the Airlock Microgateway Operator started successfully:
- The logs should show the message
Thank you for installing Airlock Microgateway. ...
including further information on successful installation. Note that the Microgateway CNI-Plugin is not required for the sidecarless data plane mode installation described in this article.
During installation, the installation status is echoed – i.e., the preliminary cleanup task and scaling the test installation to only 1 replica (to ensure no pods from previous runs are present).
What's next
- Configure an Ingress controller to route the incoming traffic to the Microgateway Service as required.
- Deploy one or more Microgateway Engine Pods to secure your application(s):
- Configure a Gateway CR deploys two Microgateway Engine Pods.
- To secure an application with Airlock Microgateway, configure an HTTPRoute CR to route traffic through the Microgateway Engine Pods to your web application Pod(s).
- Optional: Customizing of the default Airlock Microgateway security settings:
Create and configure a ContentSecurityPolicy CR and the respective customizations, e.g., custom deny rules in a DenyRules CR.
The Custom Resource ContentSecurityPolicy is a Direct Policy Attachment for the K8s Gateway API. It specifies the options to secure an upstream web application with an Airlock Microgateway. It does so by referencing various other CRs covering different customized web application security aspects.
If references are not explicitly configured, default settings designed to secure web application services will be applied.