Installation in Kubernetes

To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources in sidecarless (K8s Gateway API) data plane mode.

Prerequisites

  • To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. To request and configure/change a license, see the article Configuration and monitoring of licenses.
  • Install a cert-manager in your Kubernetes cluster.

Install a cert-manager

You can install cert-manager with the commands below, replacing 'VERSION' with the cert-manager version you wish to install. You may use the latest cert-manager version (see the official cert-manager Helm installation instructions), which should work fine in most cases.

# Add the cert-manager repository and perform a Helm-based installation
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version 'VERSION' -n cert-manager --create-namespace --set crds.enabled=true --wait

Deploy K8s Gateway API resources

The sidecarless data plane mode installation of Airlock Microgateway requires installing the K8s Gateway API standard channel v1.1.0.

  1. Run the following command:
    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
  2. Wait until the required CRDs for K8s Gateway API usage have been installed.
    Example:
    customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
    customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
    customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
    customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
    customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created

More details, including release notes and upgrade information, can be found in the official Kubernetes Gateway API installation documentation.

Install the Airlock Microgateway Operator

To complete the Airlock Microgateway Operator installation and to run the helm test below successfully, you need to deploy a valid license. See the article Configuration and monitoring of licenses for more information.

  1. Create the airlock-microgateway-system namespace:
    kubectl create namespace airlock-microgateway-system
  2. Store the license in the Microgateway Operator namespace, in a Kubernetes secret with the name airlock-microgateway-license and the key microgateway-license.txt. Use the following command:
    kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license \
      --from-file=microgateway-license.txt=<my-local-microgateway-license.txt>
  3. Adapt and run the following command with the current Airlock Microgateway Operator Helm chart version. This installs airlock-microgateway in the airlock-microgateway-system namespace and activates the K8s Gateway API support.
    helm install -n airlock-microgateway-system airlock-microgateway oci://quay.io/airlockcharts/microgateway --wait --version 4.4.0 --set=operator.gatewayAPI.enabled=true
  4. Verify that the Airlock Microgateway Operator started successfully:
    kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m

    During installation, the installation status is echoed, i.e., the preliminary cleanup task and the scaling of the test installation to a single replica (to ensure that no pods from previous runs are present).

  5. The logs should show the message Thank you for installing Airlock Microgateway, followed by further information on the successful installation. Note that the Microgateway CNI-Plugin is not required for the sidecarless data plane mode installation described in this article.

What's next

  1. Configure an Ingress controller to route the incoming traffic to the Microgateway Service as required.
  2. Deploy one or more Microgateway Engine Pods to secure your application(s):
    • Configuring a Gateway CR deploys two Microgateway Engine Pods.
    • To secure an application with Airlock Microgateway, configure an HTTPRoute CR to route traffic through the Microgateway Engine Pods to your web application Pod(s).
  3. Optional: customize the default Airlock Microgateway security settings:
    Create and configure a ContentSecurityPolicy CR and the respective customizations, e.g., custom deny rules in a DenyRules CR.

The Custom Resource ContentSecurityPolicy is a Direct Policy Attachment for the K8s Gateway API. It specifies the options to secure an upstream web application with an Airlock Microgateway. It does so by referencing various other CRs covering different customized web application security aspects.
If references are not explicitly configured, default settings designed to secure web application services will be applied.
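The three "What's next" resources wired together, as an added example that is not part of the Airlock documentation: a Gateway CR (which deploys the Engine Pods), an HTTPRoute CR (routing to the application Service) and a ContentSecurityPolicy CR attached to that route. The GatewayClass name "airlock-microgateway", the namespace "demo", the Service "demo-app" on port 8080, and the ContentSecurityPolicy apiVersion and targetRef field names are assumptions (the latter follow the Gateway API Direct Policy Attachment shape; check the Microgateway CRD reference).

```yaml
# Constructed example, not from the Airlock documentation.
# Assumptions: GatewayClass "airlock-microgateway", namespace "demo",
# Service "demo-app" on port 8080, and the ContentSecurityPolicy
# apiVersion/field names (verify against the Microgateway CRD reference).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: microgateway
  namespace: demo
spec:
  gatewayClassName: airlock-microgateway   # assumed GatewayClass name
  listeners:
    - name: http
      protocol: HTTP
      port: 8080
      allowedRoutes:
        namespaces:
          from: Same        # only HTTPRoutes in "demo" may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-app
  namespace: demo
spec:
  parentRefs:
    - name: microgateway    # attach to the Gateway above
  hostnames:
    - demo.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: demo-app    # Service in front of the web application Pod(s)
          port: 8080
---
apiVersion: microgateway.airlock.com/v1alpha1   # assumed apiVersion
kind: ContentSecurityPolicy
metadata:
  name: demo-app
  namespace: demo
spec:
  targetRef:                # Direct Policy Attachment to the HTTPRoute
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: demo-app
  # No further references: the Microgateway default security settings
  # apply. Custom CRs (e.g. DenyRules) are referenced from this spec.
```

Apply with kubectl apply -f and then check that the Gateway reports Programmed and the HTTPRoute reports Accepted in their status conditions before sending traffic through it.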