In the sidecar-based K8s Gateway API data plane mode, the Microgateway Operator monitors and reconfigures the Microgateway Engine Pods whenever a K8s Gateway API CRs (e.g. Gateway or HTTPRoute, etc.) changes. The same happens when a ContentSecurityPolicy with additional Microgateway CRs is deployed to customize/extend the built-in Airlock Microgateway security, e.g., by adding custom deny rules or additional limits.
Helm chart configuration in general
Helm Microgateway Operator chart configuration must take place before or with installation or upgrade. The configuration can be persistently adjusted in a local values.yaml
file or passed with every Helm installation using the --set
option.
You can find the Airlock Microgateway Helm charts here:
Configuration examples of K8s Gateway API CRs
Configured CR | Description |
---|---|
GatewayClass | Our example GatewayClass CR contains the Airlock Microgateway For more information about the GatewayClass CR, see the official documentation of the GatewayClass. |
Gateway | Our example Gateway CR contains the target namespace for the Microgateway Engine Pod and other details. , the name of the Microgateway Engine Pod, and the Namespace in which this Pod will be deployed. For another example, see the official example for a simple Gateway. |
HTTPRoute | The HTTPRoute CR configures the routing between the Microgateway Engine Pods and back-end application(s). As our example with different Namespaces for the Microgateway Engine Pod and the example application Pod demonstrates, cross-Namespace-routing can be configured. To secure your back-end application(s), you must configure the incoming traffic to be routed through the Microgateway Engine Pod. We strongly recommend testing your routing configuration by generating test requests and checking the Access Log. Airlock Microgateway does currently not support Listener Isolation. For more information, see the official documentation on Listener Isolation. For more information about the HTTPRoute CR, see the official documentation of the HTTPRoute. |
ReferenceGrant | Cross-namespace routing can be configured, for example, with a ReferenceGrant CR. In the For more information, see the official documentation of the ReferenceGrant. |
ContentSecurityPolicy CR example configuration
To implement custom deny rules, limits, etc., a ContentSecurityPolicy CR can be added. This CR is a Direct Policy Attachment for the K8s Gateway API. It allows adding Airlock Microgateway-specific CRs to secure web applications in a K8s Gateway API-based data plane mode. It does so by referencing various other CRs covering different customized web application security aspects.
Airlock Microgateway uses a security-by-default strategy and will apply the built-in security measures to traffic routed between the Microgateway Engine Pod and any back-end application. However, in some situations, such as initial application integration, it can be helpful to disable the built-in security measures temporarily. This can be done by setting up a ContentSecurityPolicy with unsecured: {}
.
Configured CR | Description |
---|---|
ContentSecurityPolicy | The following example is a copy from our CR ContentSecurityPolicy reference documentation. |
Grafana dashboard configuration
Airlock Microgateway offers several preconfigured Helm-based Grafana dashboard templates that can be enabled and individually disabled in the Operator Helm chart.
Configuration target | Description |
---|---|
Grafana dashboards | The following example makes the dashboard templates available for Grafana:
|
TLS certificate generation and renewal
Any communication between containers in the airlock-microgateway-system
namespace and, i.e., Microgateway Engine containers, is secured using TLS/mTLS.
During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system
namespace:
airlock-microgateway-ca-cert
– the CA certificate to generate self-signed TLS certificates.webhook-server-cert
– the server certificate of the Microgateway Operator.
Each time an Airlock Microgateway Engine is deployed, an airlock-microgateway-bootstrap-secret
is generated and saved to the Namespace of the Engine Deployment. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.
Further information and links
- API reference:
- CR ContentSecurityPolicy reference documentation
- Internal links:
- Labels and annotations for Airlock Microgateway in sidecar-based data plane mode
- Monitored CRs, see chapter CR SidecarGateway and below.
- Using Microgateway Prometheus metrics
- Troubleshooting for network routing issues in the application pod (CNI plugin and Network Validator)
- External links:
- Airlock Microgateway Helm charts on Artifact Hub
- Airlock Microgateway Helm charts on GitHub
- Official K8s Gateway API documentation of the GatewayClass
- Official K8s Gateway API example for a simple Gateway
- Official K8s Gateway API documentation of the HTTPRoute
- Official K8s Gateway API documentation of the ReferenceGrant
- Official K8s Gateway API documentation on Listener Isolation