CodeNewbie Community 🌱

Sharon428931

How to Add SafeLine WAF to Kubernetes Ingress-Nginx

Enhancing the security of your Kubernetes applications doesn't have to be complicated. By integrating SafeLine WAF with Ingress-Nginx, you can block malicious traffic at the ingress level—without major overhead.

This guide walks you through integrating SafeLine into Ingress-Nginx using either Helm or a custom image, and covers both fresh installs and existing setups.


Prerequisites

  • SafeLine version >= 5.6.0
  • Kubernetes cluster with access to Helm (for fresh installs)
  • Basic understanding of Ingress-Nginx

1. Create a ConfigMap for SafeLine Settings

Before anything else, define your SafeLine detection engine address and port in a ConfigMap:

# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host"  # Replace with your actual SafeLine detector host
  port: "8000"           # Default port

Apply it with:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml

2. Fresh Install of Ingress-Nginx with SafeLine via Helm

If you're starting from scratch, you can install Ingress-Nginx and enable SafeLine WAF in one go.

Here’s an example values.yaml with SafeLine configuration:

# values.yaml
controller:
  kind: DaemonSet
  image:
    registry: docker.io
    image: chaitin/ingress-nginx-controller
    tag: v1.10.1
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local  # Preserves client IPs
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: chaitin/ingress-nginx-kube-webhook-certgen
        tag: v1.4.1

Install using Helm:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  -f values.yaml

3. Building a Custom Ingress-Nginx Image with SafeLine

Prefer to build the image yourself? Here’s a sample Dockerfile that installs the SafeLine plugin:

FROM registry.k8s.io/ingress-nginx/controller:v1.10.1
USER root

RUN apk add --no-cache make gcc unzip wget

# Install Luarocks
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0*

RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline

USER www-data

4. Add SafeLine to an Existing Ingress-Nginx Setup

Already have Ingress-Nginx running? No problem. Here’s how to integrate SafeLine step by step.

➤ Step 1: Install the Plugin

Use the Dockerfile above to install the plugin with luarocks. Make sure it ends up in the Nginx plugin path, which the Dockerfile handles by symlinking it to /etc/nginx/lua/plugins/safeline.

➤ Step 2: Create ConfigMap

Apply the same safeline.yaml as earlier:

kubectl apply -f safeline.yaml

➤ Step 3: Enable SafeLine in Ingress Config

Edit or create the controller config map:

# ingress-nginx-controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  plugins: "safeline"

➤ Step 4: Inject SafeLine Environment Variables

Add these to the controller container in your Deployment or DaemonSet manifest:

env:
  - name: SAFELINE_HOST
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: host
  - name: SAFELINE_PORT
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: port
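
A preflight check for steps 2 to 4, added here as an example and not part of the original post: it confirms that the safeline ConfigMap, the controller's plugins setting and the two environment variables agree with each other. The workload name ingress-nginx-controller is an assumption (the Helm default); set WORKLOAD to deployment/<name> if you run a Deployment.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check the SafeLine wiring.
# Namespace, ConfigMap and env names are the ones used in this guide; the
# workload name "ingress-nginx-controller" is an assumption (Helm default).
NS="${NS:-ingress-nginx}"
WORKLOAD="${WORKLOAD:-daemonset/ingress-nginx-controller}"

# kget RESOURCE JSONPATH -> prints the selected field (empty if missing)
kget() { kubectl -n "$NS" get "$1" -o "jsonpath=$2" 2>/dev/null; }

check_safeline_wiring() {
  local rc=0 host port plugins pair var key base ref

  host=$(kget configmap/safeline '{.data.host}')
  port=$(kget configmap/safeline '{.data.port}')
  if [ -z "$host" ] || [ "$host" = "detector_host" ]; then
    echo "FAIL: safeline/host is empty or still the placeholder"; rc=1
  fi
  case "$port" in
    ''|*[!0-9]*) echo "FAIL: safeline/port '$port' is not numeric"; rc=1 ;;
  esac

  # "plugins" in the controller ConfigMap is a comma-separated list.
  plugins=$(kget configmap/ingress-nginx-controller '{.data.plugins}')
  case ",$(printf '%s' "$plugins" | tr -d ' ')," in
    *,safeline,*) ;;
    *) echo "FAIL: plugins='$plugins' does not enable safeline"; rc=1 ;;
  esac

  # Each env var must be sourced from the matching key of ConfigMap "safeline".
  for pair in SAFELINE_HOST:host SAFELINE_PORT:port; do
    var=${pair%%:*}; key=${pair#*:}
    base=".spec.template.spec.containers[0].env[?(@.name==\"$var\")]"
    base="$base.valueFrom.configMapKeyRef"
    ref=$(kget "$WORKLOAD" "{$base.name}/{$base.key}")
    if [ "$ref" != "safeline/$key" ]; then
      echo "FAIL: $var not sourced from safeline/$key (got '$ref')"; rc=1
    fi
  done

  if [ "$rc" -eq 0 ]; then echo "OK: SafeLine wiring is consistent"; fi
  return "$rc"
}

if [ "${1:-}" = "run" ]; then check_safeline_wiring; fi
```

Save it as a script and call it with the argument run; it exits non-zero if any check fails.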

Testing the Integration

Send a test attack to check if SafeLine is intercepting it properly:

curl http://localhost:80/ -H "Host: example.com" \
  -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"

If configured correctly, you should see:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}

More detailed logs will be available in the SafeLine dashboard.
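
The check above as a repeatable smoke test, added here as an example and not part of the original post: it sends one benign request and the page's test request, and tells a SafeLine block page apart from a 403 produced elsewhere or a request that was not blocked. INGRESS_URL, TEST_HOST, the benign User-Agent, and the HTTP status being 403 (matching the "code" field) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): smoke test for the WAF integration.
# INGRESS_URL, TEST_HOST and the benign User-Agent are assumptions; the blocked
# User-Agent is the test string used on this page.
INGRESS_URL="${INGRESS_URL:-http://localhost:80/}"
TEST_HOST="${TEST_HOST:-example.com}"
TEST_UA="() { :; }; echo; echo; /bin/bash -c 'echo hello'"

# classify_response STATUS BODY -> blocked | foreign-403 | error | passed
classify_response() {
  case "$1" in
    403)
      case "$2" in
        *"blocked by Chaitin SafeLine"*) echo blocked ;;
        *) echo foreign-403 ;;     # 403 from the app or another layer
      esac ;;
    ''|000|5??) echo error ;;      # no response, or ingress/upstream failure
    *) echo passed ;;              # request was not blocked
  esac
}

# Pull the event_id out of the block page for lookup in the SafeLine dashboard.
event_id() {
  printf '%s\n' "$1" | sed -n 's/.*"event_id"[[:space:]]*:[[:space:]]*"\([0-9a-f]*\)".*/\1/p'
}

# probe USER_AGENT -> response body, then the HTTP status on the last line
probe() {
  curl -s -m 10 -w '\n%{http_code}' "$INGRESS_URL" \
    -H "Host: $TEST_HOST" -H "User-Agent: $1"
}

smoke_test() {
  local rc=0 tc want ua out status body got
  for tc in "passed|safeline-smoke-test/1.0" "blocked|$TEST_UA"; do
    want=${tc%%|*}; ua=${tc#*|}
    out=$(probe "$ua")
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    got=$(classify_response "$status" "$body")
    if [ "$got" = "$want" ]; then
      echo "OK: $want $(event_id "$body")"
    else
      echo "FAIL: expected $want, got $got (HTTP $status)"; rc=1
    fi
  done
  return "$rc"
}

if [ "${1:-}" = "run" ]; then smoke_test; fi
```

A foreign-403 result means something returned 403 without the SafeLine block page, so it does not show that the plugin is active.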


Summary

With SafeLine WAF integrated into Ingress-Nginx, you're adding a powerful layer of security right at the entry point of your Kubernetes apps—helping block malicious requests before they hit your services.

Whether you're building from scratch or updating an existing cluster, SafeLine makes it easy to protect your apps with minimal effort.

