Enhancing the security of your Kubernetes applications doesn't have to be complicated. By integrating SafeLine WAF with Ingress-Nginx, you can block malicious traffic at the ingress level—without major overhead.
This guide walks you through integrating SafeLine into Ingress-Nginx using either Helm or a custom image, and covers both fresh installs and existing setups.
Prerequisites
- SafeLine version >= 5.6.0
- Kubernetes cluster with access to Helm (for fresh installs)
- Basic understanding of Ingress-Nginx
1. Create a ConfigMap for SafeLine Settings
Before anything else, define your SafeLine detection engine address and port in a ConfigMap:
# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host" # Replace with your actual SafeLine detector host
  port: "8000" # Default port
Apply it with:
kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml
2. Fresh Install of Ingress-Nginx with SafeLine via Helm
If you're starting from scratch, you can install Ingress-Nginx and enable SafeLine WAF in one go.
Here’s an example values.yaml with SafeLine configuration:
# values.yaml
controller:
  kind: DaemonSet
  image:
    registry: docker.io
    image: chaitin/ingress-nginx-controller
    tag: v1.10.1
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local # Preserves client IPs
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: chaitin/ingress-nginx-kube-webhook-certgen
        tag: v1.4.1
Install using Helm:
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  -f values.yaml
3. Building a Custom Ingress-Nginx Image with SafeLine
Prefer to build the image yourself? Here’s a sample Dockerfile that installs the SafeLine plugin:
FROM registry.k8s.io/ingress-nginx/controller:v1.10.1
# Switch to root only for the build steps
USER root
RUN apk add --no-cache make gcc unzip wget
# Install Luarocks
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0*
# Install the plugin and link it into the Nginx Lua plugin directory
RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline
# Drop back to the unprivileged user for runtime
USER www-data
4. Add SafeLine to an Existing Ingress-Nginx Setup
Already have Ingress-Nginx running? No problem. Here’s how to integrate SafeLine step by step.
➤ Step 1: Install the Plugin
Use the Dockerfile above to install the plugin with luarocks. Make sure it’s in your Nginx plugin path.
➤ Step 2: Create ConfigMap
Apply the same safeline.yaml as earlier:
kubectl apply -f safeline.yaml
➤ Step 3: Enable SafeLine in Ingress Config
Edit or create the controller config map:
# ingress-nginx-controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  plugins: "safeline"
➤ Step 4: Inject SafeLine Environment Variables
Add these to your Deployment or DaemonSet manifest:
env:
  - name: SAFELINE_HOST
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: host
  - name: SAFELINE_PORT
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: port
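Steps 1 to 4 touch three separate objects, and a gap in any one of them is easy to miss in review. The following check is an added example, not code from the SafeLine or Ingress-Nginx projects: it takes the three objects as parsed `kubectl get ... -n ingress-nginx -o json` output and reports where they deviate from this guide. The function name and the sample objects are constructed for illustration.

```python
# Added example: wiring check for the three objects this guide configures.
# Inputs are dicts parsed from `kubectl get <kind> <name> -n ingress-nginx -o json`.
REQUIRED_ENV = {"SAFELINE_HOST": "host", "SAFELINE_PORT": "port"}  # env name -> ConfigMap key

def check_safeline_wiring(workload, controller_cm, safeline_cm):
    """Return a list of problems; an empty list means the wiring matches the guide."""
    problems = []
    # 1. safeline ConfigMap: a real detector host and a valid port
    data = safeline_cm.get("data") or {}
    host, port = data.get("host", ""), data.get("port", "")
    if not host or host == "detector_host":
        problems.append("safeline ConfigMap: host is empty or still the placeholder")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("safeline ConfigMap: port is not a valid TCP port")
    # 2. controller ConfigMap: plugins is a comma-separated list that must name safeline
    plugins = (controller_cm.get("data") or {}).get("plugins", "")
    if "safeline" not in [p.strip() for p in plugins.split(",")]:
        problems.append("controller ConfigMap: safeline missing from plugins")
    # 3. Deployment/DaemonSet: both env vars sourced from the safeline ConfigMap
    containers = workload["spec"]["template"]["spec"]["containers"]
    for name, key in REQUIRED_ENV.items():
        refs = [(e.get("valueFrom") or {}).get("configMapKeyRef") or {}
                for c in containers for e in c.get("env") or [] if e.get("name") == name]
        if not refs:
            problems.append(f"workload: env {name} is not set")
        elif not any(r.get("name") == "safeline" and r.get("key") == key for r in refs):
            problems.append(f"workload: env {name} does not reference safeline/{key}")
    return problems

def _env(name, key):
    return {"name": name, "valueFrom": {"configMapKeyRef": {"name": "safeline", "key": key}}}

# Constructed sample objects (not output from a real cluster).
GOOD_WORKLOAD = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "env": [_env("SAFELINE_HOST", "host"), _env("SAFELINE_PORT", "port")]}]}}}}
GOOD_CONTROLLER_CM = {"data": {"plugins": "safeline"}}
GOOD_SAFELINE_CM = {"data": {"host": "safeline-detector.example.internal", "port": "8000"}}

# Deviations from the guide: placeholder host kept, plugin not enabled, port env missing.
BAD_WORKLOAD = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "env": [_env("SAFELINE_HOST", "host")]}]}}}}
BAD_CONTROLLER_CM = {"data": {"use-forwarded-headers": "true"}}
BAD_SAFELINE_CM = {"data": {"host": "detector_host", "port": "8000"}}

if __name__ == "__main__":
    for label, args in (("good", (GOOD_WORKLOAD, GOOD_CONTROLLER_CM, GOOD_SAFELINE_CM)),
                        ("bad", (BAD_WORKLOAD, BAD_CONTROLLER_CM, BAD_SAFELINE_CM))):
        print(label, check_safeline_wiring(*args) or "ok")
```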
Testing the Integration
Send a test attack to check if SafeLine is intercepting it properly:
curl http://localhost:80/ -H "Host: example.com" \
  -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"
If configured correctly, you should see:
{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}
More detailed logs will be available in the SafeLine dashboard.
Summary
With SafeLine WAF integrated into Ingress-Nginx, you're adding a powerful layer of security right at the entry point of your Kubernetes apps—helping block malicious requests before they hit your services.
Whether you're building from scratch or updating an existing cluster, SafeLine makes it easy to protect your apps with minimal effort.