Deploying a free and self-hosted WAF in Kubernetes to block real-world web attacks.
In a cloud-native world where Kubernetes rules the orchestration layer, security often becomes the weak link. If you're running apps behind Ingress-nginx, it's time to consider adding a Web Application Firewall (WAF) to your stack.
This post walks you through integrating SafeLine WAF—a free and powerful WAF—into your Kubernetes setup, enhancing your app's protection against real-world threats like RCE, XSS, and SQLi.
Why Your Kubernetes Needs a WAF
While Kubernetes offers flexibility and scalability, it’s not immune to:
- Exposed APIs and misconfigured services
- Sensitive data leaks within containers
- DDoS attacks causing downtime
- Misconfigurations that open security gaps
Ingress-nginx helps route external traffic, but it doesn’t come with built-in deep-layer WAF protections. That’s where SafeLine steps in.
Meet SafeLine WAF
SafeLine is a self-hosted WAF designed for modern web infrastructure. It offers:
- Protection against XSS, SQLi, RCE, and other common web exploits
- Real-time traffic monitoring and logging
- Custom rule sets for fine-grained control
- API and dashboard for managing policies easily
When combined with Ingress-nginx, it becomes a powerful layer of defense for any Kubernetes application.
How to Deploy SafeLine WAF with Ingress-nginx
Step 1: Prep Your Cluster
Make sure you have:
- A working Kubernetes cluster (any cloud or local)
- Ingress-nginx installed and running
You can follow the official Ingress-nginx setup guide if needed.
Step 2: Deploy SafeLine WAF
Create a Kubernetes Deployment and Service for SafeLine:
apiVersion: apps/v1
kind: Deployment
metadata:
name: safeline
spec:
replicas: 1
selector:
matchLabels:
app: safeline
template:
metadata:
labels:
app: safeline
spec:
containers:
- name: safeline
image: safeline:latest
ports:
- containerPort: 80
Then expose it via a service:
apiVersion: v1
kind: Service
metadata:
name: safeline
spec:
selector:
app: safeline
ports:
- port: 80
targetPort: 80
Step 3: Hook SafeLine into Ingress-nginx
Update your Ingress resource to send traffic through SafeLine:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
nginx.ingress.kubernetes.io/default-backend: safeline
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app
port:
number: 80
This ensures all unmatched traffic hits SafeLine first, allowing it to inspect and block malicious requests.
Step 4: Test & Monitor
After deployment:
- Confirm traffic flows through SafeLine
- Simulate a few common attacks (like XSS or SQLi) to test detection
- Use SafeLine logs to observe blocked requests and tune rules if needed
Benefits of This Setup
Proactive Defense: Blocks threats before they reach your app
Traffic Visibility: View and analyze request logs
Easy Management: API + UI + custom rule sets
Compliance Ready: Helps meet security audit requirements
Final Thoughts
SafeLine + Ingress-nginx is a practical, cost-effective solution for adding real WAF protection in Kubernetes environments. It’s free, open-source, and designed for modern dev workflows.
If you're serious about securing your apps, now's the time to level up your ingress traffic with SafeLine.
Top comments (1)
Total Power provides high-quality and affordable rental generators in Dubai for homes, businesses, and construction sites. Whether you need a small generator rental for personal use or a portable power generator rental for events, we have the right solution. Our diesel generators are fuel-efficient and reliable, ensuring uninterrupted power. We offer flexible rental plans at competitive diesel generator distribution boxes rental costs to suit your needs. Trust Total Power for safe and efficient generator rental Dubai services. Contact us today to get the best power solution!