Deploying a free and self-hosted WAF in Kubernetes to block real-world web attacks.
In a cloud-native world where Kubernetes rules the orchestration layer, security often becomes the weak link. If you're running apps behind Ingress-nginx, it's time to consider adding a Web Application Firewall (WAF) to your stack.
This post walks you through integrating SafeLine WAF—a free and powerful WAF—into your Kubernetes setup, enhancing your app's protection against real-world threats like RCE, XSS, and SQLi.
Why Your Kubernetes Needs a WAF
While Kubernetes offers flexibility and scalability, it’s not immune to:
- Exposed APIs and misconfigured services
- Sensitive data leaks within containers
- DDoS attacks causing downtime
- Misconfigurations that open security gaps
Ingress-nginx helps route external traffic, but it doesn’t come with built-in deep-layer WAF protections. That’s where SafeLine steps in.
Meet SafeLine WAF
SafeLine is a self-hosted WAF designed for modern web infrastructure. It offers:
- Protection against XSS, SQLi, RCE, and other common web exploits
- Real-time traffic monitoring and logging
- Custom rule sets for fine-grained control
- API and dashboard for managing policies easily
When combined with Ingress-nginx, it becomes a powerful layer of defense for any Kubernetes application.
How to Deploy SafeLine WAF with Ingress-nginx
Step 1: Prep Your Cluster
Make sure you have:
- A working Kubernetes cluster (any cloud or local)
- Ingress-nginx installed and running
You can follow the official Ingress-nginx setup guide if needed.
Step 2: Deploy SafeLine WAF
Create a Kubernetes Deployment and Service for SafeLine:
apiVersion: apps/v1
kind: Deployment
metadata:
name: safeline
spec:
replicas: 1
selector:
matchLabels:
app: safeline
template:
metadata:
labels:
app: safeline
spec:
containers:
- name: safeline
image: safeline:latest
ports:
- containerPort: 80
Then expose it via a service:
apiVersion: v1
kind: Service
metadata:
name: safeline
spec:
selector:
app: safeline
ports:
- port: 80
targetPort: 80
Step 3: Hook SafeLine into Ingress-nginx
Update your Ingress resource to send traffic through SafeLine:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
nginx.ingress.kubernetes.io/default-backend: safeline
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app
port:
number: 80
This ensures all unmatched traffic hits SafeLine first, allowing it to inspect and block malicious requests.
Step 4: Test & Monitor
After deployment:
- Confirm traffic flows through SafeLine
- Simulate a few common attacks (like XSS or SQLi) to test detection
- Use SafeLine logs to observe blocked requests and tune rules if needed
Benefits of This Setup
Proactive Defense: Blocks threats before they reach your app
Traffic Visibility: View and analyze request logs
Easy Management: API + UI + custom rule sets
Compliance Ready: Helps meet security audit requirements
Final Thoughts
SafeLine + Ingress-nginx is a practical, cost-effective solution for adding real WAF protection in Kubernetes environments. It’s free, open-source, and designed for modern dev workflows.
If you're serious about securing your apps, now's the time to level up your ingress traffic with SafeLine.
Top comments (0)