Boost Kubernetes Security: Deploying SafeLine WAF with Ingress-nginx

Lulu - Aug 6 - - Dev Community

Preparation Steps:

Modify SafeLine Service

1.Follow the SafeLine documentation for installation

2.The community version of SafeLine's detection engine provides services via Unix socket by default. We need to change this to TCP mode.

  • Navigate to the SafeLine detector engine configuration directory:
cd /data/safeline/resources/detector/
Enter fullscreen mode Exit fullscreen mode
  • Open the detector.yml file with a text editor. We need to change the bind method from unix socket to tcp:
bind_addr: 0.0.0.0
listen_port: 8000
Enter fullscreen mode Exit fullscreen mode

3.The properties in the detector config will override the default properties in the container. This way, we have the SafeLine engine listening on port 8000.

  • We just need to map the container's port 8000 to the host. First, go to the SafeLine installation directory:
cd /data/safeline
Enter fullscreen mode Exit fullscreen mode
  • Next, open the compose.yaml file in the directory with a text editor. Add the ports field to the detector container to expose port 8000. Like this:
......
detect:
    ......
    ports:
    - 8000:8000
......
Enter fullscreen mode Exit fullscreen mode
  • Alright, restart SafeLine by running the following commands:
docker compose down
docker compose up -d
Enter fullscreen mode Exit fullscreen mode

Prepare SafeLine Configuration

1.Use a ConfigMap to configure the SafeLine plugin with the necessary detection engine host and port:

cat <<EOF | sudo tee safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host" # Address of the SafeLine detection engine
  port: "8000"
EOF
Enter fullscreen mode Exit fullscreen mode

2.Create the SafeLine ConfigMap:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml
Enter fullscreen mode Exit fullscreen mode

Install Helm

Follow the instructions on the Helm documentation.

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
Enter fullscreen mode Exit fullscreen mode

Install Ingress-nginx

1.Install Ingress-nginx using Helm

  • Use the following ingress-nginx-values.yaml file to replace the image and configure the plugin:
cat <<EOF | sudo tee ingress-nginx-values.yaml
controller:
  hostNetwork: true
  kind: DaemonSet
  image:
    registry: registry.cn-shanghai.aliyuncs.com
    image: kubesec/chaitin-ingress-nginx-controller
    tag: v1.10.1
    digest: ""
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local # Allows getting the real client IP
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: registry.cn-shanghai.aliyuncs.com
        image: kubesec/chaitin-ingress-nginx-kube-webhook-certgen
        tag: v1.4.1
        digest: ""
EOF
Enter fullscreen mode Exit fullscreen mode
  • Run the Installation Command
helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace -f ingress-nginx-values.yaml
Enter fullscreen mode Exit fullscreen mode

2.Test SafeLine Plugin

  • Deploy the nginx service using the following safeline-test.yaml file:
cat <<EOF | sudo tee safeline-test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: safeline-test

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: safeline-test
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: registry.cn-shanghai.aliyuncs.com/kubesec/nginx:1.14.2
        ports:
        - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: safeline-test
spec:
  selector:
    app: nginx
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      nodePort: 30080
      port: 80
      targetPort: 80

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: safeline-test
spec:
  ingressClassName: nginx
  rules:
  - host: www.safeline-test.org
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
Enter fullscreen mode Exit fullscreen mode
  • Run the Deployment Command
kubectl create -f safeline-test.yaml
Enter fullscreen mode Exit fullscreen mode
  • To test if the SafeLine plugin is working, construct a malicious request. (Set up local DNS resolution, then run)
curl http://www.safeline-test.org/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"
Enter fullscreen mode Exit fullscreen mode
  • You should see a 403 Forbidden response, indicating that the SafeLine plugin is active.
{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "009efd8d2bf44a07b5cb7ed4cf18fb84"
}
Enter fullscreen mode Exit fullscreen mode

In the SafeLine console, you can view the detailed attack information recorded by SafeLine.

Image description

Automate Testing of Protection Results

Use the blazehttp automation tool for batch testing:

docker pull registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0
docker run --rm --net=host registry.cn-shanghai.aliyuncs.com/kubesec/chaitin-blazehttp:v0.2.0 /app/blazehttp -t http://www.safeline-test.org/
Enter fullscreen mode Exit fullscreen mode

The following output will be seen:

sending 100% |██████████████████████████████| (33677/33677, 1160 it/s) [29s:0s]
Total samples: 33677    Success: 33677    Errors: 0
Detection rate: 83.87% (Total malicious samples: 558, Correctly blocked: 468, Missed: 90)
False positive rate: 0.07% (Total benign samples: 33119, Correctly allowed: 33096, False positives: 23)
Accuracy: 99.66% (Correctly blocked + Correctly allowed) / Total samples
Average response time: 8.47 ms
Enter fullscreen mode Exit fullscreen mode

Check the SafeLine console for detailed attack events.

Image description

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .