Curiefense WAF + Emissary Ingress POC
Clone the repository with the following command:
git clone --recurse-submodules https://github.com/sagikazarmark/curiefense-emissary-poc.git
Preparations
Build container image:
docker build .
If you use Kind (see the Using Kind section below if you are setting it up for the first time), build a local image and load it into Kind:
docker build -t curiefense-emissary .
kind load docker-image curiefense-emissary:latest
Setup
Gain access to a Kubernetes cluster. Check out the Using Kind section for a local setup.
Using Kind
- Create a new Kind cluster:
kind create cluster --config kind/kind.yaml
- Run the setup script to install required components:
./kind/setup.sh
Deploy Curiefense
Deploy Curiefense:
kubectl create namespace curiefense
kubectl apply -f curiefense/secret.yaml
cd curiefense/curiefense-helm/curiefense-helm
DOCKER_TAG=v1.5.0 ./deploy.sh -f curiefense/use-minio.yaml --set "global.proxy.frontend=envoy" --set "global.settings.curiefense_minio_insecure=true"
cd -
TODO: quality of life improvement: push (prod) chart to a chart repo? Use Kustomize to install components (uiserver, confserver) separately?
Deploy Emissary Ingress
Deploy Emissary:
# The first apply can fail with "no matches for kind" while Emissary's CRDs are still being registered; if it does, run it again
kustomize build emissary | kubectl apply -f -
kubectl -n emissary wait --for condition=available --timeout=90s deploy emissary-ingress
Deploy the echo app
kubectl apply -f app/app.yaml
Usage
To prove the setup works end to end, create some configuration whose effect you can observe from the outside.
For example, create a Global Filter that matches requests carrying a specific header (eg. breakme: true) and denies them.
Check out the documentation to learn about the vast number of features Curiefense has.
First, port-forward into the Curiefense UI server:
kubectl -n curiefense port-forward deploy/uiserver 8080:80
Then follow these steps to set up a simple deny rule:
- Go to Policies & Rules
- Choose Global Filters
- Click the + (plus) sign in the upper right corner
- Give the new filter a name
- Add a new match for a Header (eg. breakme: true)
- Choose 503 Service Unavailable as the action
- Hit save (floppy icon)
- Go to Publish Changes
- Hit Publish configuration
Next, port-forward into Emissary Ingress:
kubectl -n emissary port-forward deploy/emissary-ingress 8888:8080
Finally, send a request to the ingress:
curl -H "Host: host2.example.com" -H "breakme: true" localhost:8888
You should get a 503 back. Send the same request without the breakme header as well: it should still reach the echo app (200), which confirms the 503 came from the Global Filter and not from an unreachable upstream, since Envoy also answers 503 when it cannot reach the backend.
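The following script is an added example and not part of the curiefense-emissary-poc repository. It turns the manual curl check above into a positive/negative test: the baseline request (no breakme header) must reach the echo app, and the matching request must be denied. It assumes both port-forwards from the steps above are running, so the ingress is reachable at localhost:8888 and host2.example.com routes to the echo app; the INGRESS and VHOST variables, the function names and the --run flag are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the curiefense-emissary-poc repo): verify the
# "breakme: true" Global Filter with a positive and a negative check.
# Assumes the README port-forwards are running: ingress on localhost:8888,
# echo app routed for Host host2.example.com.

INGRESS="${INGRESS:-http://localhost:8888}"
VHOST="${VHOST:-host2.example.com}"

# http_status HEADER_VALUE -> prints the HTTP status code of one request to the
# ingress. An empty HEADER_VALUE sends no breakme header at all (the baseline).
http_status() {
  if [ -n "$1" ]; then
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $VHOST" -H "breakme: $1" "$INGRESS"
  else
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $VHOST" "$INGRESS"
  fi
}

# verdict BASELINE_STATUS BLOCKED_STATUS -> classifies the pair of results:
#   pass          baseline 200, matching request 503: the filter fired
#   not-enforced  both 200: traffic flows but the rule never matched
#                 (configuration not published? header name or value typo?)
#   upstream-down both 503: the ingress cannot reach the echo app, so a 503
#                 proves nothing about the WAF
#   unexpected    anything else (routing problem, wrong Host, etc.)
verdict() {
  case "$1/$2" in
    200/503) echo pass ;;
    200/200) echo not-enforced ;;
    503/503) echo upstream-down ;;
    *)       echo unexpected ;;
  esac
}

# check_filter -> runs both requests, prints the verdict, exits 0 only on pass.
check_filter() {
  baseline=$(http_status "")
  blocked=$(http_status "true")
  result=$(verdict "$baseline" "$blocked")
  echo "baseline=$baseline blocked=$blocked verdict=$result"
  [ "$result" = pass ]
}

# Only run when invoked with --run, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  check_filter
fi
```

Run it with `sh check-filter.sh --run` once the port-forwards are up. The verdict distinguishes the three outcomes a 503 alone cannot: a filter that fired, a filter that was never published, and an ingress that simply cannot reach the backend.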
Cleanup
Ideally, delete the cluster.
In case of Kind:
kind delete cluster
Best effort attempt to delete resources:
kubectl delete namespace emissary
kubectl delete namespace curiefense