https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/Recent content in How-to Guides on Coraza Kubernetes OperatorHugoen-ushttps://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/install-kubernetes-helm/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/install-kubernetes-helm/<p>This guide covers installing the Coraza Kubernetes Operator using Helm on a standard Kubernetes cluster.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Kubernetes cluster running <strong>v1.32 or later</strong></li> <li><a href="https://istio.io/latest/docs/setup/">Istio</a> installed with <a href="https://gateway-api.sigs.k8s.io/">Gateway API CRDs</a></li> <li><a href="https://helm.sh/docs/intro/install/">Helm 3</a> installed</li> </ul> <h2 id="install-from-the-helm-repository">Install from the Helm Repository</h2> <p>Add the Helm repository hosted on GitHub Pages and install:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> https://networking-incubator.github.io/coraza-kubernetes-operator/ </span></span><span class="line"><span class="cl">helm repo update </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade --install coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --create-namespace </span></span></code></pre></div><h3 id="pin-a-specific-version">Pin a Specific Version</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade --install coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --create-namespace <span class="se">\ </span></span></span><span class="line"><span class="cl"> --version &lt;chart-version&gt; </span></span></code></pre></div><p>Replace <code>&lt;chart-version&gt;</code> with the desired version (e.g. <code>0.1.0</code>). Available versions are listed on the <a href="https://github.com/networking-incubator/coraza-kubernetes-operator/releases">releases page</a>.</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/install-openshift-operatorhub/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/install-openshift-operatorhub/<p>This guide covers installing the Coraza Kubernetes Operator on OpenShift Container Platform.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>OpenShift Container Platform <strong>v4.20 or later</strong></li> <li>Cluster administrator privileges</li> <li>Gateway API enabled on your cluster (see <a href="https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/install-openshift-operatorhub/#enable-gateway-api">Enable Gateway API</a> below)</li> <li><a href="https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html-single/gateways/index">OpenShift Service Mesh</a> or Istio installed with Gateway API support</li> </ul> <h3 id="enable-gateway-api">Enable Gateway API</h3> <p>On OpenShift 4.20 and later, the Gateway API CRDs are included by default. You must create the <code>openshift-default</code> GatewayClass, which is the <a href="https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/ingress_and_load_balancing/configuring-ingress-cluster-traffic#ingress-gateway-api">officially supported GatewayClass</a> provided by the OpenShift Ingress Operator:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/creating-firewall-rules/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/creating-firewall-rules/<p>Firewall rules in the Coraza Kubernetes Operator are written using <a href="https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29">ModSecurity SecLang</a> syntax. Rule text is stored in <strong>RuleSource</strong> resources; a <strong>RuleSet</strong> lists RuleSource (and optional RuleData) names in order and drives compilation and caching.</p> <h2 id="writing-rules-in-rulesources">Writing rules in RuleSources</h2> <p>Each <strong>RuleSource</strong> has <code>spec.rules</code>: a string containing SecLang directives (use a <code>|</code> block scalar in YAML for multiline text).</p> <p>A basic RuleSource with Coraza engine configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">waf.k8s.coraza.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">RuleSource</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">base-rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> SecRuleEngine On </span></span></span><span class="line"><span class="cl"><span class="sd"> SecRequestBodyAccess On </span></span></span><span class="line"><span class="cl"><span class="sd"> SecResponseBodyAccess Off </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditLog /dev/stdout </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditLogFormat JSON </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditEngine RelevantOnly</span><span class="w"> </span></span></span></code></pre></div><p>A RuleSource with a SQL injection detection rule:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/deploying-waf-engine/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/deploying-waf-engine/<p>An Engine resource references a RuleSet and attaches the Coraza WAF to a Gateway via an Istio WasmPlugin.</p> <h2 id="creating-an-engine">Creating an Engine</h2> <p>The minimum Engine configuration requires a RuleSet reference and a target that identifies your Gateway:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">waf.k8s.coraza.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-ruleset</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span></code></pre></div><h2 id="selecting-a-gateway">Selecting a Gateway</h2> <p>The <code>target.name</code> identifies the Gateway resource in the same namespace. The operator derives the workload label selector using the GEP-1762 convention (<code>gateway.networking.k8s.io/gateway-name</code> label).</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/using-coreruleset/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/using-coreruleset/<p>The <a href="https://coreruleset.org/">OWASP CoreRuleSet (CRS)</a> is a widely used set of attack detection rules for ModSecurity-compatible WAFs. The <code>kubectl-coraza</code> plugin can generate <strong>RuleSource</strong>, <strong>RuleData</strong>, and <strong>RuleSet</strong> manifests from CRS rule files.</p> <div class="alert alert-warning" role="alert"><div class="h4 alert-heading" role="heading">Important</div> <p>This project does not provide, maintain, or support CoreRuleSet rules. Users must supply their own rules. The tools described here are provided for convenience.</p> </div> <h2 id="install-the-kubectl-coraza-plugin">Install the kubectl-coraza Plugin</h2> <p>Build the plugin from the operator repository:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/networking-incubator/coraza-kubernetes-operator.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> coraza-kubernetes-operator </span></span><span class="line"><span class="cl">make build </span></span></code></pre></div><p>This produces <code>bin/kubectl-coraza</code>. Copy it to a directory on your <code>PATH</code>:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/using-data-files/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/using-data-files/<p>Some SecLang rules use the <code>@pmFromFile</code> directive to match against patterns stored in external data files. The Coraza Kubernetes Operator provides these files from <strong>RuleData</strong> resources, referenced by the <strong>RuleSet</strong> <code>spec.data</code> list.</p> <h2 id="when-to-use-data-files">When to use data files</h2> <p>Use data files when your rules reference <code>@pmFromFile</code>. For example:</p> <pre tabindex="0"><code>SecRule ARGS &#34;@pmFromFile bad-patterns.data&#34; \ &#34;id:3001,phase:2,deny,status:403,msg:&#39;Blocked pattern detected&#39;&#34; </code></pre><p>This rule reads patterns from a file named <code>bad-patterns.data</code>. Store that file in a <strong>RuleData</strong> <code>spec.files</code> map (filename → content).</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/configuring-failure-policies/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/configuring-failure-policies/<p>The Engine <code>failurePolicy</code> field determines how traffic is handled when the WAF is not ready or encounters an error during rule evaluation.</p> <h2 id="available-policies">Available Policies</h2> <table> <thead> <tr> <th>Policy</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><code>fail</code> (default)</td> <td>Block all traffic when the WAF is not ready or encounters an error. This prioritizes security.</td> </tr> <tr> <td><code>allow</code></td> <td>Allow traffic through when the WAF is not ready or encounters an error. This prioritizes availability.</td> </tr> </tbody> </table> <h2 id="setting-the-failure-policy">Setting the Failure Policy</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">waf.k8s.coraza.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">fail</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-ruleset</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">Istio</span><span class="w"> </span></span></span></code></pre></div><h2 id="when-to-use-each-policy">When to Use Each Policy</h2> <h3 id="use-fail-when">Use <code>fail</code> when:</h3> <ul> <li>Security is the highest priority.</li> <li>You prefer to block traffic rather than risk allowing unfiltered requests.</li> <li>The application behind the Gateway can tolerate brief outages during WAF startup or rule updates.</li> </ul> <h3 id="use-allow-when">Use <code>allow</code> when:</h3> <ul> <li>Availability is the highest priority.</li> <li>You prefer to serve traffic unfiltered rather than block it during WAF startup.</li> <li>The WAF provides defense-in-depth alongside other security controls.</li> </ul> <h2 id="changing-the-policy">Changing the Policy</h2> <p>You can change the failure policy on an existing Engine at any time:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/monitoring-prometheus/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/monitoring-prometheus/<p>The Coraza Kubernetes Operator exposes Prometheus metrics over HTTPS for monitoring the RuleSet cache server.</p> <h2 id="enabling-the-metrics-endpoint">Enabling the Metrics Endpoint</h2> <p>Metrics are enabled by default. The endpoint is served over HTTPS on port <strong>8443</strong> with TLS 1.3 and requires authentication via a Kubernetes ServiceAccount token.</p> <p>To disable metrics:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metrics</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div><h2 id="enabling-the-servicemonitor">Enabling the ServiceMonitor</h2> <p>If you use the <a href="https://prometheus-operator.dev/">Prometheus Operator</a>, enable the ServiceMonitor to automatically discover the metrics endpoint:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/upgrading/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/dev/howto/upgrading/<h2 id="upgrading-with-helm">Upgrading with Helm</h2> <p>To upgrade to the latest version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo update </span></span><span class="line"><span class="cl">helm upgrade coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system </span></span></code></pre></div><p>To upgrade to a specific version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --version 0.3.0 </span></span></code></pre></div><p>Helm automatically applies any CRD changes included in the new chart version.</p> <h2 id="upgrading-on-openshift-olm">Upgrading on OpenShift (OLM)</h2> <p>If you installed the operator through OperatorHub with automatic approval, OLM handles upgrades automatically when new versions are published to the catalog.</p>