https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/Recent content in How-to Guides on Coraza Kubernetes OperatorHugoen-ushttps://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/install-kubernetes-helm/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/install-kubernetes-helm/<p>This guide covers installing the Coraza Kubernetes Operator using Helm on a standard Kubernetes cluster.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Kubernetes cluster running <strong>v1.32 or later</strong></li> <li><a href="https://istio.io/latest/docs/setup/">Istio</a> installed with Gateway API CRDs</li> <li><a href="https://helm.sh/docs/intro/install/">Helm 3</a> installed</li> </ul> <h2 id="add-the-helm-repository">Add the Helm Repository</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> https://networking-incubator.github.io/coraza-kubernetes-operator/ </span></span><span class="line"><span class="cl">helm repo update </span></span></code></pre></div><h2 id="install-with-default-values">Install with Default Values</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade --install coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --create-namespace </span></span></code></pre></div><h2 id="customize-the-installation">Customize the Installation</h2> <p>Override default values by passing a values file or individual settings:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/install-openshift-operatorhub/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/install-openshift-operatorhub/<p>This guide covers installing the Coraza Kubernetes Operator on OpenShift Container Platform using the OperatorHub.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>OpenShift Container Platform <strong>v4.20 or later</strong></li> <li>Cluster administrator privileges</li> <li>OpenShift Service Mesh or Istio installed with Gateway API support</li> </ul> <h2 id="install-from-operatorhub-web-console">Install from OperatorHub (Web Console)</h2> <ol> <li>Log in to the OpenShift web console as a cluster administrator.</li> <li>Navigate to <strong>Operators &gt; OperatorHub</strong>.</li> <li>Search for <strong>Coraza Kubernetes Operator</strong>.</li> <li>Select the operator tile and click <strong>Install</strong>.</li> <li>Choose the update channel, installation mode, and approval strategy.</li> <li>Click <strong>Install</strong> and wait for the operator to reach the <strong>Succeeded</strong> phase.</li> </ol> <!-- TODO: Replace with the published CatalogSource details when available. --> <h2 id="install-from-operatorhub-cli">Install from OperatorHub (CLI)</h2> <p>If the operator is available in your cluster&rsquo;s default catalog, create a Subscription resource:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/creating-firewall-rules/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/creating-firewall-rules/<p>Firewall rules in the Coraza Kubernetes Operator are written using <a href="https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29">ModSecurity SecLang</a> syntax, stored in ConfigMaps, and aggregated by a RuleSet resource.</p> <h2 id="writing-rules-in-configmaps">Writing Rules in ConfigMaps</h2> <p>Each ConfigMap must contain a key named <code>rules</code> with SecLang directives as its value.</p> <p>A basic ConfigMap with Coraza engine configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">base-rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> SecRuleEngine On </span></span></span><span class="line"><span class="cl"><span class="sd"> SecRequestBodyAccess On </span></span></span><span class="line"><span class="cl"><span class="sd"> SecResponseBodyAccess Off </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditLog /dev/stdout </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditLogFormat JSON </span></span></span><span class="line"><span class="cl"><span class="sd"> SecAuditEngine RelevantOnly</span><span class="w"> </span></span></span></code></pre></div><p>A ConfigMap with a SQL injection detection rule:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/deploying-waf-engine/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/deploying-waf-engine/<p>An Engine resource references a RuleSet and attaches the Coraza WAF to one or more Gateways via an Istio WasmPlugin.</p> <h2 id="creating-an-engine">Creating an Engine</h2> <p>The minimum Engine configuration requires a RuleSet reference and a workload selector that matches your Gateway:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">waf.k8s.coraza.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-ruleset</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wasm</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workloadSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gateway.networking.k8s.io/gateway-name</span><span class="p">:</span><span class="w"> </span><span class="l">my-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSetCacheServer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pollIntervalSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">15</span><span class="w"> </span></span></span></code></pre></div><h2 id="selecting-a-gateway">Selecting a Gateway</h2> <p>The <code>workloadSelector</code> determines which Gateway pods the WAF attaches to. Kubernetes Gateway API implementations typically label Gateway pods with <code>gateway.networking.k8s.io/gateway-name</code>. Use the label that matches your Gateway:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/using-coreruleset/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/using-coreruleset/<p>The <a href="https://coreruleset.org/">OWASP CoreRuleSet (CRS)</a> is a widely used set of attack detection rules for ModSecurity-compatible WAFs. The <code>kubectl-coraza</code> plugin can generate Kubernetes ConfigMaps and RuleSet resources from CRS rule files.</p> <div class="alert alert-warning" role="alert"><div class="h4 alert-heading" role="heading">Important</div> <p>This project does not provide, maintain, or support CoreRuleSet rules. Users must supply their own rules. The tools described here are provided for convenience.</p> </div> <h2 id="install-the-kubectl-coraza-plugin">Install the kubectl-coraza Plugin</h2> <p>Build the plugin from the operator repository:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/networking-incubator/coraza-kubernetes-operator.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> coraza-kubernetes-operator </span></span><span class="line"><span class="cl">make build </span></span></code></pre></div><p>This produces <code>bin/kubectl-coraza</code>. Copy it to a directory on your <code>PATH</code>:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/using-data-files/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/using-data-files/<p>Some SecLang rules use the <code>@pmFromFile</code> directive to match against patterns stored in external data files. The Coraza Kubernetes Operator supports this through Secrets of type <code>coraza/data</code>.</p> <h2 id="when-to-use-data-files">When to Use Data Files</h2> <p>Use data files when your rules reference <code>@pmFromFile</code>. For example:</p> <pre tabindex="0"><code>SecRule ARGS &#34;@pmFromFile bad-patterns.data&#34; \ &#34;id:3001,phase:2,deny,status:403,msg:&#39;Blocked pattern detected&#39;&#34; </code></pre><p>This rule reads patterns from a file named <code>bad-patterns.data</code>. To make this file available to the operator, store it in a Secret.</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/configuring-failure-policies/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/configuring-failure-policies/<p>The Engine <code>failurePolicy</code> field determines how traffic is handled when the WAF is not ready or encounters an error during rule evaluation.</p> <h2 id="available-policies">Available Policies</h2> <table> <thead> <tr> <th>Policy</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><code>fail</code> (default)</td> <td>Block all traffic when the WAF is not ready or encounters an error. This prioritizes security.</td> </tr> <tr> <td><code>allow</code></td> <td>Allow traffic through when the WAF is not ready or encounters an error. This prioritizes availability.</td> </tr> </tbody> </table> <h2 id="setting-the-failure-policy">Setting the Failure Policy</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">waf.k8s.coraza.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-engine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">fail</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">my-ruleset</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wasm</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workloadSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gateway.networking.k8s.io/gateway-name</span><span class="p">:</span><span class="w"> </span><span class="l">my-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ruleSetCacheServer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pollIntervalSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">15</span><span class="w"> </span></span></span></code></pre></div><h2 id="when-to-use-each-policy">When to Use Each Policy</h2> <h3 id="use-fail-when">Use <code>fail</code> when:</h3> <ul> <li>Security is the highest priority.</li> <li>You prefer to block traffic rather than risk allowing unfiltered requests.</li> <li>The application behind the Gateway can tolerate brief outages during WAF startup or rule updates.</li> </ul> <h3 id="use-allow-when">Use <code>allow</code> when:</h3> <ul> <li>Availability is the highest priority.</li> <li>You prefer to serve traffic unfiltered rather than block it during WAF startup.</li> <li>The WAF provides defense-in-depth alongside other security controls.</li> </ul> <h2 id="changing-the-policy">Changing the Policy</h2> <p>You can change the failure policy on an existing Engine at any time:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/monitoring-prometheus/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/monitoring-prometheus/<p>The Coraza Kubernetes Operator exposes Prometheus metrics over HTTPS for monitoring the RuleSet cache server.</p> <h2 id="enabling-the-metrics-endpoint">Enabling the Metrics Endpoint</h2> <p>Metrics are enabled by default. The endpoint is served over HTTPS on port <strong>8443</strong> with TLS 1.3 and requires authentication via a Kubernetes ServiceAccount token.</p> <p>To disable metrics:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metrics</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></div><h2 id="enabling-the-servicemonitor">Enabling the ServiceMonitor</h2> <p>If you use the <a href="https://prometheus-operator.dev/">Prometheus Operator</a>, enable the ServiceMonitor to automatically discover the metrics endpoint:</p>https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/upgrading/Mon, 01 Jan 0001 00:00:00 +0000https://networking-incubator.github.io/coraza-kubernetes-operator/v0.4/howto/upgrading/<h2 id="upgrading-with-helm">Upgrading with Helm</h2> <p>To upgrade to the latest version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo update </span></span><span class="line"><span class="cl">helm upgrade coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system </span></span></code></pre></div><p>To upgrade to a specific version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm upgrade coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> coraza-kubernetes-operator/coraza-kubernetes-operator <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace coraza-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --version 0.3.0 </span></span></code></pre></div><p>Helm automatically applies any CRD changes included in the new chart version.</p> <h2 id="upgrading-on-openshift-olm">Upgrading on OpenShift (OLM)</h2> <p>If you installed the operator through OperatorHub with automatic approval, OLM handles upgrades automatically when new versions are published to the catalog.</p>