Over the past few years, Kubernetes (K8s) has emerged as the leading container orchestration platform for developers, offering the ability to seamlessly relocate and scale applications.
An enormous 92% of organizations now use Kubernetes in production environments, but this immense popularity has made Kubernetes a prime target for cyber attackers. Consequently, developers embrace modern security practices like ‘shift left’ to safeguard Kubernetes configurations, which is where Web Application Firewalls (WAFs) come into play. WAFs protect applications from threats, making them an essential part of Kubernetes infrastructure against cyber adversaries.
What is Kubernetes WAF?
A Kubernetes WAF is a security solution designed to protect applications and services running in Kubernetes environments. WAF operates at the application layer and protects web applications by filtering and monitoring HTTP traffic between a web application and the internet. Unlike traditional network firewalls, WAFs discern web traffic content, safeguarding against various attacks and vulnerabilities.
How to Choose a WAF Solution for Kubernetes
When selecting a WAF solution for Kubernetes, you should check for several key features:
Simple Integration: Should be able to easily integrate with Kubernetes environment.
Scalability: The ability to scale according to the application traffic.
Custom Rule Sets: Should be able to define custom rule sets according to the application's specific security requirements.
Real-time Monitoring: Real-time monitoring capabilities provide instant insights into web traffic, enabling quick response to security threats.
ML Capabilities: Machine learning (ML) capabilities enhance threat detection accuracy by identifying patterns and anomalies in web traffic.
7 Reasons Why You Need WAF With Kubernetes
Why are WAF and Kubernetes the perfect pairing? Here’s how.
1. Protect from Vulnerabilities
Although Kubernetes has built-in security features, the applications within clusters may still harbor vulnerabilities that attackers can exploit, leading to data breaches, service disruptions, or unauthorized access to Kubernetes secrets. The result is that attackers can compromise the integrity and availability of your applications.
You can use a WAF to inspect all incoming traffic to the cluster and filter out malicious patterns. For example, WAFs are very effective in blocking attacks like cross-site scripting (XSS), SQL injection, zero-day attacks, and denial-of-service (DoS) attacks.
Actionable Tips:
Set up custom rules to prevent known vulnerabilities and attack patterns. The code below shows AWS WAF's ACL rule to prevent SQL injections:
{
"Name": "SQLInjectionRule",
"Action": {
"Block": {}
},
"Priority": 1,
"Statement": {
"SqlInjectionMatchStatement": {
"FieldToMatch": {
"UriPath": {}
}
}
}
}Setup an automatic machine-leaning based WAF solution like open-appsec to block against both known and zero-day vulnerabilities.
2. Compliance and Data Security
Many organizations are subject to strict compliance requirements, such as PCI DSS and HIPAA. A WAF can enforce security policies and controls to automate compliance with data protection regulations and prevent data breaches.
Actionable Tips:
Use WAF to monitor outgoing traffic and apply rules to prevent the unauthorized transfer of sensitive data. The below example shows how to define a rule to monitor the response body of HTTP requests and look for the presence of the text credit_card_number using ModSecurity (which will be EOL soon):
SecRule RESPONSE_BODY "@contains credit_card_number" "id:1001, deny, status:403, msg:'Credit Card Data Leak'"Ensure WAF is configured to enforce SSL/TLS encryption for data in transit.
Enable WAF logging features to maintain records for audits
Use open-appsec DLP rules to scan specific patterns
3. Monitoring and Logging
Monitoring and logging are critical for maintaining the security and health of your Kubernetes cluster. A WAF can provide detailed logs and real-time incoming traffic monitoring, unveiling patterns indicating malicious intent. This proactive approach allows you to respond to emerging threats swiftly.
For example, you can use WAF logs to identify the IP addresses of attackers trying to exploit vulnerabilities in your applications. You can then block these IP addresses from accessing your applications.
Actionable Tips:
Enable logging.
Integrate with SIEMs.
Set up alerts.
4. Harnessing Machine Learning for Adaptive Security
Many modern WAF tools now incorporate machine learning (ML) capabilities to detect and block attacks. ML algorithms can be used to identify patterns in web traffic like DDoS attacks and prevent them before reaching your application.
Actionable Tips:
Select a WAF tool like open-appsec that supports machine learning capabilities.
Configure your WAF to perform anomaly detection.
Train the models with your specific traffic patterns to improve accuracy.
5. Managing Real-Time Communications
Managing real-time communications across multiple clusters can be a chaotic task. WAFs simplify this process by offering centralized points of control and security policy enforcement. For example, WAF can block all requests containing the word ‘bot’ in the user agent header, protecting your communication channels from bot attacks.
Actionable Tips:
Leverage WAFs to handle traffic routing for real-time services. The below example shows how to create traffic routing using Istio:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-realtime-service
spec:
hosts:
- my-realtime-service.example.com
http:
- route:
- destination:
host: my-realtime-service.cluster1.svc.cluster.local
weight: 90
- route:
- destination:
host: my-realtime-service.cluster2.svc.cluster.local
weight: 10
Implement global load balancing with a WAF to distribute real-time communication traffic.
Ensure that the WAF setup is scalable and redundant to handle traffic spikes.
6. API Security and Native Kubernetes Integration
Sometimes, you might want to manage security at the pod or service level for Kubernetes clusters, especially when working with APIs. Granular control is essential since APIs can be primary targets for attacks.
A WAF with native integration for Kubernetes can provide specialized protection for APIs, allowing for fine-grained security policies and protection at the pod or service level. For example, WAF can be configured to block all API requests that do not contain a valid authentication token, protecting APIs from unauthorized access.
Actionable Tips:
Select a WAF solution like open-appsec with native integration for Kubernetes.
Use Kubernetes Network Policies to define pod-level security policies:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-security-policy
spec:
podSelector:
matchLabels:
app: api-service
ingress:
- from:
- podSelector:
matchLabels:
app: trusted-serviceDefine service-level security policies to control access to APIs and services:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: api-service-security
spec:
host: api-service.cluster.local
trafficPolicy:
tls:
mode: STRICT7. Integration with CI/CD Pipelines
CI/CD pipelines have allowed developers to automate application deployments, facilitating faster and more reliable software delivery. But, simultaneously, you need to ensure those deployments do not contain any vulnerabilities. For this, you can integrate a WAF into the CI/CD pipeline. It acts as the last line of defense, ensuring new application releases undergo rigorous vulnerability checks before reaching production environments.
Actionable Tips:
Create a dedicated security testing stage in your CI/CD pipeline:
stages:
- build
- security-test
- deployIntegrate automated vulnerability scanning tools into the pipeline.
Implement automatic rollback procedures in the CI/CD pipeline
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
