Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.
- Kubernetes native integration with sidecar injection and Gateway API support
- Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
- Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
- Content security filters for protecting against known attacks (OWASP Top 10)
- Access control using OpenID Connect to allow only authenticated users to access the protected services
- API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation
For a list of all features, view the comparison of the community and premium edition.
We offer a growing number of Airlock Microgateway labs that are designed to be easy-to-follow tutorials. All labs are fully guided and cover aspects of Airlock Microgateway from installation to configuration in a preconfigured cloud-based Kubernetes environment.
Learn the basics and expand existing knowledge without any administration effort in a secure environment.
Check the official documentation at docs.airlock.com or the product website at airlock.com/microgateway. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
The instructions below provide a quick start guide. Detailed information are provided in the manual.
- Airlock Microgateway License
- cert-manager
- helm (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
- Either request a community or premium license
- Community license: airlock.com/microgateway-community
- Premium license: airlock.com/microgateway-premium
- Check your inbox and save the license file microgateway-license.txt locally.
See Community vs. Premium editions in detail to choose the right license type.
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
Note: Installing Airlock Microgateway CNI is required for data plane mode sidecar.
See documentation for more information about data plane modes.
-
Install the CNI Plugin with Helm.
Note: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the chart folder.
# Standard setup helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
# GKE setup helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
# OpenShift setup helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
Important: On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation
k8s.v1.cni.cncf.io/networks
(see documentation for details). -
(Recommended) You can verify the correctness of the installation with
helm test
.# Standard and GKE setup helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' helm test airlock-microgateway-cni -n kube-system --logs helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
# OpenShift setup helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' helm test airlock-microgateway-cni -n openshift-operators --logs helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2'
Consult our documentation in case of any installation error.
This guide assumes a microgateway-license.txt file is present in the working directory.
-
Install CRDs and Operator.
# Create namespace kubectl create namespace airlock-microgateway-system # Install License kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.2' --wait
-
(Recommended) You can verify the correctness of the installation with
helm test
.helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2' helm test airlock-microgateway -n airlock-microgateway-system --logs helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2'
The helm install/upgrade
command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.2 --server-side --force-conflicts
Note: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
If you have a paid license, please follow the premium support process.
For the community edition, check our Airlock community forum for FAQs or register to post your question.
View the detailed license terms for the software contained in this image.
- Decompiling or reverse engineering is not permitted.
- Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock® is a security innovation by ergon