Check Point CloudGuard AppSec delivers access control and advanced threat prevention, including web and API protection, for mission-critical assets. Check Point CloudGuard AppSec delivers advanced, multi-layered threat prevention to protect customer assets in Kubernetes clusters from web attacks and sophisticated threats, based on Contextual AI.
Helm charts provide the ability to deploy a collection of Kubernetes services and containers with a single command. This Helm chart deploys an ingress controller integrated with the Check Point container images that include the Check Point CloudGuard AppSec nano agent. If you want to integrate the Check Point CloudGuard AppSec nano agent with an ingress controller other than nginx, follow the instructions in the AppSec installation guide. Another option is to download the Helm chart and modify the parameters to match your Kubernetes/application environment.
NOTE: The following diagram shows a sample architecture with the application (optionally) exposed externally, using an Ingress and TLS configuration. The steps to enable the Ingress resource are in the sections below.
The following table lists the configurable parameters of this chart and their default values.
Parameter | Description | Default |
---|---|---|
`nanoToken` | Check Point AppSec nanoToken from the CloudGuard Portal (required) | `034f3d-96093mf-3k43li...` |
`appURL` | URL of the application (must resolve to the cluster IP address after deployment, required) | `myapp.mycompany.com` |
`mysvcname` | K8s service name of your application (required) | `myapp` |
`mysvcport` | K8s listening port of your service (required) | `8080` |
`image.nginxCtlCpRepo` | Dockerhub location of the nginx image integrated with Check Point AppSec | `checkpoint/infinity-next-nginx` |
`image.cpRepo` | Dockerhub location of the Check Point nano agent image | `checkpoint/infinity-next-nano-agent` |
`TLS_CERTIFICATE_CRT` | Default TLS certificate | Certificate string |
`TLS_CERTIFICATE_KEY` | Default TLS certificate key | Certificate key string |
Get up and running with a few clicks! Install this Check Point AppSec Kubernetes app to a Google Kubernetes Engine cluster using Google Cloud Marketplace. Follow the on-screen instructions.
You can use Google Cloud Shell or a local workstation to follow the steps below.
Configure your application in the Check Point CloudGuard AppSec Portal
Define your application in the “CloudGuard AppSec” application of the Check Point CloudGuard AppSec Portal according to the CloudGuard AppSec Deployment Guide section on AppSec Management (see the CP CloudGuard AppSec Admin Guide).
Once the application has been configured in the CloudGuard AppSec Portal, retrieve the value for the nanoToken to be used in a later step.
You'll need the following tools in your development environment. If you are using Cloud Shell, `gcloud`, `kubectl`, Docker, and Git are installed in your environment by default.
Configure `gcloud` as a Docker credential helper:
```shell
gcloud auth configure-docker
```
Create a new cluster from the command line:
```shell
export CLUSTER=cpappsec-cluster
export ZONE=us-west1-a
gcloud container clusters create "$CLUSTER" --zone "$ZONE"
```
Configure `kubectl` to connect to the new cluster:
```shell
gcloud container clusters get-credentials "$CLUSTER" --zone "$ZONE"
```
Clone this repo and the associated tools repo:
```shell
git clone --recursive https://github.com/GoogleCloudPlatform/click-to-deploy.git
```
An Application resource is a collection of individual Kubernetes components, such as Services, Deployments, and so on, that you can manage as a group.
To set up your cluster to understand Application resources, run the following command:
```shell
kubectl apply -f "https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/master/crd/app-crd.yaml"
```
You only need to run this command once per cluster.
The Application resource is defined by the Kubernetes SIG-apps community. The source code can be found on github.com/kubernetes-sigs/application.
Navigate to the `cpappsec` directory:
```shell
cd click-to-deploy/k8s/cpappsec
```
Choose the instance name and namespace for the app:
```shell
export APP_INSTANCE_NAME=cpappsec-1
export NAMESPACE=mynamespace
```
Set up the image tag. We advise using the stable image reference, which you can find on Marketplace Container Registry. Example:
```shell
export TAG="0.1.2"
```
Alternatively, you can use a short tag, which points to the latest image for the selected version. Warning: this tag is not stable, and the referenced image might change over time.
```shell
export TAG="0.1"
```
Configure the container images:
```shell
export IMAGE_CPAPPSEC="marketplace.gcr.io/google/cpappsec"
```
Note: You can skip this step to use the default certificate.
- If you already have a certificate that you want to use, copy your certificate and key pair to the `/tmp/tls.crt` and `/tmp/tls.key` files, then skip to the next step. To create a new self-signed certificate, run the following command:
```shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /tmp/tls.key \
  -out /tmp/tls.crt \
  -subj "/CN=cpappsec/O=cpappsec"
```
- Set the `TLS_CERTIFICATE_KEY` and `TLS_CERTIFICATE_CRT` variables. GNU `base64` wraps its output at 76 columns by default, so the newlines are stripped to keep each value on a single line:
```shell
export TLS_CERTIFICATE_KEY="$(base64 < /tmp/tls.key | tr -d '\n')"
export TLS_CERTIFICATE_CRT="$(base64 < /tmp/tls.crt | tr -d '\n')"
```
If you use a namespace other than `default`, or the namespace does not exist yet, run the command below to create a new namespace:
```shell
kubectl create namespace "$NAMESPACE"
```
Use `helm template` to expand the template. We recommend that you save the expanded manifest file for future updates to the application. Note that the expanded manifest contains the nanoToken and the base64-encoded TLS private key in clear text, so store the file with the same care as the secrets themselves.
```shell
helm template chart/cpappsec \
  --name "$APP_INSTANCE_NAME" \
  --namespace "$NAMESPACE" \
  --set cpappsec.image.repo="$IMAGE_CPAPPSEC" \
  --set cpappsec.image.tag="$TAG" \
  --set cpappsec.nanoToken="Your nanoToken" \
  --set cpappsec.appURL="Your Application URL" \
  --set cpappsec.mysvcname="Your Service Name" \
  --set cpappsec.mysvcport="Your Service Port" \
  --set tls.base64EncodedPrivateKey="$TLS_CERTIFICATE_KEY" \
  --set tls.base64EncodedCertificate="$TLS_CERTIFICATE_CRT" \
  > "${APP_INSTANCE_NAME}_manifest.yaml"
```
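As an added example that is not part of this repository or the chart, the following POSIX shell functions sanity-check the values before they go into the `helm template` command above: `b64_oneline` encodes a TLS file as single-line base64 (GNU `base64` wraps at 76 columns, and a wrapped value passed through `--set` carries embedded newlines into the rendered Secret), and `validate_cpappsec_params` rejects an empty nanoToken, an `appURL` that carries a scheme or path (it must be the bare hostname the ingress matches), a service name that is not a valid DNS-1035 label, a port outside 1-65535, and TLS values that are not single-line base64. The function names and the variable names in the usage comment are hypothetical; the rules mirror the parameter table in this README.

```shell
#!/bin/sh
# Added example, not part of the click-to-deploy repository or the chart.
# Pre-flight checks for the values passed to 'helm template'.
# Assumptions (not from the page): function names are hypothetical; the
# rules mirror the parameter table in this README and Kubernetes naming.

# Encode a file as a single base64 line. GNU coreutils 'base64' wraps its
# output at 76 columns; a wrapped value passed via --set would carry embedded
# newlines into the rendered Secret.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Return 0 if the chart parameters look usable, 1 with a reason on stderr.
validate_cpappsec_params() {
    token=$1 app_url=$2 svc_name=$3 svc_port=$4 tls_key_b64=$5 tls_crt_b64=$6

    [ -n "$token" ] || { echo "nanoToken is required" >&2; return 1; }

    # appURL is matched against the request Host header; a scheme or path
    # would never match, so only a bare hostname is accepted.
    case "$app_url" in
        ""|*://*|*/*|*[!A-Za-z0-9.-]*)
            echo "appURL must be a bare hostname, got '$app_url'" >&2; return 1 ;;
    esac

    # Service names are DNS-1035 labels: lowercase alphanumerics and '-',
    # starting with a letter, not ending with '-', at most 63 characters.
    case "$svc_name" in
        ""|*[!a-z0-9-]*|[!a-z]*|*-)
            echo "mysvcname '$svc_name' is not a valid DNS-1035 label" >&2; return 1 ;;
    esac
    [ ${#svc_name} -le 63 ] || { echo "mysvcname is longer than 63 characters" >&2; return 1; }

    case "$svc_port" in
        ""|*[!0-9]*) echo "mysvcport must be numeric, got '$svc_port'" >&2; return 1 ;;
    esac
    if [ "$svc_port" -lt 1 ] || [ "$svc_port" -gt 65535 ]; then
        echo "mysvcport $svc_port is outside 1-65535" >&2; return 1
    fi

    # TLS material must be non-empty, single-line base64 (no wrap newlines).
    for v in "$tls_key_b64" "$tls_crt_b64"; do
        case "$v" in
            ""|*[!A-Za-z0-9+/=]*)
                echo "TLS key/certificate must be single-line base64" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage (hypothetical variable names), run before 'helm template':
# TLS_CERTIFICATE_KEY=$(b64_oneline /tmp/tls.key)
# TLS_CERTIFICATE_CRT=$(b64_oneline /tmp/tls.crt)
# validate_cpappsec_params "$NANO_TOKEN" "$APP_URL" "$SVC_NAME" "$SVC_PORT" \
#     "$TLS_CERTIFICATE_KEY" "$TLS_CERTIFICATE_CRT" || exit 1
```

Running the check first means a malformed value fails loudly in your shell instead of surfacing later as a Secret that does not decode or an ingress host rule that never matches.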
Use `kubectl` to apply the manifest to your Kubernetes cluster:
```shell
kubectl apply -f "${APP_INSTANCE_NAME}_manifest.yaml" --namespace "${NAMESPACE}"
```
To get the GCP Console URL for your app, run the following command:
```shell
echo "https://console.cloud.google.com/kubernetes/application/${ZONE}/${CLUSTER}/${NAMESPACE}/${APP_INSTANCE_NAME}"
```
To view the app, open the URL in your browser.
Get the external IP of your application site using the following command:
```shell
SERVICE_IP=$(kubectl get ingress $APP_INSTANCE_NAME-cp-ingress-ctl-svc \
  --namespace $NAMESPACE \
  --output jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "https://${SERVICE_IP}/"
```
The command shows you the URL of your site.
- In the GCP Console, open Kubernetes Applications.
- From the list of applications, click cpappsec.
- On the Application Details page, click Delete.
Set your installation name and Kubernetes namespace:
```shell
export APP_INSTANCE_NAME=cpappsec-1
export NAMESPACE=mynamespace
```
NOTE: We recommend using a `kubectl` version that is the same as the version of your cluster. Using the same versions of `kubectl` and the cluster helps avoid unforeseen issues.
To delete the resources, use the expanded manifest file used for the installation.
Run `kubectl` on the expanded manifest file:
```shell
kubectl delete -f ${APP_INSTANCE_NAME}_manifest.yaml --namespace $NAMESPACE
```
If you don't have the expanded manifest, delete the resources using types and a label:
```shell
kubectl delete application,secret,service \
  --namespace $NAMESPACE \
  --selector app.kubernetes.io/name=$APP_INSTANCE_NAME
```