Using Azure WAF to protect AKS Websites

After the first article on how to deploy AKS we will check how to use an Application Gateway as an Ingress controller and a WAF. Why? To protect your websites 😊

To start, be sure to deploy your AKS cluster.

Now, you can deploy your Application Gateway, in Azure, with WAFv2 SKU:

Create a public IP for this WAF:

Create an empty backend pool (it will not be used, because of the integration as Ingress):

Create a routing rule1, with HTTP protocol (it will not be used, because of the integration as Ingress):

And the backend target (it will not be used, because of the integration as Ingress):

You will have this:

When the App Gateway has been deployed, go to your Azure AD, and get the name of your Service Principal:

Get the application ID, and create a new secret:

Give to this Azure AD Service Principal, the Contributor right on the AKS Resource Group:

Now, connect to your AKS Cluster:

az login

az account set --subscription subscriptionId

az aks get-credentials --name Starwind-WE --resource-group Starwind-WE

az login

az account set --subscription subscriptionId

az aks get-credentials --name Starwind-WE --resource-group Starwind-WE

Execute the following command, to apply the deployment template rbac:

kubectl apply -f <a href="https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml">https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml</a>

1	kubectl apply -f <a href="https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml">https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml</a>

Convert your Azure AD Service principal secret to base 64:

echo "SecretofSP" | base64

1	echo "SecretofSP" \| base64

Now, create 2 files, with the following content:

01-aadpodidentity-sp.yaml

apiVersion: v1

kind: Secret

metadata:

  name: aad1-sp

type: Opaque

data:

  ClientSecret: TheBase64ChainofTheServicePrincipal

---

apiVersion: "aadpodidentity.k8s.io/v1"

kind: AzureIdentity

metadata:

  name: aad1

spec:

  type: 1

  TenantID: YourTenantID

  ClientID: TheApplicationIDofTheServicePrincipal

  ClientPassword: {"Name":"aad1-sp","Namespace":"default"}

apiVersion: v1

kind: Secret

metadata:

type: Opaque

data:

ClientSecret: TheBase64ChainofTheServicePrincipal

---

apiVersion: "aadpodidentity.k8s.io/v1"

kind: AzureIdentity

metadata:

spec:

type: 1

TenantID: YourTenantID

ClientID: TheApplicationIDofTheServicePrincipal

ClientPassword: {"Name":"aad1-sp","Namespace":"default"}

02-aadpodidentitybinding.yaml

apiVersion: "aadpodidentity.k8s.io/v1"

kind: AzureIdentityBinding

metadata:

  name: azure-id-binding

spec: 

  AzureIdentity: "aad1"

  Selector: "floapp"

apiVersion: "aadpodidentity.k8s.io/v1"

kind: AzureIdentityBinding

metadata:

spec:

AzureIdentity: "aad1"

Selector: "floapp"

And apply them:

kubectl apply -f 01-aadpodidentity-sp.yaml

kubectl apply -f 02-aadpodidentitybinding.yaml

kubectl get pods -A

kubectl apply -f 01-aadpodidentity-sp.yaml

kubectl apply -f 02-aadpodidentitybinding.yaml

kubectl get pods -A

Pods are now running:

Now, we will convert the following connection string, to base64:

{

"clientId": "The Service Principal ID",

"clientSecret": "Client Secret of the Service Principal (not encoded in base64)",

"subscriptionId": "SubscriptionID Where the AKS Cluster is hosted",

"tenantId": " YourTenantID ",

"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",

"resourceManagerEndpointUrl": "https://management.azure.com/",

"activeDirectoryGraphResourceId": "https://graph.windows.net/",

"sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",

"galleryEndpointUrl": "https://gallery.azure.com/",

"managementEndpointUrl": "https://management.core.windows.net/"

}

{

"clientId": "The Service Principal ID",

"clientSecret": "Client Secret of the Service Principal (not encoded in base64)",

"subscriptionId": "SubscriptionID Where the AKS Cluster is hosted",

"tenantId": " YourTenantID ",

"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",

"resourceManagerEndpointUrl": "https://management.azure.com/",

"activeDirectoryGraphResourceId": "https://graph.windows.net/",

"sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",

"galleryEndpointUrl": "https://gallery.azure.com/",

"managementEndpointUrl": "https://management.core.windows.net/"

}

Copy this code with your values and go to https://www.base64encode.org/. Paste it and click to Encode. And get the result:

Create a new file, 04-helm-config.yaml, and paste the code, by replacing values, with your own:

verbosityLevel: 3

appgw:

    subscriptionId: YourSubscriptionID

    resourceGroup: AKS

    name: FLOAPP-WAF01

    usePrivateIP: false

    shared: false

armAuth:

   type: servicePrincipal

   secretJSON: The Base64 encoded connection string create before

rbac:

    enabled: true

verbosityLevel: 3

appgw:

subscriptionId: YourSubscriptionID

resourceGroup: AKS

usePrivateIP: false

shared: false

armAuth:

type: servicePrincipal

secretJSON: The Base64 encoded connection string create before

rbac:

enabled: true

It’s time to apply this configuration, with helm:

helm repo add application-gateway-kubernetes-ingress <a href="https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/">https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/</a>

helm repo update

helm install -f 04-helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --generate-name

helm repo add application-gateway-kubernetes-ingress <a href="https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/">https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/</a>

helm repo update

helm install -f 04-helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --generate-name

The ingress pod has been deployed:

We will deploy a test application:

apiVersion: apps/v1

kind: Deployment

metadata:

  name: nginx-deployment

spec:

  selector:

    matchLabels:

      app: nginx

  replicas: 1

  template:

    metadata:

      labels:

        app: nginx

    spec:

      containers:

      - name: nginx

        image: nginx:1.16.1

        ports:

        - containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

  name: nginx

spec:

  ports:

    - name: nginx

      port: 80

      protocol: TCP

      targetPort: 80

  type: ClusterIP

  selector:

    app: nginx

---

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  name: nginx

  labels:

    app: nginx

  annotations:

    kubernetes.io/ingress.class: azure/application-gateway

spec:

  rules:

  - host: starwind.falaconsulting.be

    http:

      paths:

      - backend:

          serviceName: nginx

          servicePort: 80

apiVersion: apps/v1

kind: Deployment

metadata:

spec:

selector:

matchLabels:

app: nginx

replicas: 1

template:

metadata:

labels:

app: nginx

spec:

containers:

- name: nginx

image: nginx:1.16.1

ports:

- containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

spec:

ports:

- name: nginx

port: 80

protocol: TCP

targetPort: 80

type: ClusterIP

selector:

app: nginx

---

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

labels:

app: nginx

annotations:

kubernetes.io/ingress.class: azure/application-gateway

spec:

rules:

- host: starwind.falaconsulting.be

http:

paths:

- backend:

serviceName: nginx

servicePort: 80

I created a DNS entry, starwind, that points to the public IP of my Application gateway. After few seconds, the deployment is finished on the Application Gateway: