I'm curious about how everyone is implementing Web Application Firewalls (WAF) in their Kubernetes clusters. Are you using an external edge server outside of the cluster, or are you handling it internally with setups like Ingress, a reverse proxy like Nginx, or even a sidecar approach?
5 Answers
We use Cloudflare with WAF enabled, and it goes through an edge WAF before reaching our Ingress. However, we’re considering ditching the edge WAF and just running Nginx directly in front of the Ingress with the Metadefender ICAP module.
I’ve set it up with CloudFront feeding into a WAF before hitting our Kubernetes ALB. It’s been working smoothly so far!
Calico does offer a sort of WAF for Kubernetes clusters, but keep in mind that it’s mainly available with their enterprise version, not the open source one.
Has anyone attempted using NLB with Cloudflare? I tried that setup in front of our Nginx Ingress Controller, but ran into some cert issues between Cloudflare and the NLB.
If you're on GCP, we utilize the Gateway API to deploy an L7 load balancer that routes directly to our pods, and the backend service policy allows integration with Cloud Armor.
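The GKE Gateway API setup described in that reply, written out as an added example (not the poster's own manifests): a global external L7 Gateway, an HTTPRoute to a backend Service, and a GCPBackendPolicy that attaches a Cloud Armor security policy to that Service. The namespace, Service name `store`, port 8080 and the Cloud Armor policy name `example-waf-policy` are assumptions; the Cloud Armor policy itself (preconfigured WAF rules) must already exist in the project.

```yaml
# Gateway: provisions a Google Cloud global external Application Load Balancer (L7).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external-http
  namespace: default
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: http
    protocol: HTTP
    port: 80
---
# HTTPRoute: sends traffic from the Gateway straight to the pods behind the Service.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: store-route
  namespace: default
spec:
  parentRefs:
  - name: external-http
  rules:
  - backendRefs:
    - name: store      # assumed Service name
      port: 8080       # assumed Service port
---
# GCPBackendPolicy: the backend service policy from the reply. securityPolicy names
# an existing Cloud Armor policy, so WAF evaluation happens at the load balancer
# before requests reach the cluster. Policy name is an assumed placeholder.
apiVersion: networking.gke.io/v1
kind: GCPBackendPolicy
metadata:
  name: store-backend-policy
  namespace: default
spec:
  default:
    securityPolicy: example-waf-policy
  targetRef:
    group: ""
    kind: Service
    name: store
```

Cloud Armor decisions show up in the load balancer's request logs (the `enforcedSecurityPolicy` fields), which is where to verify that the policy is actually attached and blocking.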
Do you know how much Metadefender costs?