networking-incubator/coraza-kubernetes-operator

Coraza Kubernetes Operator

Web Application Firewall (WAF) support for Kubernetes Gateways.

About

The Coraza Kubernetes Operator (CKO) enables declarative management of Web Application Firewalls (WAF) on Kubernetes clusters. Users can deploy firewall engines which are attached to Gateways, and rules which those engines enforce.

Coraza is used as the firewall engine.

Key Features

  • Engine API - declaratively manage WAF instances
  • RuleSet API - declaratively manage firewall rules
  • ModSecurity Seclang compatibility

Supported Platforms

The operator is designed to run on:

  • Kubernetes: v1.32+
  • OpenShift Container Platform (OCP): v4.20+

Supported Integrations

The operator integrates with other tools to attach WAF instances to their gateways/proxies:

  • istio - Istio integration ✅ Currently Supported (ingress Gateway only)
  • wasm - WebAssembly deployment ✅ Currently Supported

Note: Only Istio+WASM is supported currently.

Architecture

RuleSet resources aggregate rules (for example, a list of ConfigMap resources containing Seclang rules), which are then compiled and emitted to the RuleSet cache server.

Note: Currently, only Seclang rules are supported.

The RuleSet cache contains the compiled and validated set of rules, which is pulled by Engines.

Engine resources pick a RuleSet to enforce, and attach the Coraza WAF to a Gateway, which will then enforce the configured RuleSet.

Warning: Hosting or providing any packaged rules is an explicit non-goal of this project. Users must supply their own rules.

The cache is keyed by the namespace/name of the RuleSet, so an Engine polls the cache server for the compiled rules of exactly the RuleSet it targets.

Note: All RuleSets and rules are restricted to same-namespace currently.

The engine controller responds to Engine resources by deploying the Coraza engine according to the type and mode provided, and attaching it to a Gateway.

For example, if the type is istio and the mode is wasm, the controller attaches Coraza to an Istio Gateway by loading it as a WASM module.

Engine resources target a RuleSet to indicate the firewall rules that will be applied to all Gateway traffic. Poll intervals for RuleSets can be set to enable automatic and live rule updates on running Engines.

(Figure: CKO architecture diagram)
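The following manifests are an added example of the ConfigMap -> RuleSet -> Engine chain described above; they are not taken from the project's documentation. The ConfigMap and the Seclang directives inside it are standard Kubernetes and ModSecurity/Coraza syntax. Everything else is an assumption made for illustration: the apiVersion placeholders, and the spec field names (configMaps, gatewayRef, ruleSetRef, pollInterval) are invented stand-ins for whatever the installed CRDs actually define, so check them with kubectl explain before applying.

```yaml
# Added example, not the operator's own sample. apiVersion values and all
# spec field names on the RuleSet and Engine are ASSUMED; verify against the
# installed CRDs (kubectl explain ruleset.spec / kubectl explain engine.spec).
apiVersion: v1
kind: ConfigMap
metadata:
  name: waf-rules-basic
  namespace: gateway-system   # must be the RuleSet's namespace: only same-namespace references are supported
data:
  basic.conf: |
    # Without this the rules are evaluated but never enforced.
    SecRuleEngine On
    # Inspect request bodies, but bound their size so the proxy cannot be starved.
    SecRequestBodyAccess On
    SecRequestBodyLimit 1048576
    SecRequestBodyLimitAction Reject
    # Constructed illustrative rule: deny traversal sequences in any argument.
    SecRule ARGS "@rx (?i)\.\./" \
        "id:100001,phase:2,deny,status:403,log,msg:'Path traversal attempt in request argument'"
    # Constructed illustrative rule: only allow the methods this gateway expects.
    SecRule REQUEST_METHOD "!@rx ^(GET|HEAD|POST)$" \
        "id:100002,phase:1,deny,status:405,log,msg:'Disallowed HTTP method'"
---
apiVersion: EXAMPLE_API_GROUP/EXAMPLE_VERSION   # assumption: take group/version from the installed CRD
kind: RuleSet
metadata:
  name: basic
  namespace: gateway-system
spec:
  configMaps:                 # assumed field name; the README only says "list of ConfigMap resources"
    - name: waf-rules-basic
---
apiVersion: EXAMPLE_API_GROUP/EXAMPLE_VERSION   # assumption: take group/version from the installed CRD
kind: Engine
metadata:
  name: ingress-waf
  namespace: gateway-system
spec:
  type: istio                 # README: type "istio" attaches to an Istio (ingress) Gateway ...
  mode: wasm                  # ... and mode "wasm" loads Coraza into it as a WASM module
  gatewayRef:                 # assumed field name for the target Gateway
    name: ingress-gateway
  ruleSetRef:                 # assumed field name; cache key is namespace/name of this RuleSet
    name: basic
  pollInterval: 30s           # assumed field name; README: poll intervals give live rule updates
```

Apply the ConfigMap before the RuleSet so there is something to compile, and keep rule ids unique across every ConfigMap a RuleSet aggregates: Coraza's Seclang parser rejects a duplicate id, and a RuleSet that fails compilation never reaches the cache the Engine polls. Because the project ships no packaged rules, the two SecRule lines above are placeholders for a rule set you maintain yourself.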

Documentation

Documentation is available at the project documentation site.

Development

See DEVELOPMENT.md for build instructions, test suites, and the source-of-truth / generation pipeline reference.

Contributing

Contributions are welcome!

Please see the CONTRIBUTING.md guide before you get started.

License

Apache License 2.0 - see LICENSE.
