Web Application Firewall (WAF) support for Kubernetes Gateways.
The Coraza Kubernetes Operator (CKO) enables declarative management of Web
Application Firewalls (WAF) on Kubernetes clusters. Users can deploy
firewall engines which are attached to Gateways, and rules which those
engines enforce.
Coraza is used as the firewall engine.
- Engine API: declaratively manage WAF instances
- RuleSet API: declaratively manage firewall rules
- ModSecurity Seclang compatibility
The operator is designed to run on:
- Kubernetes: v1.33+
- OpenShift Container Platform (OCP): v4.20+
The operator integrates with other tools to attach WAF instances to their gateways/proxies:
- istio: Istio integration ✅ Currently supported (ingress Gateway only)
- wasm: WebAssembly deployment ✅ Currently supported
Note: Only Istio+WASM is supported currently.
RuleSet resources aggregate rules (for example, a list of ConfigMap resources
containing Seclang rules), which are then emitted to the RuleSet cache
server.
Note: Currently, only Seclang rules are supported.
The RuleSet cache contains the compiled and validated set of rules, which
is pulled by Engines.
Engine resources pick a RuleSet to enforce, and attach the Coraza WAF
to a Gateway, which will then enforce the configured RuleSet.
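The RuleSet pipeline above (gather Seclang text from several ConfigMaps, validate it, publish the result for Engines) as an added example in Go; this is not code from the Coraza Kubernetes Operator, and the operator's own CRD fields and cache protocol are not shown. The `Source` type standing in for a ConfigMap key, the ConfigMap names, the rule text and the error messages are all constructed for the example. It implements a stand-alone pre-flight check over the aggregated text: it joins backslash-continued lines, skips comments and engine settings, splits directives with Seclang quoting, and rejects rules without an id and ids reused across ConfigMaps (follow-up rules of a `chain` are allowed to omit the id), the classes of error a Seclang compiler such as Coraza reports when it loads the set.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Source stands in for one ConfigMap key that a RuleSet would aggregate (constructed).
type Source struct{ Name, Text string }

// splitArgs splits one directive into arguments, honouring double quotes;
// backslashes are kept as-is so operators such as "@rx \s+" survive.
func splitArgs(line string) ([]string, error) {
	var args []string
	cur, inQuote, inArg := "", false, false
	for i := 0; i < len(line); i++ {
		switch c := line[i]; {
		case c == '"':
			inQuote, inArg = !inQuote, true
		case (c == ' ' || c == '\t') && !inQuote:
			if inArg {
				args, cur, inArg = append(args, cur), "", false
			}
		default:
			cur, inArg = cur+string(c), true
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated quote")
	}
	if inArg {
		args = append(args, cur)
	}
	return args, nil
}

// action returns the value of the named action in a Seclang action list
// (comma splitting is enough for id and chain; this is not a full action parser).
func action(actions, name string) (string, bool) {
	for _, a := range strings.Split(actions, ",") {
		if a = strings.TrimSpace(a); a == name || strings.HasPrefix(a, name+":") {
			return strings.Trim(strings.TrimPrefix(a, name+":"), "'"), true
		}
	}
	return "", false
}

// ValidateSeclang walks the sources in the order a RuleSet would list them and returns
// the rule ids found, rejecting malformed directives, rules without an id and reused ids.
func ValidateSeclang(sources []Source) ([]int, error) {
	var ids []int
	seen, chained := map[int]string{}, false // chained: previous rule carried "chain"
	for _, src := range sources {
		text := strings.ReplaceAll(src.Text, "\\\n", " ") // trailing backslash continues the directive
		for n, line := range strings.Split(text, "\n") {
			if t := strings.TrimSpace(line); t == "" || strings.HasPrefix(t, "#") {
				continue
			}
			args, err := splitArgs(line)
			if err != nil {
				return nil, fmt.Errorf("%s directive %d: %v", src.Name, n+1, err)
			}
			var actions string
			switch {
			case args[0] == "SecRule" && (len(args) == 3 || len(args) == 4):
				actions = strings.Join(args[3:], "") // SecRule VARIABLES "OPERATOR" ["ACTIONS"]
			case args[0] == "SecAction" && len(args) == 2:
				actions = args[1] // SecAction "ACTIONS"
			case args[0] == "SecRule" || args[0] == "SecAction":
				return nil, fmt.Errorf("%s directive %d: wrong argument count for %s", src.Name, n+1, args[0])
			default:
				continue // engine settings such as SecRuleEngine carry no id
			}
			idStr, hasID := action(actions, "id")
			id, err := strconv.Atoi(idStr)
			switch {
			case !hasID && chained: // follow-up rule of a chain; the id sits on the opening rule
			case !hasID || err != nil:
				return nil, fmt.Errorf("%s directive %d: missing or non-numeric id", src.Name, n+1)
			case seen[id] != "":
				return nil, fmt.Errorf("%s directive %d: id %d already defined in %s", src.Name, n+1, id, seen[id])
			default:
				seen[id], ids = src.Name, append(ids, id)
			}
			_, chained = action(actions, "chain")
		}
	}
	return ids, nil
}

// SampleSources is a constructed pair of ConfigMap payloads, not a published rule set;
// the second reuses id 1001, which must be caught before the RuleSet is emitted to the cache.
var SampleSources = []Source{
	{"configmap/base-rules", `SecRuleEngine On
SecRule REQUEST_URI "@contains /admin" \
    "id:1001,phase:1,deny,status:403,msg:'admin path blocked'"
SecRule ARGS "@rx (?i)union\s+select" "id:1002,phase:2,deny,log"`},
	{"configmap/team-rules", `SecAction "id:1001,phase:1,pass,nolog"`},
}
```

Running `ValidateSeclang(SampleSources)` rejects the second ConfigMap with an error naming both the reused id and the ConfigMap that already defined it, which is the information a RuleSet status condition would need to carry; ordering of the sources matters, since the first definition wins and the later one is reported. Because no rules are bundled with the project, a check like this is only as good as the rules a user supplies, and it deliberately covers only structure (quoting, ids, chains), not whether the rules themselves are correct.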
Warning: Hosting or providing any packaged rules is an explicit non-goal of this project. Users must supply their own rules.
Documentation is available in the wiki.
See DEVELOPMENT.md for build instructions, test suites, and the source-of-truth / generation pipeline reference.
Contributions are welcome!
Please see the CONTRIBUTING.md guide before you get started.
Apache License 2.0 - see LICENSE.