Overview

The Datadog AppSec Gateway API Request Mirror enhances application security by leveraging the RequestMirror functionality in Kubernetes Gateway APIs to duplicate traffic to a Datadog App &API Protection endpoint. This enables real-time detection and analysis of potential application-level attacks, API endpoint discovery, and more, all without impacting the primary request flow.

Prerequisites

• A Kubernetes cluster with Gateway API CRDs installed.
• A controller compatible with the Gateway API RequestMirror filter.
• Go 1.23+ installed on your local machine.

Enabling threat detection

Installation

1. Deploy the Datadog Agent in your Kubernetes cluster following the Kubernetes installation guide.

2. Configure the Datadog Agent to support incoming AppSec payloads using APM as transport.

3. Deploy the AppSec Gateway API Request Mirror in the namespace of your choice (e.g., datadog) along with its service:

   kubectl apply -f https://raw.githubusercontent.com/DataDog/dd-trace-go/main/contrib/k8s.io/gateway-api/cmd/request-mirror/deployment.yaml
   

4. Verify the deployment:

   kubectl get pods -l app=request-mirror
   

5. Patch your Gateway resources to allow access to the namespace with the deployment:

   go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-gateways@latest
   

   Use the -help flag to see options for customizing the patching behavior.

6. Patch your HTTPRoute resources to redirect traffic to the service:

   go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-httproutes@latest
   

   This command adds a RequestMirror filter to all HTTPRoute resources in all namespaces. Use the -help flag for configuration options.

   Note: Regularly running this command ensures any newly created HTTPRoute resources automatically include the RequestMirror filter. Consider adding the resulting patch to your CI/CD pipeline where HTTPRoute resources are modified.

   After this configuration is complete, the library collects security data from your application and sends it to the Agent. The Agent sends the data to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so you can take steps to remediate.

7. To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:

   for ((i=1;i<=250;i++)); 
   do
   # Target existing service's routes
   curl https://your-application-url/existing-route -A dd-test-scanner-log;
   # Target non existing service's routes
   curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
   done

   Note: The dd-test-scanner-log value is supported in the most recent releases.

   A few minutes after you enable your application and send known attack patterns to it, threat information appears in the Application Signals Explorer and vulnerability information appears in the Vulnerabilities explorer.

Configuration

Environment Variables

The Gateway API Request Mirror deployment can be configured using the following environment variables:

Configure the Datadog Agent to receive traces from the integration using the following environment variables:

Deployment Example

The default deployment creates a service that listens on port 8080 for mirrored requests and exposes a health check endpoint on port 8081:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: request-mirror
  labels:
    app.kubernetes.io/component: request-mirror
    app.kubernetes.io/name: datadog
spec:
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: request-mirror
  template:
    metadata:
      labels:
        app: request-mirror
    spec:
      containers:
        - name: request-mirror
          image: ghcr.io/datadog/dd-trace-go/request-mirror:latest
          ports:
            - containerPort: 8080
              name: http
          livenessProbe:
            httpGet:
              path: /
              port: 8081
          readinessProbe:
            httpGet:
              path: /
              port: 8081
          env:
            - name: DD_AGENT_HOST
              value: "datadog-agent"  # Adjust to your Agent service name
---
apiVersion: v1
kind: Service
metadata:
  name: request-mirror
spec:
  selector:
    app: request-mirror
  ports:
    - name: http
      port: 8080
      targetPort: 8080

Datadog Go Tracer and Gateway API integration

The Gateway API integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and AAP Library Configuration.

Enabling APM tracing

By default, the request mirror traces won’t enable Datadog’s APM product. If you want to use Application & API Protection without APM tracing functionality, this is the default behavior.

To enable APM tracing, set the environment variable DD_APM_TRACING_ENABLED=true in the request mirror deployment.

If you want to explicitly disable APM tracing while using App and API Protection:

1. Configure your deployment with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see Standalone App and API Protection.

Limitations

The Gateway API integration has the following limitations:

• It cannot access HTTP responses
• No request blocking can be applied
• Only json is supported for analysing HTTP request bodies.

For finer-grained analysis and other AAP features, consider trying other AAP integrations.

Further Reading

Más enlaces, artículos y documentación útiles:

Gateway API integration's source codeSOURCE CODE OOTB App and API Protection RulesDOCUMENTATION Troubleshooting App and API ProtectionDOCUMENTATION