Enabling AAP for Gateway API in Kubernetes

This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
AAP for Gateway API is experimental. Please follow the instructions below to try it out.

Overview

The Datadog AppSec Gateway API Request Mirror enhances application security by leveraging the RequestMirror functionality in Kubernetes Gateway APIs to duplicate traffic to a Datadog App &API Protection endpoint. This enables real-time detection and analysis of potential application-level attacks, API endpoint discovery, and more, all without impacting the primary request flow.

Prerequisites

Enabling threat detection

Installation

  1. Deploy the Datadog Agent in your Kubernetes cluster following the Kubernetes installation guide.

  2. Configure the Datadog Agent to support incoming AppSec payloads using APM as transport.

  3. Deploy the AppSec Gateway API Request Mirror in the namespace of your choice (e.g., datadog) along with its service:

    kubectl apply -f https://raw.githubusercontent.com/DataDog/dd-trace-go/main/contrib/k8s.io/gateway-api/cmd/request-mirror/deployment.yaml

  4. Verify the deployment:

    kubectl get pods -l app=request-mirror

  5. Patch your Gateway resources to allow access to the namespace with the deployment:

    go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-gateways@latest

    Use the -help flag to see options for customizing the patching behavior.

  6. Patch your HTTPRoute resources to redirect traffic to the service:

    go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-httproutes@latest

    This command adds a RequestMirror filter to all HTTPRoute resources in all namespaces. Use the -help flag for configuration options.

    Note: Regularly running this command ensures any newly created HTTPRoute resources automatically include the RequestMirror filter. Consider adding the resulting patch to your CI/CD pipeline where HTTPRoute resources are modified.

    Une fois cette configuration terminée, la bibliothèque recueille des données de sécurité à partir de votre application et les envoie à l’Agent, qui les transmet à son tour à Datadog. Les règles de détection prêtes à l’emploi signalent alors les attaques et les problèmes potentiels de configuration, afin que vous puissiez agir en conséquence.

  7. Pour tester la détection des menaces Application Security Management, envoyez des patterns d’attaque connus à votre application. Par exemple, exécutez un fichier contenant le script curl suivant afin de déclencher la règle de détection de scanner de sécurité :

    for ((i=1;i<=250;i++)); 
    do
    # Target existing service’s routes
    curl https://your-application-url/existing-route -A dd-test-scanner-log;
    # Target non existing service’s routes
    curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
    done

    Remarque : la plupart des versions récentes prennent en charge la valeur dd-test-scanner-log.

    Quelques minutes après avoir activé votre application et envoyé les patterns d’attaque, des informations sur les menaces s’affichent dans l’Application Signals Explorer. Des informations sur les vulnérabilités apparaissent également dans le Vulnerability Explorer.

Configuration

Environment Variables

The Gateway API Request Mirror deployment can be configured using the following environment variables:

Environment VariableDefault ValueDescription
DD_REQUEST_MIRROR_LISTEN_ADDR:8080Address and port where the request mirror service listens for incoming mirrored requests
DD_REQUEST_MIRROR_HEALTHCHECK_ADDR:8081Address and port where the health check endpoint is served

Configure the Datadog Agent to receive traces from the integration using the following environment variables:

Environment VariableDefault valueDescription
DD_AGENT_HOSTlocalhostHostname where your Datadog Agent is running
DD_TRACE_AGENT_PORT8126Port of the Datadog Agent for trace collection

Deployment Example

The default deployment creates a service that listens on port 8080 for mirrored requests and exposes a health check endpoint on port 8081:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: request-mirror
  labels:
    app.kubernetes.io/component: request-mirror
    app.kubernetes.io/name: datadog
spec:
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: request-mirror
  template:
    metadata:
      labels:
        app: request-mirror
    spec:
      containers:
        - name: request-mirror
          image: ghcr.io/datadog/dd-trace-go/request-mirror:latest
          ports:
            - containerPort: 8080
              name: http
          livenessProbe:
            httpGet:
              path: /
              port: 8081
          readinessProbe:
            httpGet:
              path: /
              port: 8081
          env:
            - name: DD_AGENT_HOST
              value: "datadog-agent"  # Adjust to your Agent service name
---
apiVersion: v1
kind: Service
metadata:
  name: request-mirror
spec:
  selector:
    app: request-mirror
  ports:
    - name: http
      port: 8080
      targetPort: 8080

Datadog Go Tracer and Gateway API integration

Note: The AAP Gateway API integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.

The Gateway API integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and AAP Library Configuration.

Enabling APM tracing

By default, the request mirror traces won’t enable Datadog’s APM product. If you want to use Application & API Protection without APM tracing functionality, this is the default behavior.

To enable APM tracing, set the environment variable DD_APM_TRACING_ENABLED=true in the request mirror deployment.

If you want to explicitly disable APM tracing while using App and API Protection:

  1. Configure your deployment with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
  2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see Standalone App and API Protection.

Limitations

The Gateway API integration has the following limitations:

  • It cannot access HTTP responses
  • No request blocking can be applied
  • Only json is supported for analysing HTTP request bodies.

For finer-grained analysis and other AAP features, consider trying other AAP integrations.

Further Reading

Documentation, liens et articles supplémentaires utiles:

Gateway API integration's source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more