Enabling AAP for Gateway API in Kubernetes
This product is not supported for your selected
Datadog site. (
).
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
AAP for Gateway API is experimental. Please follow the instructions below to try it out.
Overview
The Datadog AppSec Gateway API Request Mirror enhances application security by leveraging the RequestMirror functionality in Kubernetes Gateway APIs to duplicate traffic to a Datadog App &API Protection endpoint. This enables real-time detection and analysis of potential application-level attacks, API endpoint discovery, and more, all without impacting the primary request flow.
Prerequisites
Enabling threat detection
Installation
Deploy the Datadog Agent in your Kubernetes cluster following the Kubernetes installation guide.
Configure the Datadog Agent to support incoming AppSec payloads using APM as transport.
Deploy the AppSec Gateway API Request Mirror in the namespace of your choice (e.g., datadog) along with its service:
kubectl apply -f https://raw.githubusercontent.com/DataDog/dd-trace-go/main/contrib/k8s.io/gateway-api/cmd/request-mirror/deployment.yaml
Verify the deployment:
kubectl get pods -l app=request-mirror
Patch your Gateway resources to allow access to the namespace with the deployment:
go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-gateways@latest
Use the -help flag to see options for customizing the patching behavior.
Patch your HTTPRoute resources to redirect traffic to the service:
go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-httproutes@latest
This command adds a RequestMirror filter to all HTTPRoute resources in all namespaces. Use the -help flag for configuration options.
Note: Regularly running this command ensures any newly created HTTPRoute resources automatically include the RequestMirror filter. Consider adding the resulting patch to your CI/CD pipeline where HTTPRoute resources are modified.
この構成が完了すると、ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。
Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。
for ((i=1;i<=250;i++));
do
# Target existing service’s routes
curl https://your-application-url/existing-route -A dd-test-scanner-log;
# Target non existing service’s routes
curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
done
注: dd-test-scanner-log の値は、最新のリリースでサポートされています。
アプリケーションを有効にして実行すると、数分後に Application Signals Explorer に脅威情報が表示され、Vulnerability Explorer に脆弱性情報が表示されます**。
Configuration
Environment Variables
The Gateway API Request Mirror deployment can be configured using the following environment variables:
| Environment Variable | Default Value | Description |
|---|
DD_REQUEST_MIRROR_LISTEN_ADDR | :8080 | Address and port where the request mirror service listens for incoming mirrored requests |
DD_REQUEST_MIRROR_HEALTHCHECK_ADDR | :8081 | Address and port where the health check endpoint is served |
Configure the Datadog Agent to receive traces from the integration using the following environment variables:
| Environment Variable | Default value | Description |
|---|
DD_AGENT_HOST | localhost | Hostname where your Datadog Agent is running |
DD_TRACE_AGENT_PORT | 8126 | Port of the Datadog Agent for trace collection |
Deployment Example
The default deployment creates a service that listens on port 8080 for mirrored requests and exposes a health check endpoint on port 8081:
apiVersion: apps/v1
kind: Deployment
metadata:
name: request-mirror
labels:
app.kubernetes.io/component: request-mirror
app.kubernetes.io/name: datadog
spec:
strategy:
type: RollingUpdate
selector:
matchLabels:
app: request-mirror
template:
metadata:
labels:
app: request-mirror
spec:
containers:
- name: request-mirror
image: ghcr.io/datadog/dd-trace-go/request-mirror:latest
ports:
- containerPort: 8080
name: http
livenessProbe:
httpGet:
path: /
port: 8081
readinessProbe:
httpGet:
path: /
port: 8081
env:
- name: DD_AGENT_HOST
value: "datadog-agent" # Adjust to your Agent service name
---
apiVersion: v1
kind: Service
metadata:
name: request-mirror
spec:
selector:
app: request-mirror
ports:
- name: http
port: 8080
targetPort: 8080
Datadog Go Tracer and Gateway API integration
Note: The AAP Gateway API integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.
The Gateway API integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and AAP Library Configuration.
Enabling APM tracing
By default, the request mirror traces won’t enable Datadog’s APM product. If you want to use Application & API Protection without APM tracing functionality, this is the default behavior.
To enable APM tracing, set the environment variable DD_APM_TRACING_ENABLED=true in the request mirror deployment.
If you want to explicitly disable APM tracing while using App and API Protection:
- Configure your deployment with the
DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable. - This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.
For more details, see Standalone App and API Protection.
Limitations
The Gateway API integration has the following limitations:
- It cannot access HTTP responses
- No request blocking can be applied
- Only json is supported for analysing HTTP request bodies.
For finer-grained analysis and other AAP features, consider trying other AAP integrations.
Further Reading
