The Datadog AppSec Gateway API Request Mirror enhances application security by leveraging the RequestMirror functionality in Kubernetes Gateway APIs to duplicate traffic to a Datadog App & API Protection endpoint. This enables real-time detection and analysis of potential application-level attacks, API endpoint discovery, and more, all without impacting the primary request flow.
1. Deploy the Datadog Agent in your Kubernetes cluster following the Kubernetes installation guide.
2. Configure the Datadog Agent to support incoming AppSec payloads using APM as transport.
3. Deploy the AppSec Gateway API Request Mirror in the namespace of your choice (e.g., `datadog`) along with its service:

   ```shell
   kubectl apply -f https://raw.githubusercontent.com/DataDog/dd-trace-go/main/contrib/k8s.io/gateway-api/cmd/request-mirror/deployment.yaml
   ```

   Verify the deployment:

   ```shell
   kubectl get pods -l app=request-mirror
   ```

4. Patch your Gateway resources to allow access to the namespace with the deployment:

   ```shell
   go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-gateways@latest
   ```

   Use the `-help` flag to see options for customizing the patching behavior.

5. Patch your HTTPRoute resources to redirect traffic to the service:

   ```shell
   go run github.com/DataDog/dd-trace-go/contrib/k8s.io/gateway-api/cmd/patch-httproutes@latest
   ```

   This command adds a RequestMirror filter to all HTTPRoute resources in all namespaces. Use the `-help` flag for configuration options.

   Note: Regularly running this command ensures any newly created HTTPRoute resources automatically include the RequestMirror filter. Consider adding the resulting patch to your CI/CD pipeline where HTTPRoute resources are modified.
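The page does not show what the patched HTTPRoute looks like or how to confirm that every route is still mirrored after new routes are added. The following added example (written for this page, not part of dd-trace-go) does both: it embeds a constructed pair of HTTPRoute objects in the shape returned by `kubectl get httproutes -A -o json`, one with the RequestMirror filter pointing at the `request-mirror` Service in the `datadog` namespace and one without, and reports every rule that lacks the filter so the check can gate a CI/CD pipeline. The service and namespace names are the ones used in this guide; that the filter's backendRef must name that Service is an assumption based on the Gateway API spec, since the page does not show the patch output.

```python
import json
import sys

# Constructed sample shaped like the "items" of `kubectl get httproutes -A -o json`;
# only the fields the check reads are present.
SAMPLE_ROUTES = [
    {"metadata": {"name": "shop", "namespace": "default"},
     "spec": {"rules": [{
         "backendRefs": [{"name": "shop", "port": 80}],
         "filters": [{"type": "RequestMirror", "requestMirror": {"backendRef": {
             "name": "request-mirror", "namespace": "datadog", "port": 8080}}}]}]}},
    {"metadata": {"name": "admin", "namespace": "internal"},
     "spec": {"rules": [{"backendRefs": [{"name": "admin", "port": 80}]}]}},  # no filter
]


def rule_is_mirrored(rule, route_ns, service="request-mirror", mirror_ns="datadog"):
    """True if the rule carries a RequestMirror filter whose backendRef is the mirror
    Service. A backendRef without a namespace refers to the route's own namespace."""
    for f in rule.get("filters", []):
        if f.get("type") != "RequestMirror":
            continue
        ref = f.get("requestMirror", {}).get("backendRef", {})
        if ref.get("name") == service and ref.get("namespace", route_ns) == mirror_ns:
            return True
    return False


def unmirrored_rules(routes, service="request-mirror", mirror_ns="datadog"):
    """Return 'namespace/name#rule-index' for every HTTPRoute rule that is not mirrored."""
    gaps = []
    for route in routes:
        ns, name = route["metadata"]["namespace"], route["metadata"]["name"]
        for i, rule in enumerate(route.get("spec", {}).get("rules", [])):
            if not rule_is_mirrored(rule, ns, service, mirror_ns):
                gaps.append(f"{ns}/{name}#{i}")
    return gaps


if __name__ == "__main__":
    # CI usage: kubectl get httproutes -A -o json | python3 check_mirror.py
    # With no piped input, the constructed sample above is checked instead.
    items = SAMPLE_ROUTES if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    gaps = unmirrored_rules(items)
    print("\n".join(gaps) or "every HTTPRoute rule mirrors to request-mirror")
    sys.exit(1 if gaps else 0)
```

A non-zero exit code from the script is what a pipeline step should fail on, after which running `patch-httproutes` again adds the missing filters.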
Once this configuration is complete, the library collects security data from your application and sends it to the Agent, which forwards it to Datadog. Attacker techniques and potential misconfigurations are then flagged based on the default detection rules, and you can proceed with remediation from there.

To verify that Application Security Management detection is working, send known attack patterns to your application. For example, run a file containing the following curl script to trigger the Security scanner detected rule:

```shell
for ((i=1;i<=250;i++));
do
# Target existing service's routes
curl https://your-application-url/existing-route -A dd-test-scanner-log;
# Target non-existing service's routes
curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
done
```

Note: The `dd-test-scanner-log` value is supported in the latest releases.

A few minutes after enabling and running your application, threat information appears in the Application Signals Explorer and vulnerability information appears in the Vulnerability Explorer.
The Gateway API Request Mirror deployment can be configured using the following environment variables:

| Environment Variable | Default Value | Description |
|---|---|---|
| DD_REQUEST_MIRROR_LISTEN_ADDR | :8080 | Address and port where the request mirror service listens for incoming mirrored requests |
| DD_REQUEST_MIRROR_HEALTHCHECK_ADDR | :8081 | Address and port where the health check endpoint is served |

Configure the Datadog Agent to receive traces from the integration using the following environment variables:

| Environment Variable | Default Value | Description |
|---|---|---|
| DD_AGENT_HOST | localhost | Hostname where your Datadog Agent is running |
| DD_TRACE_AGENT_PORT | 8126 | Port of the Datadog Agent for trace collection |
The default deployment creates a service that listens on port 8080 for mirrored requests and exposes a health check endpoint on port 8081:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: request-mirror
  labels:
    app.kubernetes.io/component: request-mirror
    app.kubernetes.io/name: datadog
spec:
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: request-mirror
  template:
    metadata:
      labels:
        app: request-mirror
    spec:
      containers:
        - name: request-mirror
          image: ghcr.io/datadog/dd-trace-go/request-mirror:latest
          ports:
            - containerPort: 8080
              name: http
          livenessProbe:
            httpGet:
              path: /
              port: 8081
          readinessProbe:
            httpGet:
              path: /
              port: 8081
          env:
            - name: DD_AGENT_HOST
              value: "datadog-agent" # Adjust to your Agent service name
---
apiVersion: v1
kind: Service
metadata:
  name: request-mirror
spec:
  selector:
    app: request-mirror
  ports:
    - name: http
      port: 8080
      targetPort: 8080
```
The Gateway API integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and AAP Library Configuration.
By default, the request mirror traces won’t enable Datadog’s APM product. If you want to use Application & API Protection without APM tracing functionality, this is the default behavior.
To enable APM tracing, set the environment variable `DD_APM_TRACING_ENABLED=true` in the request mirror deployment.

If you want to explicitly disable APM tracing while using App and API Protection, set the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. For more details, see Standalone App and API Protection.
The Gateway API integration has the following limitations:
For finer-grained analysis and other AAP features, consider trying other AAP integrations.