NGINX Ingress Controller Integration

OMetaScan NGINX Ingress Controller Configuration

The configuration of the OMetaScan NGINX Ingress Controller is similar to that of the upstream NGINX Ingress Controller; see "Introduction - NGINX Ingress Controller" (kubernetes.github.io).

ConfigMaps

ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable.

The ConfigMap API resource stores configuration data as key-value pairs. The data provides the configurations for system components for the nginx-controller.

| Name | Type | Default | Usage |
|---|---|---|---|
| enable-ometascan | bool | "false" | Enable or disable ometascan module globally. Note: You must enable this config to use ometascan module. |

Annotations

| Name | Type | Default | Usage |
|---|---|---|---|
| nginx.ingress.kubernetes.io/ometascan-send-timeout | number | 60 | Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. |
| nginx.ingress.kubernetes.io/ometascan-read-timeout | number | 86400 (1 day) | Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. |
| nginx.ingress.kubernetes.io/ometascan-pre-cache-size | number | 9223372036854775807 (maximum number of Nginx) | Configures the maximum caching size per request. |
| nginx.ingress.kubernetes.io/ometascan-pre-cache | "true" or "false" | "false" | Turns pre-caching of the request on or off when sending to the ICAP server. |
| nginx.ingress.kubernetes.io/ometascan-pass | string | No default | Sets the protocol and address of an ICAP server and an optional URI to which a location should be mapped. E.g.: http://icap-address:8043. Note: Required; it must be set for the annotations to be enabled. |
| nginx.ingress.kubernetes.io/ometascan-methods | string | GET HEAD POST PUT PATCH DELETE | Specifies the HTTP request methods that are considered by ometascan_pass. HTTP request methods not listed are skipped completely. The following HTTP methods are allowed: GET, HEAD, POST, PUT, PATCH, and DELETE. |
| nginx.ingress.kubernetes.io/ometascan-connect-timeout | number | 60 | Defines a timeout for establishing a connection with a proxied server. Note that this timeout cannot usually exceed 75 seconds. |

You can add these Kubernetes annotations to specific Ingress objects to customize their behavior.
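
The rules in the annotations table can be checked mechanically before an Ingress is applied, which catches routes that would silently skip scanning. The linter below is an added example, not part of the OPSWAT documentation or product; the function name lint_ingress and the two sample manifests are hypothetical and constructed for illustration.

```python
# Added example, not OPSWAT code: lint Ingress manifests against the
# ometascan annotation rules listed in the table above.
PREFIX = "nginx.ingress.kubernetes.io/ometascan-"
ALLOWED = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"]  # methods the table allows
NUMERIC = ("send-timeout", "read-timeout", "connect-timeout", "pre-cache-size")


def lint_ingress(ingress, globally_enabled=True):
    """Return a list of findings for one Ingress manifest given as a dict."""
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    annotations = meta.get("annotations") or {}
    # Keep only the ometascan-* annotations, keyed by their short name.
    opts = {k[len(PREFIX):]: str(v) for k, v in annotations.items() if k.startswith(PREFIX)}
    if "pass" not in opts:
        # The table marks ometascan-pass as required for the annotations to apply.
        return [f"{name}: ometascan-pass is not set, so no ICAP server is configured"]
    findings = []
    if not globally_enabled:
        findings.append(f'{name}: enable-ometascan is not "true" in the ConfigMap')
    for key in NUMERIC:
        if key in opts and not opts[key].isdigit():
            findings.append(f"{name}: ometascan-{key} must be a number, got {opts[key]!r}")
    timeout = opts.get("connect-timeout", "60")
    if timeout.isdigit() and int(timeout) > 75:
        findings.append(f"{name}: ometascan-connect-timeout {timeout} exceeds the usual 75 s limit")
    # When ometascan-methods is absent, the table's default (all six methods) applies.
    methods = opts.get("methods", " ".join(ALLOWED)).split()
    unknown = [m for m in methods if m not in ALLOWED]
    if unknown:
        findings.append(f"{name}: unsupported methods: {' '.join(unknown)}")
    skipped = [m for m in ALLOWED if m not in methods]
    if skipped:
        findings.append(f"{name}: methods not scanned: {' '.join(skipped)}")
    return findings


# Constructed sample manifests (names and values are illustrative only).
SCANNED = {"metadata": {"name": "upload", "annotations": {
    PREFIX + "pass": "http://icap-address:8043",
    PREFIX + "methods": "PUT",
    PREFIX + "connect-timeout": "120",
}}}
UNSCANNED = {"metadata": {"name": "legacy", "annotations": {
    PREFIX + "methods": "POST PUT",
}}}

if __name__ == "__main__":
    for manifest in (SCANNED, UNSCANNED):
        print("\n".join(lint_ingress(manifest)))
```

A "methods not scanned" finding is informational: it is expected when a route is deliberately limited to one method, and the reviewer should confirm the backend rejects the others.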

OMetaScan NGINX Ingress on Minikube

Requirement

Pre-setup

Enable Nginx ingress on Minikube

  • Start minikube.
  • Enable the NGINX Ingress controller by running the following command:
  • Verify that the NGINX Ingress controller is running:

The output is similar to:

Change default Nginx Ingress image to Nginx Ingress with OMetascan module image

  • Update the default image to opswat/nginx-ingress using the following command:
  • Verify that the image has changed:

The output:

  • Verify that the NGINX Ingress controller has been replaced and is running:

The output is similar to:

Enable OMetascan Module

  • Set enable-ometascan: "true" in the ingress-nginx-controller ConfigMap to turn on the OMetascan module:

Deploy Echo Server as Service A

Refer to: https://github.com/Ealenn/Echo-Server#kubernetes

Example:

  • /path1 rewrite to /subpathA (use ometascan)

  • /path2 rewrite to /subpathB (use ometascan)

    • Only PUT methods
    • Max client body size 100 Mb
  • /path3 rewrite to /subpathC (do not use ometascan)

OMetaScan NGINX Ingress on Kubernetes

Requirements

  • An existing K8S cluster
  • Helm CLI
  • NGINX Ingress with OMetascan module images:
  • An existing MD ICAP Server on Kubernetes

Instructions

Example:

1. Install NGINX Ingress Controller via Helm Chart

Output:

Output:

Verify the nginx-ingress installation from the CLI:

Output:

Make sure the nginx-ingress pod has a status of Running.

2. Replace The Ingress Controller Image

To replace the ingress controller image, patch the existing Kubernetes resource (Deployment, DaemonSet, etc.) of the ingress controller so that it uses the new image. Edit the ingress-controller-patch-image.yml file, replacing the container name to match the existing controller, and run the following command (replace 'deployment' and 'ingress-nginx-controller' with the resource type and name of your controller):

ingress-controller-patch-image.yml

Output:

update-configmap-ingress-controller.yml

Output:

3. Deploy A Service To Test with MetaDefender ICAP Server

3.1. Create a sample deployment:

Output:

3.2. Expose the sample service:

Output:

3.3. Create the Ingress file for the sample app:

ingress-be.yml

Output:

Add the following line to the bottom of the /etc/hosts file on your computer (you will need administrator access):

Expected result: MD ICAP Server scans the requests.
