Internal WASM Extensions
TSB makes use of WASM technology to extend its functionality. Currently this is limited to the WAF (versions of TSB prior to 1.14.0 also used WASM for identity propagation).
To make deploying workload proxies (Gateways or Sidecars) in Kubernetes environments more efficient and avoid manual management, these extensions can be mounted directly from the proxy image instead of being fetched from image registries. This improves pod availability and startup times, since the proxy no longer depends on a download succeeding.
The mountInternalWasmExtensions control-plane feature is disabled by default, because it cannot be used together with Kubernetes Native Sidecars. If you enable both, you may see failures in the istio-proxy container.
If you wish to have WASM extensions mounted automatically into proxy (gateway or sidecar) pods, first ensure that the SidecarContainers feature gate is not enabled on the cluster, then set mountInternalWasmExtensions: true in your ControlPlane CR.
Please refer to Tetrate Technical Support for more information.
Configuration Steps
The feature can be enabled by updating the ControlPlane CR configuration. Here’s how you can do it:
spec:
  components:
    istio:
      mountInternalWasmExtensions: true
Once set, this configuration ensures that internal WASM extensions are directly mounted onto the proxy (gateway or sidecar) pods, without requiring any downloads.
WAF for VM Workloads
Using the WAF as an internal image works without any changes for Kubernetes workloads. If you have VM workloads and want to use the WAF, you need to create a WasmExtension that uses the internal WAF image already included in the VM proxy image, then reference it from your TSB resources.
apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: tetrate
  name: local-waf
spec:
  url: file:///wasm-plugins/coraza-proxy-wasm.wasm
  source: ghcr.io/tetrateio/coraza-proxy-wasm:0.0.5
Notice that the url is a local file path that is already part of the proxy image, so no download is needed at startup.
You use the TSB WAF WasmExtension the same way you use any other WasmExtension: by attaching it to TSB resources. For example, the following shows how to configure the WAF for a Gateway.
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tsb-gateway-httpbin
spec:
  workloadSelector:
    labels:
      app: tsb-gateway-httpbin
  http:
  - name: httpbin
    port: 8443
    hostname: "httpbin.tetrate.io"
    ...
    extension:
    - fqn: "organizations/tetrate/extensions/local-waf"
      config:
        rules:
        - Include @recommended-conf
        - SecRuleEngine On
        - SecRequestBodyAccess On
        - SecResponseBodyAccess Off
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
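The following pre-flight checker is an added example, not part of TSB or this page: it models the three manifests above as plain dicts and checks the constraints the page states (the mount flag must not be combined with the SidecarContainers feature gate, a VM-usable WasmExtension must point at a file bundled in the proxy image, and a Gateway's attached extension must resolve and have SecRuleEngine On). The sample data and the function names are constructed for this example.

```python
# Added pre-flight checker (hypothetical helper, not part of TSB); CRs are plain dicts.
from typing import Dict, List

def check_control_plane(control_plane: dict, sidecar_containers_gate: bool) -> List[str]:
    """Flag the unsupported combination: mounted extensions plus native sidecars."""
    istio = control_plane.get("spec", {}).get("components", {}).get("istio", {})
    if istio.get("mountInternalWasmExtensions", False) and sidecar_containers_gate:
        return ["mountInternalWasmExtensions=true while the SidecarContainers feature "
                "gate is enabled: istio-proxy may fail, disable one of them"]
    return []

def extension_fqn(ext: dict) -> str:
    """Build the FQN used in Gateway extension[].fqn from WasmExtension metadata."""
    md = ext["metadata"]
    return f"organizations/{md['organization']}/extensions/{md['name']}"

def check_wasm_extension(ext: dict) -> List[str]:
    """A VM-usable extension must point at a plugin already bundled in the proxy image."""
    url = ext.get("spec", {}).get("url", "")
    if not url.startswith("file:///wasm-plugins/"):
        return [f"{extension_fqn(ext)}: url {url!r} is not a bundled plugin path"]
    return []

def check_gateway(gateway: dict, extensions: Dict[str, dict]) -> List[str]:
    """Each attached extension must resolve to a known one with the WAF engine On."""
    findings = []
    for server in gateway.get("spec", {}).get("http", []):
        for att in server.get("extension", []):
            fqn = att.get("fqn", "")
            if fqn not in extensions:
                findings.append(f"{server.get('name')}: unknown extension {fqn}")
                continue
            if "SecRuleEngine On" not in att.get("config", {}).get("rules", []):
                findings.append(f"{server.get('name')}: SecRuleEngine is not On")
    return findings

# Constructed sample data mirroring the manifests on this page.
CONTROL_PLANE = {"spec": {"components": {"istio": {"mountInternalWasmExtensions": True}}}}
LOCAL_WAF = {"metadata": {"organization": "tetrate", "name": "local-waf"},
             "spec": {"url": "file:///wasm-plugins/coraza-proxy-wasm.wasm"}}
GATEWAY = {"spec": {"http": [{"name": "httpbin", "port": 8443, "extension": [
    {"fqn": "organizations/tetrate/extensions/local-waf",
     "config": {"rules": ["Include @recommended-conf", "SecRuleEngine On"]}}]}]}}

def run_all(sidecar_containers_gate: bool = False) -> List[str]:
    """Run every check; an empty list means the setup matches the page's guidance."""
    exts = {extension_fqn(LOCAL_WAF): LOCAL_WAF}
    return (check_control_plane(CONTROL_PLANE, sidecar_containers_gate)
            + check_wasm_extension(LOCAL_WAF) + check_gateway(GATEWAY, exts))
```

Run `run_all(sidecar_containers_gate=True)` to see the conflict finding the page warns about; with the gate off and the manifests as shown, it returns no findings.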