TSB makes use of WASM technology to extend its functionality. Currently this functionality includes WAF and identity propagation.
To improve the efficiency of deploying workload proxies (Gateways or Sidecars) in a Kubernetes environment and avoid manual management, these extensions can be mounted directly instead of being fetched from image registries. This can improve pod availability and startup times.
The feature can be enabled by updating the ControlPlane CR configuration. Here’s how you can do it:
Once set, this configuration ensures that internal WASM extensions are mounted directly onto the proxy (gateway or sidecar) pods, without requiring any downloads.
WAF for VM Workloads
Using WAF as an internal image works without any changes for Kubernetes workloads. If you have VM workloads and want to use WAF, you need to create a WasmExtension that uses the internal WAF image that is already part of the VM proxy image, and then use it in the TSB resources.
Notice that the url is a local file path that is already part of the proxy image.
You can use the TSB WAF WasmExtension the same way you use any other WasmExtension, that is, by attaching it to TSB resources. For example, the following shows how to configure WAF for a Gateway.
- name: httpbin
- fqn: "organizations/tetrate/extensions/local-waf"
- Include @recommended-conf
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess Off
- Include @crs-setup-conf
- Include @owasp_crs/*.conf
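
The directive list above depends on ordering, so it is worth checking before it is attached to a Gateway. The following is an added example, not part of the original page or of Tetrate's code: the function name lint_directives is hypothetical, and it assumes directives apply in order with the last setting of a switch winning.

```python
# Added example (not Tetrate code): lint a WAF directive list before attaching it.
# Assumption: directives apply in order and the last setting of a switch wins.
SWITCHES = ("SecRuleEngine", "SecRequestBodyAccess", "SecResponseBodyAccess")

# The directive list exactly as it appears on this page.
PAGE_DIRECTIVES = [
    "Include @recommended-conf",
    "SecRuleEngine On",
    "SecRequestBodyAccess On",
    "SecResponseBodyAccess Off",
    "Include @crs-setup-conf",
    "Include @owasp_crs/*.conf",
]

def lint_directives(directives):
    """Return (effective switch values, findings) for an ordered directive list."""
    effective, where, includes = {}, {}, []
    for pos, line in enumerate(directives):
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a "Name value" directive; ignore
        name, value = parts[0], parts[1].strip()
        if name == "Include":
            includes.append((pos, value))
        elif name in SWITCHES:
            effective[name], where[name] = value, pos
    findings = []
    engine = effective.get("SecRuleEngine", "unset")
    if engine.lower() != "on":
        findings.append(f"SecRuleEngine is {engine}: blocking mode is not explicitly enabled")
    # Assumption: an included base config may carry its own SecRuleEngine line,
    # so including it after the explicit switch could silently change the mode.
    elif any(p > where["SecRuleEngine"] and v == "@recommended-conf" for p, v in includes):
        findings.append("@recommended-conf is included after SecRuleEngine On")
    if effective.get("SecRequestBodyAccess", "unset").lower() != "on":
        findings.append("SecRequestBodyAccess: request body inspection is not explicitly enabled")
    crs = [p for p, v in includes if v.startswith("@owasp_crs/")]
    setup = [p for p, v in includes if v == "@crs-setup-conf"]
    if not crs:
        findings.append("no @owasp_crs rule files are included")
    elif not setup or setup[0] > crs[0]:
        findings.append("@crs-setup-conf must be included before the @owasp_crs rules")
    return effective, findings

if __name__ == "__main__":
    print(lint_directives(PAGE_DIRECTIVES))
```

The page's own list produces no findings; reordering the Include lines or leaving the engine in DetectionOnly produces one finding per problem.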