Skip to main content
logoTetrate Service BridgeVersion: 1.11.x

Internal WASM Extensions

TSB make use of the WASM technology to extend the functionality of the TSB. Currently the functionality includes WAF and Identity propagation.

To improve the efficiency of deploying workload proxies (Gateways or Sidecars) in Kubernetes environment and avoid manual management, these extensions can be mounted directly instead of being fetched from image registries. This can improve pod availability and startup times.

Configuration Steps

The feature can be enabled by updating the ControlPlane CR configuration. Here’s how you can do it:

spec:
components:
istio:
mountInternalWasmExtensions: true

Once set, this configuration ensures that internal WASM extensions are directly mounted onto the proxy (gateway or sidecar)pods, without requiring any downloads.

WAF for VM Workloads

Using WAF as internal image will works without any changes for Kubernetes workloads. If you have VM workloads and want to use WAF, you need to create a WasmExtensions that use internal WAF images that already part of VM proxy image then use it in the TSB resources.

apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
organization: tetrate
name: local-waf
spec:
url: file:///wasm-plugins/coraza-proxy-wasm.wasm
source: ghcr.io/tetrateio/coraza-proxy-wasm:0.0.5

Notice that the url is a local file path that already part of the proxy image.

You can use TSB WAF WasmExtensions similar with how you use other WasmExtension, that is by attaching it to TSB resources. For example, following shows how to configure WAF for Gateway.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
name: tsb-gateway-httpbin
spec:
workloadSelector:
labels:
app: tsb-gateway-httpbin
http:
- name: httpbin
port: 8443
hostname: "httpbin.tetrate.io"
...
extension:
- fqn: "organizations/tetrate/extensions/local-waf"
config:
rules:
- Include @recommended-conf
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess Off
- Include @crs-setup-conf
- Include @owasp_crs/*.conf