Skip to content

Deploying API Security Proxy in K8s

Getting Started

This guide provides a step-by-step process for deploying API Sec Proxy in a Kubernetes environment, aimed at enhancing API observability. It includes detailed commands for each step along with their explanations.

1. Prerequisites

  • A Kubernetes cluster running version 1.28 or later.
  • kubectl version 1.28 or later.

2. Deploying API Sec Proxy

Configure API Sec Proxy receiver by following this. Then deploy updated API Sec Proxy manifest by following kubectl command:

kubectl apply -f sentryflow.yaml

This will create a namespace named sentryflow and will deploy the necessary Kubernetes resources.

Then, check if API Sec Proxy is up and running by:

$ kubectl -n sentryflow get pods
NAME                         READY   STATUS    RESTARTS   AGE
sentryflow-cff887bbd-rljm7   1/1     Running   0          73s

3. Viewing Captured API Access Events Clients

API Sec Proxy has now been deployed in the cluster. In addition, API Sec Proxy exports API access events through gRPC.

You can use sfctl the API Sec Proxy client to view or filter captured API access events

$ sfctl event
{"level":"INFO","timestamp":"2025-01-08T18:15:31.720+0530","caller":"apievent/common.go:165","msg":"starting API Events streaming"}
{"level":"INFO","timestamp":"2025-01-08T18:15:31.771+0530","caller":"apievent/common.go:171","msg":"started API Events streaming"}
# API Access Events
{"metadata":{"context_id":9,"timestamp":1736340391,"istio_version":"1.24.1","mesh_id":"cluster.local","node_name":"kind-control-plane"},"source":{"name":"server-c7669846-w5v8m","namespace":"default","ip":"10.244.0.8","port":57754},"destination":{"namespace":"sentryflow","ip":"10.96.79.211","port":9999},"request":{"headers":{":authority":"sentryflow.sentryflow:9999",":method":"HEAD",":path":"/",":scheme":"http","accept":"*/*","user-agent":"curl/7.88.1","x-forwarded-proto":"http","x-request-id":"9ff1f0fb-adca-4cbb-bfbb-7927d5aa02ae"}},"response":{"headers":{":status":"404","content-length":"19","content-type":"text/plain; charset=utf-8","date":"Wed, 08 Jan 2025 12:46:31 GMT","x-content-type-options":"nosniff"}},"protocol":"HTTP/1.1"}
...

Filter API Events based on some Response Status Code

$ sfctl event filter --status "4xx"
{"level":"INFO","timestamp":"2025-01-08T18:20:37.096+0530","caller":"apievent/common.go:165","msg":"starting API Events streaming"}
{"level":"INFO","timestamp":"2025-01-08T18:20:37.151+0530","caller":"apievent/common.go:171","msg":"started API Events streaming"}
# API Access Events
{"metadata":{"context_id":10,"timestamp":1736340639,"istio_version":"1.24.1","mesh_id":"cluster.local","node_name":"kind-control-plane"},"source":{"name":"server-c7669846-w5v8m","namespace":"default","ip":"10.244.0.8","port":37154},"destination":{"namespace":"sentryflow","ip":"10.96.79.211","port":9999},"request":{"headers":{":authority":"sentryflow.sentryflow:9999",":method":"HEAD",":path":"/",":scheme":"http","accept":"*/*","user-agent":"curl/7.88.1","x-forwarded-proto":"http","x-request-id":"e20a1002-09d1-4f3f-936e-ce688652ea4d"}},"response":{"headers":{":status":"404","content-length":"19","content-type":"text/plain; charset=utf-8","date":"Wed, 08 Jan 2025 12:50:39 GMT","x-content-type-options":"nosniff"}},"protocol":"HTTP/1.1"}

For more info check this.

Next Steps

Proceed to the API Security Use Case to learn how to view your API inventory, create collections, upload OpenAPI specifications, and scan for security findings.