Deep dive on PCI DSS 4.0 API Security Requirements

Deployment - Kubernetes Ingress Sidecar

[Diagram: Kubernetes Ingress Sidecar]
  1. The Edge Controller can be deployed as a Pod inside the Kubernetes cluster, or outside the cluster as a VM.

  2. AppSentinels supports two deployment modes for Kubernetes Ingress: OOB/Transparent and Service-chaining/Enforcement. The OOB sensor is a Suricata-based sniffer plugin; the Service-chaining sensor is an Envoy-based sensor. Either sensor is injected into the respective Kubernetes Pods by the injector provided by AppSentinels, or deployed with Helm charts.

  3. The OOB/transparent sensor listens on the Pod's incoming port and forwards a copy of the traffic to the Edge Controller, while the original traffic continues in parallel to the listening micro-service. Because the sensor is not in the request path, this mode does not affect application scale, availability or responsiveness, but it cannot enforce inline actions: by the time the Edge Controller's verdict arrives, the request has already reached the micro-service, so the verdict can only be used for detection and alerting.

  4. The Service-chaining Envoy sensor receives each request destined for the micro-service and forwards it to the Edge Controller. It holds the request until the Edge Controller returns an Okay response and only then forwards it to the micro-service. This is what allows the plugin to enforce inline actions based on the verdict it receives.

  5. Service-chaining mode has a fail-open/fail-close setting and a max-latency configuration knob. If the Edge Controller's response is delayed beyond the configured latency threshold, or does not arrive at all, a plugin configured fail-open forwards the request to the application anyway, preserving availability and responsiveness during a slowdown or outage; a plugin configured fail-close drops it instead. Requests forwarded under fail-open have not been checked by the Edge Controller, so fail-close is the setting to choose for endpoints where blocking matters more than availability.
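The two sensor modes and the fail-open/fail-close and max-latency behaviour described in items 3 to 5, as an added Python model that is not AppSentinels code and not taken from this page. It shows what the text states but does not demonstrate: in OOB mode a BLOCK verdict always arrives after the request was already forwarded, while in service-chaining mode the request is held and the outcome on a slow or unreachable controller depends entirely on the fail-open/fail-close setting. The function and class names (`oob_sensor`, `service_chaining_sensor`, `EnforcementConfig`, `Decision`), the stand-in controllers and the sample request are all assumptions made for this example; the page does not say which Envoy mechanism the real sensor uses, and the model reproduces only the hold-then-forward semantics.

```python
import concurrent.futures
import enum
import time
from dataclasses import dataclass


class Verdict(enum.Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class EnforcementConfig:
    max_latency_ms: float  # how long the sensor holds a request waiting for the Edge Controller
    fail_open: bool        # True: forward when the controller is slow/down; False: drop it


@dataclass(frozen=True)
class Decision:
    forwarded: bool  # did the request reach the micro-service?
    reason: str      # "allow", "block", "mirrored", "fail-open (...)", "fail-closed (...)"


def oob_sensor(request, ask_controller, executor):
    """OOB/transparent mode: forward immediately and hand a copy to the controller.

    The verdict arrives later on the returned future; because the request has
    already reached the micro-service, a BLOCK can only be alerted on.
    """
    verdict_future = executor.submit(ask_controller, request)
    return Decision(forwarded=True, reason="mirrored"), verdict_future


def service_chaining_sensor(request, ask_controller, cfg, executor):
    """Service-chaining mode: hold the request until the controller answers.

    If no answer arrives within cfg.max_latency_ms, or the controller errors
    out, the fail-open/fail-close setting decides what happens to the request.
    """
    future = executor.submit(ask_controller, request)
    try:
        verdict = future.result(timeout=cfg.max_latency_ms / 1000.0)
    except concurrent.futures.TimeoutError:
        future.cancel()  # no effect on an already-running call; we simply stop waiting
        return _degraded(cfg, f"timeout after {cfg.max_latency_ms:.0f} ms")
    except Exception as exc:  # controller unreachable or crashed
        return _degraded(cfg, f"controller error: {exc!r}")
    if verdict is Verdict.ALLOW:
        return Decision(forwarded=True, reason="allow")
    return Decision(forwarded=False, reason="block")


def _degraded(cfg, cause):
    """Apply the fail-open/fail-close policy when no usable verdict was obtained."""
    if cfg.fail_open:
        return Decision(forwarded=True, reason=f"fail-open ({cause})")
    return Decision(forwarded=False, reason=f"fail-closed ({cause})")


# Constructed stand-ins for the Edge Controller (assumptions, not AppSentinels behaviour).
def controller_allow(request):
    return Verdict.ALLOW


def controller_block(request):
    return Verdict.BLOCK


def controller_slow_block(request):
    time.sleep(0.3)  # slower than the 100 ms threshold used below
    return Verdict.BLOCK


def controller_down(request):
    raise ConnectionError("edge controller unreachable")


def run_scenarios():
    """Exercise both modes against each stand-in; returns {name: Decision} plus the late OOB verdict."""
    request = {"method": "POST", "path": "/api/v1/transfer"}  # constructed sample request
    open_cfg = EnforcementConfig(max_latency_ms=100, fail_open=True)
    closed_cfg = EnforcementConfig(max_latency_ms=100, fail_open=False)
    results = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=8) as ex:
        results["chain_allow"] = service_chaining_sensor(request, controller_allow, open_cfg, ex)
        results["chain_block"] = service_chaining_sensor(request, controller_block, open_cfg, ex)
        results["chain_slow_fail_open"] = service_chaining_sensor(request, controller_slow_block, open_cfg, ex)
        results["chain_slow_fail_closed"] = service_chaining_sensor(request, controller_slow_block, closed_cfg, ex)
        results["chain_down_fail_closed"] = service_chaining_sensor(request, controller_down, closed_cfg, ex)
        oob_decision, oob_future = oob_sensor(request, controller_slow_block, ex)
        results["oob_slow_block"] = oob_decision
        results["oob_late_verdict"] = oob_future.result()  # BLOCK, but the request is long gone
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

Running the module prints one line per scenario. The point to take from it is the `chain_slow_fail_open` case: the controller would have said BLOCK, but because it took longer than `max_latency_ms` and the sensor was configured fail-open, the request was forwarded unchecked, exactly the trade-off item 5 describes.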