Kubernetes
This page describes how to install F5 DOS for NGINX using Kubernetes.
It explains the common steps necessary for any Kubernetes-based deployment, then provides details specific to Helm or Manifests.
To complete this guide, you will need the following pre-requisites:
- A functional Kubernetes cluster
- An active F5 DOS for NGINX subscription (Purchased or trial)
- Docker
To review supported operating systems, read the Releases topic.
Download the SSL certificate, private key, and the JWT license file associated with your NGINX Plus subscription from the MyF5 Customer Portal:
- Log in to MyF5.
- Go to My Products & Plans > Subscriptions to see your active subscriptions.
- Find your NGINX products or services subscription, and select the Subscription ID for details.
- Download the nginx-repo.crt and nginx-repo.key from the subscription page.
- Download the JSON Web Token (JWT) from the subscription page.
Starting from NGINX Plus Release 33, a JWT file is required for each NGINX Plus instance. For more information, see About Subscription Licenses.
In the same folder as your credential files, create a Dockerfile based on your desired operating system image using an example from the following sections.
# syntax=docker/dockerfile:1
# Supported OS_VER's are 3.21/3.22
ARG OS_VER="3.22"
# Base image
FROM alpine:${OS_VER}
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
&& printf "https://pkgs.nginx.com/plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \
&& printf "https://pkgs.nginx.com/app-protect-dos/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories \
&& apk update \
&& apk add app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& rm -rf /var/cache/apk/*
# Copy configuration files:
COPY nginx.conf custom_log_format.json /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]
# For AmazonLinux 2023:
FROM amazonlinux:2023
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
dnf -y install ca-certificates \
&& curl -o /etc/yum.repos.d/plus-amazonlinux2023.repo https://cs.nginx.com/static/files/plus-amazonlinux2023.repo \
&& curl -o /etc/yum.repos.d/app-protect-dos-amazonlinux2023.repo https://cs.nginx.com/static/files/app-protect-dos-amazonlinux2023.repo \
&& dnf install -y app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& dnf clean all \
&& rm -rf /var/cache/dnf \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
# Copy configuration files:
COPY nginx.conf custom_log_format.json /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]
# Where can be bullseye/bookworm
FROM debian:bullseye
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
apt-get update \
&& DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 debian-archive-keyring \
&& mkdir -p /etc/ssl/nginx/ /etc/nginx/ \
&& wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/debian $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list \
&& wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
&& DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& apt-get remove --purge --auto-remove -y \
&& rm -rf /var/lib/apt/lists/* \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
COPY nginx.conf /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]# For UBI 8
FROM registry.access.redhat.com/ubi8
ARG RHEL_ORG
ARG RHEL_ACTIVATION_KEY
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \
&& subscription-manager refresh \
&& subscription-manager attach --auto || true \
&& subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms \
&& subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms \
&& dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
&& dnf -y install ca-certificates \
&& curl -o /etc/yum.repos.d/plus-8.repo https://cs.nginx.com/static/files/plus-8.repo \
&& curl -o /etc/yum.repos.d/app-protect-dos-8.repo https://cs.nginx.com/static/files/app-protect-dos-8.repo \
&& dnf -y install app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& rm /etc/yum.repos.d/plus-8.repo \
&& rm /etc/yum.repos.d/app-protect-dos-8.repo \
&& dnf clean all \
&& rm -rf /var/cache/yum \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
# Copy configuration files:
COPY nginx.conf custom_log_format.json /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]# For UBI 9
FROM registry.access.redhat.com/ubi9
ARG RHEL_ORG
ARG RHEL_ACTIVATION_KEY
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
subscription-manager register --org=${RHEL_ORG} --activationkey=${RHEL_ACTIVATION_KEY} \
&& subscription-manager refresh \
&& subscription-manager attach --auto || true \
&& subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms \
&& subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms \
&& dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
&& dnf -y install ca-certificates \
&& curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \
&& curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \
&& dnf -y install app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& rm /etc/yum.repos.d/plus-9.repo \
&& rm /etc/yum.repos.d/app-protect-dos-9.repo \
&& dnf clean all \
&& rm -rf /var/cache/yum \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
# Copy configuration files:
COPY nginx.conf custom_log_format.json /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]
# syntax=docker/dockerfile:1
# For Rocky Linux 9
FROM rockylinux:9
# Install F5 DoS for NGINX:
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
dnf -y install ca-certificates epel-release 'dnf-command(config-manager)' \
&& curl -o /etc/yum.repos.d/plus-9.repo https://cs.nginx.com/static/files/plus-9.repo \
&& curl -o /etc/yum.repos.d/app-protect-dos-9.repo https://cs.nginx.com/static/files/app-protect-dos-9.repo \
&& dnf config-manager --set-enabled crb \
&& dnf install -y app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& dnf clean all \
&& rm -rf /var/cache/dnf \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
# Copy configuration files:
COPY nginx.conf custom_log_format.json /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]
# syntax=docker/dockerfile:1
# For Ubuntu
# Where version can be: jammy/noble
FROM ubuntu:noble
# Setup repository keys
RUN apt-get update && \
# Install F5 DoS for NGINX
RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=secret,id=license-jwt,dst=license.jwt,mode=0644 \
apt-get update \
&& apt-get install -y --no-install-recommends apt-transport-https lsb-release ca-certificates wget gnupg2 ubuntu-keyring \
&& wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
&& printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/ubuntu $(lsb_release -cs) nginx-plus\n" > /etc/apt/sources.list.d/nginx-app-protect-dos.list \
&& wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \
&& DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect-dos \
&& cat license.jwt > /etc/nginx/license.jwt \
&& apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
COPY nginx.conf /etc/nginx/
COPY entrypoint.sh /root/
RUN chmod +x /root/entrypoint.sh
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["sh", "/root/entrypoint.sh"]Your folder should contain the following files:
- nginx-repo.crt
- nginx-repo.key
- Dockerfile
To build an image, use the following command, replacing <your-image-name> as appropriate:
sudo docker build --no-cache --platform linux/amd64 \
--secret id=nginx-crt,src=nginx-repo.crt \
--secret id=nginx-key,src=nginx-repo.key \
--secret id=license-jwt,src=license.jwt \
-t <your-image-name> .Once you have built the image, push it to your private image repository, which should be accessible to your Kubernetes cluster.
From this point, the steps change based on your installation method:
Once you have installed F5 WAF for NGINX, you must load it as a module in the main context of your NGINX configuration.
load_module modules/ngx_http_app_protect_module.so;The Enforcer address must be added at the http context:
app_protect_enforcer_address 127.0.0.1:50000;And finally, F5 WAF for NGINX can enabled on a http, server or location context:
app_protect_enable on;WarningYou should only enable F5 WAF for NGINX on proxy_pass and grpc_pass locations.
Here are two examples of how these additions could look in configuration files:
The default path for this file is /etc/nginx/nginx.conf.
user nginx;
worker_processes auto;
# F5 WAF for NGINX
load_module modules/ngx_http_app_protect_module.so;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
# F5 WAF for NGINX
app_protect_enforcer_address 127.0.0.1:50000;
include /etc/nginx/conf.d/*.conf;
}The default path for this file is /etc/nginx/conf.d/default.conf.
server {
listen 80;
server_name domain.com;
location / {
# F5 WAF for NGINX
app_protect_enable on;
client_max_body_size 0;
default_type text/html;
proxy_pass http://127.0.0.1:8080/;
}
}
server {
listen 8080;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment:
nginx -s reloadsudo systemctl reload nginx
Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry.
You can create the secret using kubectl create:
kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=noneThe <JWT Token> argument should be the contents of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.
The default configuration provided creates two replicas, each hosting NGINX and WAF services together in a single Kubernetes pod.
Create all of these files in a single folder (Such as /manifests).
In each file, replace <your-private-registry>/waf:<your-tag> with your actual image tag.
This configuration uses a hostPath backed persistent volume claim.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nap5-deployment
spec:
selector:
matchLabels:
app: nap5
replicas: 2
template:
metadata:
labels:
app: nap5
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nginx
image: <your-private-registry>/waf:<your-tag>
imagePullPolicy: IfNotPresent
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
- name: waf-enforcer
image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
imagePullPolicy: IfNotPresent
env:
- name: ENFORCER_PORT
value: "50000"
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: waf-config-mgr
image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
volumes:
- name: app-protect-bd-config
emptyDir: {}
- name: app-protect-config
emptyDir: {}
- name: app-protect-bundles
persistentVolumeClaim:
claimName: nap5-bundles-pvcapiVersion: apps/v1
kind: Deployment
metadata:
name: dos-deployment
spec:
selector:
matchLabels:
app: nap5
replicas: 2
template:
metadata:
labels:
app: nap5
spec:
imagePullSecrets:
- name: regcred
containers:
- name: nginx
image: <your-private-registry>/waf:<your-tag>
imagePullPolicy: IfNotPresent
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
- name: waf-enforcer
image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
imagePullPolicy: IfNotPresent
env:
- name: ENFORCER_PORT
value: "50000"
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: waf-config-mgr
image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumeMounts:
- name: app-protect-bd-config
mountPath: /opt/app_protect/bd_config
- name: app-protect-config
mountPath: /opt/app_protect/config
- name: app-protect-bundles
mountPath: /etc/app_protect/bundles
volumes:
- name: app-protect-bd-config
emptyDir: {}
- name: app-protect-config
emptyDir: {}
- name: app-protect-bundles
persistentVolumeClaim:
claimName: nap5-bundles-pvcapiVersion: v1
kind: Service
metadata:
name: nginx
spec:
selector:
app: nap5
ports:
- protocol: TCP
port: 80
targetPort: 80
type: NodePortFrom the folder containing the YAML files from the previous step (Suggested as /manifests), deploy F5 DOS for NGINX using kubectl:
kubectl apply -f manifests/It will apply all the configuration defined in the files to your Kubernetes cluster.
You can then check the status of the deployment with kubectl get:
kubectl -n dos get deployments
kubectl -n dos get pods
kubectl -n dos get servicesYou should see output similar to the following:
...At this stage, you have finished deploying F5 WAF for NGINX and can look at Post-installation checks.