Description
Problem Statement
Applications running on Kyma Kubernetes clusters are currently exposed to external HTTP/HTTPS traffic without a dedicated Web Application Firewall (WAF) layer.
As a result, incoming traffic is not centrally inspected or protected against common web application attacks (e.g. OWASP Top 10) before reaching Kubernetes services.
This creates a security and compliance gap, particularly for workloads that are subject to requirements such as SOC2, where WAF protection is considered a mandatory control for publicly exposed applications.
At the same time, Kyma environments rely on stable, client-facing public domains and an established network and DNS setup.
Any solution that addresses this gap must not require changes to existing domains, URLs, or application behavior, nor introduce breaking changes for existing consumers.
Required Outcome
All external HTTP/HTTPS traffic is inspected and protected by a WAF before reaching any Kubernetes service
WAF protection is introduced without impacting application behavior, availability, or public endpoints
Existing network and DNS configuration remains unchanged