-
Feature
-
Resolution: Unresolved
-
Critical
-
None
-
None
-
Product / Portfolio Work
-
None
-
False
-
-
False
-
None
-
None
-
None
-
None
-
None
-
-
None
-
None
-
None
-
None
Feature Overview (aka. Goal Summary)
This feature delivers a Developer Preview of a Coraza-based Kubernetes Operator that enables native Web Application Firewall (WAF) capabilities within OpenShift.
The operator will deploy and manage Coraza WAF engines and ModSecurity-compatible rulesets integrated with OpenShift Gateway API through Istio/Envoy using a Wasm module. This provides signature-based web attack detection aligned with OWASP ruleset compatibility and embeds WAF protection directly into the OpenShift networking layer.
The intent is not to deliver a production-ready WAF, but to ship a tightly-scoped MVP Developer Preview to customers in time for Red Hat Summit (May 11–14, 2026) in order to:
- Validate real customer WAF use cases
- Validate architectural direction (Gateway API, Wasm, Istio/Envoy)
- Validate ruleset management and operator lifecycle model
- Gather feedback to inform potential future GA investment
OpenShift currently has no native WAF capability, forcing customers to rely on external appliances or public cloud implementations. This preview explores shifting WAF protection into the cluster, closer to applications, aligned with industry and upstream community direction.
Goals (aka. expected user outcomes)
- Provide a functional Developer Preview WAF capability for OpenShift customers.
- Demonstrate Coraza WAF engine lifecycle management via an Operator.
- Demonstrate ModSecurity/OWASP ruleset lifecycle management via CRDs.
- Integrate WAF enforcement into Gateway API traffic paths using Istio/Envoy + Wasm.
- Enable customers to trial WAF in realistic environments and provide feedback.
- Deliver the preview via OperatorHub in time for Red Hat Summit 2026.
- Validate whether this problem space, architecture, and UX warrant future GA investment.
Requirements (aka. Acceptance Criteria):
Functional Requirements
- Deploy and manage Coraza WAF engine instances via Operator
- Deploy and manage ModSecurity-compatible rulesets via CRDs
- Load rulesets dynamically into Coraza engines
- Integrate with OpenShift Gateway API
- Use Istio/Envoy with Wasm module for WAF execution
- Provide basic examples and documentation for:
- Enabling WAF on a Gateway
- Loading OWASP CRS
- Observing WAF detections
Non-Functional Requirements (MVP scope)
- Basic reliability within constrained environment
- Basic test coverage (unit, integration, E2E on OCP)
- QE validation sufficient for Developer Preview publishing
- Operator packaging for OpenShift and OperatorHub publication
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| Self-managed, managed, or both | |
| Classic (standalone cluster) | |
| Hosted control planes | |
| Multi node, Compact (three node), or Single node (SNO), or all | |
| Connected / Restricted Network | |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
| Operator compatibility | |
| Backport needed (list applicable versions) | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
| Other (please specify) |
Milestones Timeline:
Target availability: Before May 11, 2026 (Red Hat Summit)
| Milestone | Release | Duration | Description | Deliverables |
|---|---|---|---|---|
| Gap Analysis, Expansion, Hardening & Testing | v0.2.0 pre-release | 6 weeks | Identify MVP gaps, hardening, unit and integration tests, initial QE validation | Hardened engine, SecRule validation, Initial QE report |
| Operator, Packaging, E2E & Documentation | v0.3.0 pre-release | 4 weeks | Extend controllers into full OpenShift operator, expand tests, create documentation | OCP E2E test suite, Operator packaging, Documentation |
| Packaging, Publishing & Ship-it | v0.4.0 dev-preview | 3 weeks | Finalize metadata, QE validation, publish to OperatorHub | OperatorHub listing, QE report, Documentation |
Use Cases:
This preview targets validation of the following (non-exhaustive) customer scenarios:
- Customer mandates decryption and inspection of all web traffic at the cluster edge
- Customer wants a cluster-native alternative to external WAF appliances
- Customer desires WAF capability for on-prem OpenShift where cloud WAFs are unavailable
- Customer wants to apply OWASP CRS rules to Gateway traffic
- Customer policy requires SSL termination at the load balancer, but still requires in-cluster inspection
- Customer evaluating integration with commercial WAF tooling alongside open rulesets
Questions to Answer:
This Developer Preview is intended to answer:
- Do customers want a native OpenShift WAF?
- Is Gateway API integration the correct control point?
- Is Wasm + Envoy a viable enforcement mechanism?
- How do customers want to manage rulesets?
- What performance and scale expectations exist?
- Do customers require integrations beyond Istio/Envoy?
- What operational UX do customers expect from a WAF Operator?
- Is OWASP CRS sufficient, or are additional rule ecosystems required?
Out of Scope
To maintain velocity for Summit delivery, the following are explicitly out of scope:
- Performance and large-scale validation
- Production readiness
- Support for non-Istio or non-Wasm integrations
- Integration with IngressController, HAProxy, or other dataplanes
- Deep upstream collaboration at this stage
- GA migration path guarantees
- Advanced observability, tuning, or UX polish
- Commercial WAF integrations
Background
OpenShift today lacks any native WAF capability. Customers must rely on external WAFs, increasing:
- Latency
- Cost
- Operational complexity
- Architectural fragmentation
There is growing upstream interest in embedding WAF capabilities directly into cloud-native networking layers (OWASP + Kubernetes ecosystems). This effort aligns with the broader industry trend of shifting security left and embedding protections closer to applications.
The Coraza Kubernetes Operator project is near MVP status and provides a strong foundation to extend for OpenShift use.
Customer Considerations
- This is a Developer Preview of a new OpenShift feature, and its scope of support is limited to terms defined in https://access.redhat.com/support/offerings/devpreview
- Customers evaluating this preview are early adopters helping shape potential future direction.
Documentation Considerations
Documentation must clearly include:
- Developer Preview disclaimers
- Installation via OperatorHub
- Example Gateway + WAF configuration
- Example OWASP CRS ruleset deployment
- Known limitations
- How to provide feedback
- Architectural explanation (Gateway API → Envoy → Wasm → Coraza → Ruleset)
Documentation is critical for Summit demos and customer enablement.
Interoperability Considerations
This preview intentionally limits interoperability to:
- OpenShift Gateway API
- Istio/Envoy dataplane
- Wasm module deployment model
- ModSecurity-compatible rulesets (OWASP CRS)
Future iterations may evaluate:
- Additional dataplanes
- IngressController integrations
- Broader rule ecosystems
- Commercial WAF interoperability
For this preview, interoperability breadth is traded for delivery speed and clarity of architecture.
