MISP · monjiapawne · May 25, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/kubernetes/README.md b/kubernetes/README.md
@@ -11,6 +11,8 @@ These are minimum viable kubernetes manifests for
 
 There is also an [example network policy](./manifests/policy-cilium.yaml) (Cilium specific) that assumes the use of ingress-nginx in the ingress-nginx namespace to expose MISP.
 
+Optionally there is a MISP-Guard proxy [Component](./components/misp-guard/).
+
 The manifests and required secrets can be generated through [kustomize](./kustomization.yaml).
 
 ## Usage
@@ -52,4 +54,29 @@ This will then override or add the SUPERVISOR_HOST, while keeping everything els
 
 By default these manifests assume the use of S3 based attachment storage (see `S3_*` keys in [instance-secrets.env](./instance-secrets.env)).
 
-If these variables are not all supplied, the default is for MISP to store attachment data in `/var/www/MISP/app/files/`. This should be backed by a persistentVolumeClaim of your preferred storageclass named `misp-files`.
+If these variables are not all supplied, the default is for MISP to store attachment data in `/var/www/MISP/app/files/`. This should be backed by a persistentVolumeClaim of your preferred storageclass named `misp-files`.
+
+## MISP-Guard
+
+Information on MISP-Guard's configuration and environment variables can be found in the root [README](../README.md#misp-guard-optional).
+
+### Enabling
+
+Add the following to your `kustomization.yaml`:
+
+```yaml
+components:
+  - ./components/misp-guard
+```
+
+### Configuration
+
+Edit the [misp-guard-config](./components/misp-guard/guard-cm.yaml) ConfigMap with your instance details. 
+The `misp_container` IP is automatically resolved at runtime via the `misp-core-svc` service.
+
+### Applying
+
+```bash
+kustomize build . | kubectl apply -f -
+kubectl rollout restart deployment misp-guard
+```
diff --git a/kubernetes/components/misp-guard/deployment-misp-guard.yaml b/kubernetes/components/misp-guard/deployment-misp-guard.yaml
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: misp-guard
+  labels:
+    app.kubernetes.io/name: misp-guard
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: misp-guard
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: misp-guard
+    spec:
+      enableServiceLinks: false
+      # Ensure we can resolve the misp-core ClusterIP before starting MISP-Guard
+      # If the IP is not resolved first MISP-Guard will fail
+      initContainers:
+        - name: wait-for-misp-core
+          image: "ghcr.io/misp/misp-docker/misp-guard:latest"
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - -c
+            - |
+              until getent hosts misp-core; do
+                echo "waiting for misp-core DNS to resolve"
+                sleep 5
+              done
+      containers:
+        - name: misp-guard
+          image: "ghcr.io/misp/misp-docker/misp-guard:latest"
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            exec:
+              # Check if the misp-core IP still matches what's in the running config
+              # This is just precautionary incase the misp-core pod is restarted and the guard is not
+              command:
+                - sh
+                - -c
+                - 'getent hosts misp-core | grep -qF "$(jq -r .instances.misp_container.ip /srv/misp-guard/src/config.json)"'
+            periodSeconds: 30
+            failureThreshold: 3
+          readinessProbe:
+            tcpSocket:
+              port: 8888
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 2
+            successThreshold: 1
+          env:
+            - name: GUARD_PORT
+              value: "8888"
+          ports:
+            - name: misp-guard
+              protocol: TCP
+              containerPort: 8888
+          resources:
+            limits:
+              memory: 2048Mi
+            requests:
+              memory: 512Mi
+              cpu: 50m 
+          volumeMounts:
+            - name: misp-guard-config
+              mountPath: /config.json
+              subPath: misp-guard-config.json
+            - name: misp-guard-ca
+              mountPath: /misp_guard_ca
+
+      volumes:
+        - name: misp-guard-config
+          configMap:
+            name: misp-guard-config
+            items:
+              - key: misp-guard-config.json
+                path: misp-guard-config.json
+        # TODO: replace with a shared volume to distribute the mitmproxy CA to misp-core (same purpose as the misp_guard_ca compose volume)
+        - name: misp-guard-ca
+          emptyDir: {}
diff --git a/kubernetes/components/misp-guard/guard-cm.yaml b/kubernetes/components/misp-guard/guard-cm.yaml
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: misp-guard-config
+data:
+  misp-guard-config.json: |
+    {
+        "allowlist": {
+            "urls": [],
+            "domains": []
+        },
+        "compartments_rules": {
+            "can_reach": {
+                "compartment_1": [
+                    "compartment_1"
+                ]
+            }
+        },
+        "instances": {
+            "misp_container": {
+                "ip": "AUTO_REPLACED_AT_RUNTIME",
+                "host": "local-misp",
+                "port": 443,
+                "compartment_id": "compartment_1",
+                "affiliation": "internal",
+                "taxonomies_rules": {
+                    "required_taxonomies": [],
+                    "allowed_tags": {},
+                    "blocked_tags": [
+                        "tlp:red"
+                    ]
+                },
+                "blocked_distribution_levels": [],
+                "blocked_sharing_groups_uuids": [],
+                "blocked_attribute_types": [],
+                "blocked_attribute_categories": [],
+                "blocked_object_types": []
+            },
+            "partner_example": {
+                "ip": "10.0.0.1",
+                "host": "partner.misp.org",
+                "port": 443,
+                "compartment_id": "compartment_1",
+                "affiliation": "partner",
+                "taxonomies_rules": {
+                    "required_taxonomies": [],
+                    "allowed_tags": {
+                        "tlp": [
+                            "tlp:clear",
+                            "tlp:white",
+                            "tlp:green"
+                        ]
+                    },
+                    "blocked_tags": [
+                        "tlp:red"
+                    ]
+                },
+                "blocked_distribution_levels": [],
+                "blocked_sharing_groups_uuids": [],
+                "blocked_attribute_types": [],
+                "blocked_attribute_categories": [],
+                "blocked_object_types": []
+            }
+        }
+    }
diff --git a/kubernetes/components/misp-guard/kustomization.yaml b/kubernetes/components/misp-guard/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - deployment-misp-guard.yaml
+  - guard-cm.yaml
+  - misp-core-svc.yaml
+  - misp-guard-svc.yaml
+
+configMapGenerator:
+  - name: misp-guard-proxy
+    literals:
+      - PROXY_ENABLE=true
+      - PROXY_HOST=misp-guard
+      - PROXY_PORT=8888
diff --git a/kubernetes/components/misp-guard/misp-core-svc.yaml b/kubernetes/components/misp-guard/misp-core-svc.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: misp-core
+  labels:
+    app.kubernetes.io/name: misp-core
+    app.kubernetes.io/part-of: misp
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - port: 9002
+      targetPort: misp-php
+      protocol: TCP
+      name: misp-php
+  selector:
+    app.kubernetes.io/name: misp
diff --git a/kubernetes/components/misp-guard/misp-guard-svc.yaml b/kubernetes/components/misp-guard/misp-guard-svc.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: misp-guard
+  labels:
+    app.kubernetes.io/name: misp-guard
+    app.kubernetes.io/part-of: misp
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8888
+      targetPort: misp-guard
+      protocol: TCP
+      name: proxy
+  selector:
+    app.kubernetes.io/name: misp-guard
diff --git a/kubernetes/manifests/deployment-misp.yaml b/kubernetes/manifests/deployment-misp.yaml
@@ -66,6 +66,10 @@ spec:
                 name: mysql-credentials
             - secretRef:
                 name: instance-secrets
+            # Optional, injected by the misp-guard component
+            - configMapRef:
+                name: misp-guard-proxy
+                optional: true
           volumeMounts:
             # For centralised collection (e.g. tailing to stdout)
             - mountPath: /var/www/MISP/app/tmp/logs