Enable Noma Runtime Protection
Enable the Noma Runtime Protection plugin.
In this example, monitor mode is enabled, which means that the plugin will only monitor and log attacks.
If you want to enable blocking, set monitor_mode to false.
This plugin also requires the following Kong Gateway entity configuration:
- Set up AI Gateway by creating a Service, a Route, and enabling the AI Proxy plugin.
- Create a Consumer and an auth key to identify the application/client calling the API.
- Group Consumers (Optional): If you want to set up shared runtime policies, group your Consumers into Consumer Groups.
Prerequisites
- (Optional) You have created an application in Noma and copied its application ID. If you don't specify an application ID, it will automatically take the name of the Kong Gateway Consumer.
- The Noma Runtime Protection plugin is installed.
Environment variables
- https://api.noma.security: The base URL for the Noma API. The default value is https://api.noma.security.
- NOMA_APPLICATION_ID: Your Noma Application ID.
- NOMA_CLIENT_ID: Your Noma Client ID. Contact your Noma Technical Account Manager to receive this.
- NOMA_CLIENT_SECRET: Your Noma Client Secret. Contact your Noma Technical Account Manager to receive this.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: noma-runtime-protection
    config:
      API_base: https://api.noma.security
      monitor_mode: true
      application_id: ${{ env "DECK_NOMA_APPLICATION_ID" }}
      client_id: ${{ env "DECK_NOMA_CLIENT_ID" }}
      client_secret: ${{ env "DECK_NOMA_CLIENT_SECRET" }}
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: noma-runtime-protection
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  API_base: https://api.noma.security
  monitor_mode: true
  application_id: '$NOMA_APPLICATION_ID'
  client_id: '$NOMA_CLIENT_ID'
  client_secret: '$NOMA_CLIENT_SECRET'
plugin: noma-runtime-protection
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_noma_runtime_protection" "my_noma_runtime_protection" {
  enabled = true
  config = {
    API_base       = "https://api.noma.security"
    monitor_mode   = true
    application_id = var.noma_application_id
    client_id      = var.noma_client_id
    client_secret  = var.noma_client_secret
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "noma_application_id" { type = string }
variable "noma_client_id" { type = string }
variable "noma_client_secret" {
  type      = string
  sensitive = true # redacted from plan and apply output
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: noma-runtime-protection
    service: serviceName|Id
    config:
      API_base: https://api.noma.security
      monitor_mode: true
      application_id: ${{ env "DECK_NOMA_APPLICATION_ID" }}
      client_id: ${{ env "DECK_NOMA_CLIENT_ID" }}
      client_secret: ${{ env "DECK_NOMA_CLIENT_SECRET" }}
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- serviceId: The id of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: noma-runtime-protection
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  API_base: https://api.noma.security
  monitor_mode: true
  application_id: '$NOMA_APPLICATION_ID'
  client_id: '$NOMA_CLIENT_ID'
  client_secret: '$NOMA_CLIENT_SECRET'
plugin: noma-runtime-protection
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=noma-runtime-protection
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_noma_runtime_protection" "my_noma_runtime_protection" {
  enabled = true
  config = {
    API_base       = "https://api.noma.security"
    monitor_mode   = true
    application_id = var.noma_application_id
    client_id      = var.noma_client_id
    client_secret  = var.noma_client_secret
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "noma_application_id" { type = string }
variable "noma_client_id" { type = string }
variable "noma_client_secret" {
  type      = string
  sensitive = true # redacted from plan and apply output
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: noma-runtime-protection
    route: routeName|Id
    config:
      API_base: https://api.noma.security
      monitor_mode: true
      application_id: ${{ env "DECK_NOMA_APPLICATION_ID" }}
      client_id: ${{ env "DECK_NOMA_CLIENT_ID" }}
      client_secret: ${{ env "DECK_NOMA_CLIENT_SECRET" }}
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- routeId: The id of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: noma-runtime-protection
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  API_base: https://api.noma.security
  monitor_mode: true
  application_id: '$NOMA_APPLICATION_ID'
  client_id: '$NOMA_CLIENT_ID'
  client_secret: '$NOMA_CLIENT_SECRET'
plugin: noma-runtime-protection
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=noma-runtime-protection
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=noma-runtime-protection
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_noma_runtime_protection" "my_noma_runtime_protection" {
  enabled = true
  config = {
    API_base       = "https://api.noma.security"
    monitor_mode   = true
    application_id = var.noma_application_id
    client_id      = var.noma_client_id
    client_secret  = var.noma_client_secret
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "noma_application_id" { type = string }
variable "noma_client_id" { type = string }
variable "noma_client_secret" {
  type      = string
  sensitive = true # redacted from plan and apply output
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: noma-runtime-protection
    consumer: consumerName|Id
    config:
      API_base: https://api.noma.security
      monitor_mode: true
      application_id: ${{ env "DECK_NOMA_APPLICATION_ID" }}
      client_id: ${{ env "DECK_NOMA_CLIENT_ID" }}
      client_secret: ${{ env "DECK_NOMA_CLIENT_SECRET" }}
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerId: The id of the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: noma-runtime-protection
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  API_base: https://api.noma.security
  monitor_mode: true
  application_id: '$NOMA_APPLICATION_ID'
  client_id: '$NOMA_CLIENT_ID'
  client_secret: '$NOMA_CLIENT_SECRET'
plugin: noma-runtime-protection
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=noma-runtime-protection
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_noma_runtime_protection" "my_noma_runtime_protection" {
  enabled = true
  config = {
    API_base       = "https://api.noma.security"
    monitor_mode   = true
    application_id = var.noma_application_id
    client_id      = var.noma_client_id
    client_secret  = var.noma_client_secret
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "noma_application_id" { type = string }
variable "noma_client_id" { type = string }
variable "noma_client_secret" {
  type      = string
  sensitive = true # redacted from plan and apply output
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: noma-runtime-protection
    consumer_group: consumerGroupName|Id
    config:
      API_base: https://api.noma.security
      monitor_mode: true
      application_id: ${{ env "DECK_NOMA_APPLICATION_ID" }}
      client_id: ${{ env "DECK_NOMA_CLIENT_ID" }}
      client_secret: ${{ env "DECK_NOMA_CLIENT_SECRET" }}
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "noma-runtime-protection",
      "config": {
        "API_base": "https://api.noma.security",
        "monitor_mode": true,
        "application_id": "'$NOMA_APPLICATION_ID'",
        "client_id": "'$NOMA_CLIENT_ID'",
        "client_secret": "'$NOMA_CLIENT_SECRET'"
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerGroupId: The id of the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: noma-runtime-protection
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  API_base: https://api.noma.security
  monitor_mode: true
  application_id: '$NOMA_APPLICATION_ID'
  client_id: '$NOMA_CLIENT_ID'
  client_secret: '$NOMA_CLIENT_SECRET'
plugin: noma-runtime-protection
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong kongconsumergroup CONSUMERGROUP_NAME konghq.com/plugins=noma-runtime-protection
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_noma_runtime_protection" "my_noma_runtime_protection" {
  enabled = true
  config = {
    API_base       = "https://api.noma.security"
    monitor_mode   = true
    application_id = var.noma_application_id
    client_id      = var.noma_client_id
    client_secret  = var.noma_client_secret
  }
  tags             = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "noma_application_id" { type = string }
variable "noma_client_id" { type = string }
variable "noma_client_secret" {
  type      = string
  sensitive = true # redacted from plan and apply output
}
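Once the plugin is enabled at several scopes, it is easy to lose track of which ones still only log attacks. The following Python script is an added example, not part of the Kong or Noma documentation: it reads the body of an Admin API GET /plugins response and reports the enforcement state of each noma-runtime-protection instance. The sample response and its IDs are constructed, and reporting a missing monitor_mode as monitor is this script's conservative assumption, not the plugin's documented default.

```python
import json

SCOPES = ("service", "route", "consumer", "consumer_group")

# Constructed sample of a GET /plugins response body; all IDs are made up.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"name": "noma-runtime-protection", "enabled": True,
     "service": None, "route": None, "consumer": None, "consumer_group": None,
     "config": {"monitor_mode": True}},
    {"name": "noma-runtime-protection", "enabled": True,
     "service": {"id": "svc-0001"}, "route": None, "consumer": None,
     "consumer_group": None, "config": {"monitor_mode": False}},
    {"name": "noma-runtime-protection", "enabled": False,
     "service": None, "route": {"id": "rt-0002"}, "consumer": None,
     "consumer_group": None, "config": {"monitor_mode": False}},
    {"name": "ai-proxy", "enabled": True, "service": {"id": "svc-0001"},
     "route": None, "consumer": None, "consumer_group": None, "config": {}},
], "next": None})


def plugin_scope(plugin):
    """Return 'global', or labels such as 'service=<id>', for a plugin instance."""
    parts = [f"{s}={plugin[s]['id']}" for s in SCOPES if plugin.get(s)]
    return ",".join(parts) or "global"


def enforcement_state(plugin):
    """Classify one plugin instance as disabled, monitor or blocking."""
    if not plugin.get("enabled", True):
        return "disabled"
    # Assumption: a missing monitor_mode is reported as monitor, never as blocking.
    monitor = plugin.get("config", {}).get("monitor_mode", True)
    return "monitor" if monitor else "blocking"


def audit(response_body, name="noma-runtime-protection"):
    """Map each scope where the plugin is configured to its enforcement state."""
    # Only the page passed in is inspected; follow "next" to cover further pages.
    plugins = json.loads(response_body).get("data", [])
    return {plugin_scope(p): enforcement_state(p) for p in plugins if p.get("name") == name}


def not_blocking(report):
    """Scopes where attacks are logged at most, never blocked."""
    return sorted(scope for scope, state in report.items() if state != "blocking")


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    for scope, state in sorted(report.items()):
        print(f"{scope:<24} {state}")
    print("not blocking:", ", ".join(not_blocking(report)))
```

To run it against a live gateway, pass the body returned by http://localhost:8001/plugins/ to audit() in place of SAMPLE_RESPONSE.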