Set up ClamAV virus scanning for incoming traffic
Description
This guide is for setting up ClamAV antivirus and the steps to set up virus scanning for files being uploaded by users onto OpenG2P Modules.
Please note that this guide only applies to enabling virus scanning for HTTP traffic coming into a particular module from outside (ingress), and this doesn't apply to virus scanning for service-to-service traffic.
Flow description
All the incoming traffic to the particular service will first be sent to Clammit. Clammit will then scan the requests for Virus with ClamAV. If no viruses are found, Clammit will forward the request to the backend service. If viruses are found, Clammit will deny the request.

Installation
Only one ClamAV + Clammit installation is enough for the entire Kubernetes Cluster (for all namespaces/sandboxes). This installation can be individually scaled up depending on incoming traffic.
ClamAV Installation
This section uses Wiremind Helm charts for ClamAV installation on Kubernetes.
Create
clamav-system
namespace.kubectl create ns clamav-system
[Optional] Move
clamav-system
namespace intoSystem
project in Rancher to manage access control.Add wiremind helm repo
helm repo add wiremind https://wiremind.github.io/wiremind-helm-charts helm repo update
Install ClamAV in
clamav-system
namespace.helm -n clamav-system upgrade --install clamav wiremind/clamav
Clammit Installation
Requires ClamAV from above.
Add openg2p helm repo
helm repo add openg2p https://openg2p.github.io/openg2p-helm helm repo update
Install Clammit in
clamav-system
namespace.helm -n clamav-system upgrade --install clammit openg2p/clammit
Virus-scan setup
This section describes the configuration process to pass all incoming traffic of a particular service for virus scanning, using the previously installed Clammit instance.
Navigate to Rancher -> Istio -> Virtual Services, choose the virtual service for which you want to enable virus scanning, and edit as YAML.
Copy the route -> destination -> host and port number. Under headers -> request -> set, add a header like:
x-clammit-backend: http://{destination_host}.{destination_namespace}:{destination_port}
Change the route -> destination -> host and port number to the following.
route: - destination: host: clammit.clamav-system.svc.cluster.local port: number: 80
Example
Say you want to virus-scan all incoming traffic of the Social Registry odoo module, the Istio Virtual Service social-registry-odoo
would look like this.
Before
spec: ... http: ... - headers: request: set: ... route: - destination: host: social-registry-odoo port: number: 80
After
spec: ... http: ... - headers: request: set: x-clammit-backend: http://social-registry-odoo.dev ... route: - destination: host: clammit.clamav-system.svc.cluster.local port: number: 80
Sources
Clammit site, source code and docs.
Wiremind ClamAV Helm chart source.
OpenG2P Clammit Helm chart & Docker source code.
Last updated
Was this helpful?