Ingress annotation for WAF policy behaviour for NAP v5 #6706

Open
5 tasks
shaun-nx opened this issue Oct 24, 2024 · 1 comment
Labels
  • needs more info: Issues that require more information
  • proposal: An issue that proposes a feature request
  • ready for refinement: An issue that was triaged and it is ready to be refined

shaun-nx commented Oct 24, 2024

As a user of NGINX Ingress Controller, I would like to enhance the security of my ingress resources by configuring WAF-style annotation settings.

UACs:

  • Add additional annotations for WAF to enable compatibility with tar bundles
  • Mirror fields in WAF Policy
  • Support only WAF v5
  • Ensure all AppProtect related annotations are validated
  • Ensure Ingress resource is rejected correctly if an AppProtect related annotation is misconfigured

Decision Log:

  • No implementation needed for Master/Minion pattern

Example configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe
  namespace: cafe
  annotations:
    custom.nginx.org/app-protect-policy: "/etc/app_protect/bundles/policy-cafe.tgz"
    custom.nginx.org/app-protect-enable: "true"
    custom.nginx.org/app-protect-security-log-enable: "true"
    custom.nginx.org/app-protect-security-log: "log_all"
    custom.nginx.org/app-protect-security-log-destination: "syslog:server=127.0.0.1:514"
spec:
  ingressClassName: nginxplus
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
shaun-nx added the "proposal" label Oct 24, 2024
shaun-nx added this to the v4.1.0 milestone Oct 24, 2024
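
The validation and rejection behaviour listed in the UACs, sketched as an added Go example (not code from the NGINX Ingress Controller project). The annotation names come from the example Ingress in the issue; the accepted values, the bundle directory and the function name `ValidateWAFAnnotations` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"sort"
	"strconv"
	"strings"
)

// prefix is taken from the example Ingress in the issue.
const prefix = "custom.nginx.org/app-protect-"

// bundleDir is an assumption: the directory used by the example bundle path.
const bundleDir = "/etc/app_protect/bundles"

// ValidateWAFAnnotations (hypothetical name) returns one message per
// misconfigured annotation; an empty result means the Ingress is accepted.
func ValidateWAFAnnotations(a map[string]string) []string {
	var errs []string
	bad := func(k, why string) { errs = append(errs, prefix+k+": "+why) }
	for _, k := range []string{"enable", "security-log-enable"} {
		if v, ok := a[prefix+k]; ok && v != "true" && v != "false" {
			bad(k, `must be "true" or "false"`)
		}
	}
	if v, ok := a[prefix+"policy"]; ok {
		// Reject relative paths and ".." segments that leave the bundle directory.
		if path.Clean(v) != v || path.Dir(v) != bundleDir || !strings.HasSuffix(v, ".tgz") {
			bad("policy", "must be a .tgz bundle directly under "+bundleDir)
		}
	} else if a[prefix+"enable"] == "true" {
		bad("policy", "required when WAF is enabled")
	}
	if v, ok := a[prefix+"security-log-destination"]; ok {
		host, port, err := net.SplitHostPort(strings.TrimPrefix(v, "syslog:server="))
		n, perr := strconv.Atoi(port)
		if !strings.HasPrefix(v, "syslog:server=") || err != nil || host == "" ||
			perr != nil || n < 1 || n > 65535 {
			bad("security-log-destination", "must be syslog:server=<host>:<port>")
		}
	}
	sort.Strings(errs) // stable order for events and tests
	return errs
}

func main() {
	// Constructed input: a traversal in the policy path and an out-of-range port.
	fmt.Println(ValidateWAFAnnotations(map[string]string{
		prefix + "enable": "true", prefix + "policy": bundleDir + "/../x.tgz",
		prefix + "security-log-destination": "syslog:server=127.0.0.1:99999"}))
}
```

A controller would reject the Ingress and surface the returned messages whenever the slice is non-empty.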

Hi @shaun-nx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

shaun-nx added the "ready for refinement" label Oct 24, 2024
shaun-nx changed the title from "waf Policy support for kind: Ingress" to "Ingress annotation for WAF policy behaviour" Nov 5, 2024
shaun-nx moved this from Todo ☑ to Prioritized backlog in NGINX Ingress Controller Nov 11, 2024
danielnginx added the "needs more info" label Nov 12, 2024
shaun-nx changed the title from "Ingress annotation for WAF policy behaviour" to "Ingress annotation for WAF policy behaviour for NAP v5" Nov 25, 2024