solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page:https://docs.solo.io/


WAF configuration using K8s ConfigMap doesn't work in Gateway object

htech7x opened this issue · comments

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16.7

Kubernetes Version

1.28.5

Describe the bug

WAF filter configuration in Gloo EE using a k8s ConfigMap works with the VirtualService object and at the "routes" level, but does not work with the Gateway object.

Expected Behavior

WAF filtering works

Steps to reproduce the bug

  1. Create ConfigMap from the file "wafip.conf":
SecRuleEngine On
SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"

kubectl create cm mywaf --from-file=wafip.conf -n gloo-system

  2. Edit Gateway object:
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options:                          # < --- add this line
      waf:                            # < --- add this line
        configMapRuleSets:            # < --- add this line
        - configMapRef:               # < --- add this line
            name: mywaf               # < --- add this line
            namespace: gloo-system    # < --- add this line
  options:
    accessLoggingService:
      accessLog:
      - fileSink:
          path: /dev/stdout
          stringFormat: |
            [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
  - gateway-proxy
  ssl: false
  useProxyProto: false
  3. Check:
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 200 OK
content-type: text/xml
date: Fri, 19 Apr 2024 17:32:31 GMT
content-length: 86
x-envoy-upstream-service-time: 0
server: envoy

[{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]

logs:
[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream 192.168.12.227:8080 default-petstore-8080_gloo-system

Using the same ConfigMap in a VirtualService works as expected:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: pet-vs
  namespace: gloo-system
spec:
  virtualHost:
    options:
      waf:
        configMapRuleSets:
        - configMapRef:
            name: mywaf
            namespace: gloo-system
    domains:
    - pet.com
    routes:
    - matchers:
      - prefix: /zoo
      options:
        prefixRewrite: /api/pets
      routeAction:
        single:
          upstream:
            name: default-petstore-8080
            namespace: gloo-system

curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:33:44 GMT
server: envoy

ModSecurity: intervention occurred%

logs:
[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - default-petstore-8080_gloo-system

Using the WAF rules directly in the Gateway works as expected:

apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options:
      waf:
        ruleSets:
        - ruleStr: |
            SecRuleEngine On
            SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"
  options:
    accessLoggingService:
      accessLog:
      - fileSink:
          path: /dev/stdout
          stringFormat: |
            [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
  - gateway-proxy
  ssl: false
  useProxyProto: false
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:50:24 GMT
server: envoy

ModSecurity: intervention occurred%

logs:
[2024-04-19T18:50:24.450Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"17135526242.949542"]_[ref_"v0,13"] - default-petstore-8080_gloo-system

Additional Environment Detail

No response

Additional Context

No response
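As an added check, not part of this issue or of the Gloo project: a small Python parser for the access log stringFormat configured on the Gateway above. It tells a request that was simply proxied (200 via_upstream) from one the WAF denied (403 UAEX with ModSecurity details), so a defender can confirm from the logs alone whether the WAF filter engaged on a route. The two sample lines are the ones quoted in this issue; the field names are assumptions matching the stringFormat order.

```python
import re

# Field order of the access log stringFormat configured on the Gateway in this issue.
FIELDS = ("start_time", "method", "original_path", "path", "resp_path", "protocol",
          "response_code", "response_flags", "response_code_details",
          "upstream_host", "upstream_cluster")
# Envoy writes RESPONSE_CODE_DETAILS with spaces replaced by underscores, so the whole
# ModSecurity message is a single whitespace-free token and str.split() is safe.
_CLIENT_RE = re.compile(r'^\[client_([^\]]+)\]')
_ID_RE = re.compile(r'\[id_"(\d+)"\]')
_MSG_RE = re.compile(r'\[msg_"([^"]*)"\]')

# Sample input: the two log lines quoted in this issue (request proxied vs. denied).
SAMPLE_LOGS = [
    '[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream '
    '192.168.12.227:8080 default-petstore-8080_gloo-system',
    '[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]'
    '_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch\'_with'
    '_parameter_`173.175.0.0/16,10.10.11.101\'_against_variable_`REMOTE_ADDR\'_(Value:_'
    '`192.168.15.38\'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]'
    '_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]'
    '_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - '
    'default-petstore-8080_gloo-system',
]

def parse_line(line: str) -> dict:
    """Split one access log line into the 11 named fields; raise on a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def waf_event(line: str) -> "dict | None":
    """Return {client_ip, rule_id, msg, status} for a ModSecurity denial, else None."""
    rec = parse_line(line)
    details = rec["response_code_details"]
    # Denied requests in this issue carry Envoy's UAEX flag plus ModSecurity details.
    if "UAEX" not in rec["response_flags"] or "ModSecurity" not in details:
        return None
    client, rid, msg = (r.search(details) for r in (_CLIENT_RE, _ID_RE, _MSG_RE))
    if not (client and rid and msg):
        return None
    return {"client_ip": client.group(1), "rule_id": int(rid.group(1)),
            "msg": msg.group(1).replace("_", " "), "status": int(rec["response_code"])}

def waf_engaged(lines: list, path: str) -> bool:
    """True if any request for `path` (before or after prefixRewrite) was WAF-denied."""
    return any(waf_event(line) is not None for line in lines
               if path in (parse_line(line)["original_path"], parse_line(line)["path"]))
```

Run over logs from the ConfigMap-on-Gateway setup reported above, `waf_engaged(lines, "/zoo")` returns False, which is the symptom of this bug; with the inline ruleStr or VirtualService configuration it returns True.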

@nfuden Interesting, this works from direct config or mounting from a file but not from a ConfigMap?


@kcbabo We've seen this same behavior following the latest documentation. Applying the rules directly to the gateway works, but referencing a ConfigMap from the gateway does not.