[RS-2338] Update WAF docs following changes to configmap name and format #1886

Draft: wants to merge 3 commits into base: main
48 changes: 26 additions & 22 deletions calico-enterprise/threat/web-application-firewall.mdx
@@ -25,7 +25,7 @@
### About $[prodname] WAF

WAF is deployed in your cluster with Envoy as a sidecar container on your pods. $[prodname] proxies traffic through Envoy, checking HTTP requests using the industry-standard
[ModSecurity](https://owasp.org/www-project-modsecurity-core-rule-set/) with OWASP Core Rule Set `v4.0.0-rc2` with some modifications for Kubernetes workloads.
[ModSecurity](https://owasp.org/www-project-modsecurity-core-rule-set/) with OWASP Core Rule Set `v4.7.0` with some modifications for Kubernetes workloads.

You simply enable WAF in the web console, and determine the deployments that you want to enable for WAF protection. By default WAF is set to `DetectionOnly` so no traffic will be denied until you are ready to turn on blocking mode.

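Review bot: the `v4.7.0` string introduced on line 26 has to stay in step with the `coreruleset` list item further down this same file, which is also bumped to v4.7.0 in this PR; a short comment or a single shared reference would stop the two drifting apart on the next upgrade. While touching this line: it still describes the engine as "the industry-standard ModSecurity", although the link points at the OWASP Core Rule Set project and the section below says the setup files come from Coraza WAF; and "with OWASP Core Rule Set `v4.7.0` with some modifications" stacks two "with"s. Suggest: "checking HTTP requests against the OWASP Core Rule Set `v4.7.0`, with some modifications for Kubernetes workloads."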
@@ -140,25 +140,25 @@
Reviewing the default rule set config:

```bash
Include @coraza.conf-recommended
Include @crs-setup.conf.example
Include @owasp_crs/*.conf
Include coraza.conf
Include crs-setup.conf
Include coreruleset/*.conf

SecRuleEngine DetectionOnly
```

The configuration file starts with importing the appropriate rule set config. We use Coraza WAF's recommended [Core Rule Set setup](https://coraza.io/docs/tutorials/coreruleset/) files:

1. Coraza recommended [configuration](https://github.com/corazawaf/coraza/blob/main/coraza.conf-recommended)
1. The rest of the [coreruleset](https://github.com/coreruleset/coreruleset) files, currently [v4.0.0-rc2](https://github.com/coreruleset/coreruleset/tree/v4.0.0-rc2)
1. Coraza recommended configuration with [coraza.conf](https://github.com/corazawaf/coraza-coreruleset/blob/main/rules/%40coraza.conf-recommended) and [crs-setup.conf](https://github.com/corazawaf/coraza-coreruleset/blob/main/rules/%40crs-setup.conf.example) (kept in the same ConfigMap)

[vale] Vale.Terms (line 152, column 43): Use 'Coraza' instead of 'coraza'.
1. The rest of the [coreruleset](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs) files, currently [v4.7.0](https://github.com/corazawaf/coraza-coreruleset/tree/v4.7.0/rules/%40owasp_crs)

[vale] Vale.Spelling (line 153, column 21): Did you really mean 'coreruleset'?

These files can be customized if desired. Add all your customizations directly under `tigera.conf`:

```bash
kubectl edit cm -n tigera-operator modsecurity-ruleset
kubectl edit cm -n tigera-operator tigera-waf-config
```

After editing this ConfigMap successfully, the `modsecurity-ruleset` ConfigMap will be replaced in the `tigera-operator` namespace,
After editing this ConfigMap successfully, the `tigera-waf-config` ConfigMap will be replaced in the `tigera-operator` namespace,
which then triggers a rolling restart of your L7 pods. This means that the HTTP connections going through L7 pods at the time of pod termination will be (RST) reset.

:::note
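Review bot: the new item 1 (line 152) puts the file names `coraza.conf` and `crs-setup.conf` in plain link text, while the rest of the page writes file names such as `tigera.conf` in code font; wrapping them in backticks keeps the convention and stops the terms linter from reading the lowercase "coraza" in a file name as a product-name misspelling. Two further points in this hunk: the `Include` directives switch from the `@`-prefixed embedded names to bare file names, so the text should say what those names are resolved against (the keys of the `tigera-waf-config` ConfigMap as mounted in the pod), since the previous version documented an absolute path and a reader can no longer infer it; and the sentence "After editing this ConfigMap successfully, the `tigera-waf-config` ConfigMap will be replaced in the `tigera-operator` namespace" names the same object twice, so it is unclear what replaces what; suggest "Once the edit is saved, the operator picks up the updated `tigera-waf-config` ConfigMap and triggers a rolling restart of your L7 pods." Also "(RST) reset" reads better as "reset (RST)". Finally, with `coraza.conf` and `crs-setup.conf` now being ordinary keys in the same ConfigMap next to `tigera.conf`, state whether editing those two is supported or whether the guidance "Add all your customizations directly under `tigera.conf`" means they are overwritten on upgrade.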
@@ -177,7 +177,7 @@

1. Edit the configmap:
```bash
kubectl edit cm -n tigera-operator modsecurity-ruleset
kubectl edit cm -n tigera-operator tigera-waf-config
```
2. Look for `SecRuleEngine DetectionOnly` and change it to `SecRuleEngine On`.
3. Save your changes. This triggers a rolling update of the L7 pods.
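Review bot: step 2 tells the reader to look for `SecRuleEngine DetectionOnly` but, now that the ConfigMap carries several files (`coraza.conf`, `crs-setup.conf`, `tigera.conf`), does not say under which key; since `coraza.conf` may contain its own `SecRuleEngine` line, say explicitly that the directive to change is the one under the `tigera.conf` key, which is the last file included and therefore wins.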
@@ -195,10 +195,10 @@
An example is adding a sampling mode. For that, the `tigera.conf` will look like this:

```bash
# Core Rule Set activation
Include @coraza.conf-recommended
Include @crs-setup.conf.example
Include @owasp_crs/*.conf
# CoreRuleset activation
Include coraza.conf
Include crs-setup.conf
Include coreruleset/*.conf

SecRuleEngine DetectionOnly

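Review bot: the comment rename from `# Core Rule Set activation` to `# CoreRuleset activation` introduces a spelling that is neither the product name used elsewhere on this page ("OWASP Core Rule Set") nor the repository name (`coreruleset`); keep `# Core Rule Set activation`, which also matches the wording the rest of the page uses.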
@@ -261,24 +261,26 @@

```
tigera.conf
coraza.conf
crs-setup.conf
wordpress-rule-exclusions-before.conf
wordpress-rule-exclusions-config.conf
```

and then `tigera.conf` contents should be:

```bash
Include @coraza.conf-recommended
Include coraza.conf

Include /etc/modsecurity-ruleset/wordpress-rule-exclusions-config.conf
Include /etc/modsecurity-ruleset/wordpress-rule-exclusions-before.conf
Include wordpress-rule-exclusions-config.conf
Include wordpress-rule-exclusions-before.conf

Include @crs-setup.conf.example
Include @owasp_crs/*.conf
Include crs-setup.conf
Include coreruleset/*.conf

# if your plugin has an -after.conf, include them here
# but wordpress rule exclusions doesn't so we're adding a comment placeholder
# Include /etc/modsecurity-ruleset/wordpress-rule-exclusions-after.conf
# Include wordpress-rule-exclusions-after.conf

SecRuleEngine DetectionOnly
```
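Review bot: `coraza.conf` and `crs-setup.conf` now appear in the list of files the reader must have on disk, but nothing here says where to get them; because the `kubectl replace` flow further down rebuilds the whole ConfigMap from local files, a reader who only creates `tigera.conf` and the two plugin files will ship a ConfigMap whose `Include coraza.conf` resolves to nothing. Suggest a sentence before the file list pointing at the upstream files linked earlier in this section, or telling the reader to extract the current ones from the live `tigera-waf-config` ConfigMap first. The include order itself (coraza.conf, plugin config and before files, crs-setup.conf, rule set, after files) is the right one for CRS plugins and is worth stating as such, since the plugin docs link only appears at the end of the section.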
@@ -289,12 +291,14 @@
## create the configuration map itself
kubectl create cm --dry-run=client \
--from-file=tigera.conf \
--from-file=coraza.conf \
--from-file=crs-setup.conf \
--from-file=wordpress-rule-exclusions-config.conf \
--from-file=wordpress-rule-exclusions-before.conf \
-n tigera-operator modsecurity-ruleset -o yaml > rule set.configmap.yaml
-n tigera-operator tigera-waf-config -o yaml > ruleset.configmap.yaml

## replace active configmap
kubectl replace -f rule set.configmap.yaml
kubectl replace -f ruleset.configmap.yaml
```

Read more about the order of execution for plugins here: https://coreruleset.org/docs/4-about-plugins/4-1-plugins/
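Review bot: say why `--from-file=coraza.conf` and `--from-file=crs-setup.conf` were added to the `kubectl create cm` command: `kubectl replace` overwrites the entire object, so any key not re-supplied from a local file is dropped from the live ConfigMap, and the bare `Include coraza.conf` / `Include crs-setup.conf` lines in `tigera.conf` then break. It is also worth noting that `--from-file` uses the local file's basename as the ConfigMap key, so the files must be named exactly as the `Include` directives expect. The rename of the output file from `rule set.configmap.yaml` to `ruleset.configmap.yaml` removes a space that would have required quoting; good fix.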
@@ -338,7 +342,7 @@

#### Valid YAML

WAF enabled, ALP disabled, and Log collection is unspecified (and the default is disabled)
WAF disabled, ALP enabled (using per-host proxy), and Log collection is unspecified (and the default is disabled)

```yaml
apiVersion: operator.tigera.io/v1
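Review bot: this hunk only inverts the caption (WAF enabled, ALP disabled becomes WAF disabled, ALP enabled using per-host proxy) while the YAML body that follows is unchanged in the diff; please confirm the example manifest under "#### Valid YAML" actually matches the new description, or the caption and the YAML will contradict each other. "per-host proxy" is also not defined anywhere in the visible change; link the term to the section that introduces it.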