elastisys / compliantkubernetes-apps

Elastisys Compliant Kubernetes is an open source, Certified Kubernetes distribution designed according to the ISO27001 controls: providing you with security tooling and observability from day one.
https://elastisys.io/compliantkubernetes/
Apache License 2.0

[3] Ingress-nginx - enable modsecurity #536

Closed crssnd closed 2 years ago

crssnd commented 3 years ago

What should be investigated
Enabling modsecurity for ingress-nginx.

Definition of Done
Is it feasible to enable modsecurity? Can we enable/disable enable-owasp-core-rules per domain? How easy? What is the performance impact of enabling this?

tordsson commented 3 years ago

Enforcing WAF-style protection rules using ingress or Falco? What is your opinion @cristiklein ?

cristiklein commented 3 years ago

This sounds like a really cool feature to have in Compliant Kubernetes.

I'm tempted to wait a bit and see where this project is heading: https://github.com/bunkerity/bunkerized-nginx#kubernetes

crssnd commented 2 years ago

@cristiklein how long are you willing to wait for bunkerized-nginx kubernetes integration go stable?

cristiklein commented 2 years ago

@crssnd Is it as simple as adding two lines in the Ingress ConfigMap?

enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"

If yes, then I wouldn't wait any longer.

crssnd commented 2 years ago

@cristiklein according to the docs: "It can be enabled for a particular set of ingress locations. The ModSecurity module must first be enabled by enabling ModSecurity in the ConfigMap. Note this will enable ModSecurity for all paths, and each path must be disabled manually."

The short answer is yes, but let's see what the investigation will reveal :)
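As an added example (not code from the issue or from the Compliant Kubernetes project), the two ConfigMap lines discussed above, combined with a detection-only rollout snippet and the per-Ingress opt-out that the quoted docs refer to; the object names, namespace, hostname and service are assumptions:

```yaml
# Cluster-wide: turn on ModSecurity and the OWASP CRS in the controller ConfigMap.
# Name and namespace are assumptions; use those of your ingress-nginx release.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  # Start in detection-only mode: CRS matches are logged (JSON on stdout, so
  # they reach the cluster log pipeline) but requests are not blocked.
  # Change to "SecRuleEngine On" once false positives have been reviewed.
  modsecurity-snippet: |
    SecRuleEngine DetectionOnly
    SecAuditEngine RelevantOnly
    SecAuditLog /dev/stdout
    SecAuditLogFormat JSON
---
# Per-Ingress opt-out: the ConfigMap setting applies to every path, so a path
# that must not be inspected (a hypothetical legacy upload endpoint here) is
# excluded explicitly with the enable-modsecurity annotation set to "false".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy-upload
  namespace: legacy
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "false"
spec:
  ingressClassName: nginx
  rules:
  - host: upload.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: legacy-upload
            port:
              number: 8080
```

To confirm what the controller actually rendered after applying both objects, dump the live nginx configuration with `kubectl -n ingress-nginx exec deploy/ingress-nginx-controller -- nginx -T | grep -i modsecurity` and check that the opted-out location carries `modsecurity off` while the rest carry `modsecurity on`.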