nginxinc / kubernetes-ingress

NGINX and NGINX Plus Ingress Controllers for Kubernetes
https://docs.nginx.com/nginx-ingress-controller
Apache License 2.0
4.68k stars 1.97k forks source link

Remove unnecessary validation of WAF bundle filepaths used in `apBundle` and `apLogBundle` fields of waf Policy #6641

Open tstraley opened 1 month ago

tstraley commented 1 month ago

Is your feature request related to a problem? Please describe. As a user with many different WAF policies being defined using pre-compiled bundles, I want to be able to keep my various bundle files that I manage well-organized.

For example, I have several different Virtual Servers, and many different routes. Some of these routes are used for gRPC traffic, which require their own grpc-profiles in the WAF policies, while others may have specific signatures and bot policies. There is also the need to be able to provide new versions as we pick up the latest attack signatures & threat campaigns, or need to compile new versions for a NIC upgrade that has a new WAF engine version.

These result in bundles that we'd like to organize in a logical filesystem hierarchy, a la /etc/nginx/waf/bundles/version/server/route/policy.tgz. Or to put in more concrete examples: /etc/nginx/waf/bundles/3.6.2-11.48.0/cafe/coffee/blocking.tgz, /etc/nginx/waf/bundles/3.7.0-11.133.0/cafe/tea/transparent.tgz, etc. (where apBundle: "3.6.2-11.48.0/cafe/coffee/blocking.tgz"

Unfortunately, this would result in a validation error:

Invalid value: "3.6.2-11.48.0/cafe/coffee/blocking.tgz": a qualified name must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')]

Describe the solution you'd like Given that this apBundle and apLogBundle are supposed to be filepaths, ideally the validation would only consist of confirming the file does exist and is readable. The use of k8s "Qualified Name" validation on these fields is restrictive to managing many bundle files in a logical way, and doesn't make sense to do for filepaths (qualified names are for k8s resource references, as I understand it).

Describe alternatives you've considered Because the "Qualified Name" validation allows a dir/file pattern (simply by coincidence) I can organize bundle files in a single nested directory, eg. cafe-policies/coffee-blocking-11.48.0.tgz is allowed, and works just fine.

I can also make really complex file names and dump ALL policy bundles and log bundles into a single directory (this seems to be the suggested methodology) but then it makes management of these bundles unnecessarily difficult.

Additional context

github-actions[bot] commented 1 month ago

Hi @tstraley thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

tstraley commented 1 month ago

TLDR:

I am using v4. I have successfully used the documentation to create waf policies using bundles that are in my mounted volume.

I can set apBundle: parent-dir/bundle1.tgz and everything works great (the full filepath on the file system is /etc/nginx/waf/bundles/parent-dir/bundle1.tgz). No issues. No errors. NIC works. WAF works. I'm happy.

But then I do apBundle: parent-dir/other-dir/bundle2.tgz (the file exists in the proper volume like above), and now suddenly I get a validation error. This is a poor experience. I see no reason I shouldn't be able to organize these files into a nested directory, when I can use a single directory without any technical issue.