Commit 79a41c50 authored by Lucas Charles's avatar Lucas Charles Committed by Mayra Cabrera

Enable modsecurity in nginx-ingress deployments

Update the default ingress chart to enable modsecurity along with the
default Core Rule Set.

This functionality uses the default settings of
"detection-only" mode to log requests to the audit log but blocks no
traffic by default

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
parent 461a6b90
...@@ -35,6 +35,10 @@ module Clusters ...@@ -35,6 +35,10 @@ module Clusters
'stable/nginx-ingress' 'stable/nginx-ingress'
end end
def values
content_values.to_yaml
end
def allowed_to_uninstall? def allowed_to_uninstall?
external_ip_or_hostname? && application_jupyter_nil_or_installable? external_ip_or_hostname? && application_jupyter_nil_or_installable?
end end
...@@ -67,6 +71,23 @@ module Clusters ...@@ -67,6 +71,23 @@ module Clusters
private private
def specification
return {} unless Feature.enabled?(:ingress_modsecurity)
{
"controller" => {
"config" => {
"enable-modsecurity" => "true",
"enable-owasp-modsecurity-crs" => "true"
}
}
}
end
def content_values
YAML.load_file(chart_values_file).deep_merge!(specification)
end
def application_jupyter_nil_or_installable? def application_jupyter_nil_or_installable?
cluster.application_jupyter.nil? || cluster.application_jupyter&.installable? cluster.application_jupyter.nil? || cluster.application_jupyter&.installable?
end end
......
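Review bot: `specification` turns on the ModSecurity module and the OWASP CRS but never sets the rule engine mode, so the "detection-only, blocks no traffic" behaviour claimed in the commit message is inherited from the ingress-nginx chart defaults rather than established by this code; a comment above the hash should say so, e.g. `# Only the module and CRS are switched on; engine mode is left to the ingress-nginx default (detection-only per upstream docs at time of writing), so this config blocks nothing on its own.` Separately, `content_values` reads the vendored chart values with `YAML.load_file`, which on older Psych versions deserializes arbitrary Ruby objects; the input is repository-controlled today, but `YAML.safe_load(File.read(chart_values_file)).deep_merge!(specification)` costs nothing (assuming values.yaml holds only plain scalars and maps) and guards against the path ever becoming user-influenced. `chart_values_file` is defined outside this hunk, so whether it depends on the cluster or user input is inferred, not visible.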
---
title: Enable modsecurity in nginx-ingress apps
merge_request: 15774
author:
type: added
...@@ -129,6 +129,34 @@ chart is used to install this application with a ...@@ -129,6 +129,34 @@ chart is used to install this application with a
[`values.yaml`](https://gitlab.com/gitlab-org/gitlab-foss/blob/master/vendor/ingress/values.yaml) [`values.yaml`](https://gitlab.com/gitlab-org/gitlab-foss/blob/master/vendor/ingress/values.yaml)
file. file.
#### Modsecurity Application Firewall
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/issues/65192) in GitLab 12.3 (enabled using `ingress_modsecurity` [feature flag](../../development/feature_flags/development.md#enabling-a-feature-flag-in-development)).
GitLab supports
[`modsecurity`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
to check requests against [OWASP's Core Rule Set](https://www.modsecurity.org/CRS/Documentation/).
This feature:
- Runs in "Detection-only mode" unless configured otherwise.
- Is viewable by checking your ingress controller's `modsec` log for rule violations.
For example:
```sh
kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
```
There is a small performance overhead by enabling `modsecurity`. However, if this is
considered significant for your application, you can toggle the feature flag back to
false by running the following command within the Rails console:
```ruby
Feature.disable(:ingress_modsecurity)
```
Once disabled, you must reinstall your ingress application for the changes to
take effect.
### JupyterHub ### JupyterHub
> - Introduced in GitLab 11.0 for project-level clusters. > - Introduced in GitLab 11.0 for project-level clusters.
......
...@@ -131,4 +131,41 @@ describe Clusters::Applications::Ingress do ...@@ -131,4 +131,41 @@ describe Clusters::Applications::Ingress do
expect(values).to include('podAnnotations') expect(values).to include('podAnnotations')
end end
end end
describe '#values' do
let(:project) { build(:project) }
let(:cluster) { build(:cluster, projects: [project]) }
context 'when ingress_modsecurity is enabled' do
before do
stub_feature_flags(ingress_modsecurity: true)
allow(subject).to receive(:cluster).and_return(cluster)
end
it 'includes modsecurity module enablement' do
expect(subject.values).to include("enable-modsecurity: 'true'")
end
it 'includes modsecurity core ruleset enablement' do
expect(subject.values).to include("enable-owasp-modsecurity-crs: 'true'")
end
end
context 'when ingress_modsecurity is disabled' do
before do
stub_feature_flags(ingress_modsecurity: false)
allow(subject).to receive(:cluster).and_return(cluster)
end
it 'excludes modsecurity module enablement' do
expect(subject.values).not_to include('enable-modsecurity')
end
it 'excludes modsecurity core ruleset enablement' do
expect(subject.values).not_to include('enable-owasp-modsecurity-crs')
end
end
end
end end
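Review bot: The `when ingress_modsecurity is enabled` context asserts only that the two new keys appear in the YAML, not that the vendored values survive the `deep_merge!`; since the preceding spec already relies on `podAnnotations` being present, add `expect(subject.values).to include('podAnnotations')` to the enabled context so a regression that replaces rather than merges the chart values is caught. The `allow(subject).to receive(:cluster).and_return(cluster)` stubs in both `before` blocks do not appear to be exercised by `#values` as introduced in this commit; if `chart_values_file` (defined outside this hunk) does not read the cluster, the stubs and the `project`/`cluster` lets can be dropped to keep the spec honest about what `#values` depends on.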