Manage the Web Application Firewall
CloudOps for Kubernetes bundles an optional Web Application Firewall (WAF) that restricts access to Elastic Path services. The bundled WAF is ModSecurity, deployed as a DaemonSet in the Kubernetes cluster and reached by HAProxy through a ClusterIP service. CloudOps for Kubernetes uses the OWASP ModSecurity Core Rule Set (CRS), a free, open source rule set that targets the OWASP Top 10 attack categories.
Deploying WAF During Bootstrap
To include the ModSecurity WAF DaemonSet in the CloudOps for Kubernetes cluster, set the TF_VAR_enable_modsec_waf variable to true in the docker-compose.override.yml file. If you leave TF_VAR_enable_modsec_waf set to false, you can enable the WAF later either by setting it to true and repeating the bootstrap process, or by running the provided update-waf Jenkins job.
Managing WAF using Jenkins
The ModSecurity WAF can be enabled, disabled and managed using the provided update-waf Jenkins job.
Configuring the WAF
The WAF configuration is controlled by files that you check into your CloudOps for Kubernetes Git repository. To modify the WAF configuration, first update these files in your Git repository, then run the update-waf Jenkins job to apply the changes. The files that control the WAF configuration are:
/terraform/modsec-waf/crs-setup.conf
/terraform/modsec-waf/modsecurity.conf
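The excerpts below are an added example of the kind of change a practitioner would check into these two files; they are not the files shipped with CloudOps for Kubernetes. The directives are standard ModSecurity 2.x and CRS 3.x directives. Rule IDs 200001 and 200002 follow the upstream modsecurity.conf-recommended template, but whether the bundled file uses the same IDs is an assumption, and the /api/search endpoint and its q parameter in the final exclusion are hypothetical. The REQBODY_ERROR rule is the mechanism behind the "bad JSON requests" that the badRequestLogging job parameter, described later on this page, surfaces in the pod logs.

```apache
# --- /terraform/modsec-waf/modsecurity.conf (excerpt) ---

# Weak setting: the engine only logs matches and never blocks.
# Useful while tuning rules, but it provides no protection.
# SecRuleEngine DetectionOnly

# Corrected setting: block requests that trip the rules.
SecRuleEngine On

# Inspect request bodies; without this, injection in a POST body is never seen.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Reject (not just ignore) bodies larger than the limits above.
SecRequestBodyLimitAction Reject

# Route JSON bodies to the JSON body processor so the CRS can inspect
# individual fields instead of an opaque blob.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# A body that the JSON (or another) processor could not parse sets REQBODY_ERROR.
# This rule rejects such requests with HTTP 400 and records the parser's message;
# these are the "bad JSON requests" the badRequestLogging job parameter logs.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:200002,phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# Log only transactions that were blocked or returned an error status,
# so the audit log stays readable.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# --- /terraform/modsec-waf/crs-setup.conf (excerpt) ---

# Paranoia level 1 is the CRS 3.x default and produces the fewest false positives.
# Raise it only after reviewing the anomaly scores in the audit log.
SecAction \
    "id:900000,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.paranoia_level=1"

# Anomaly-scoring thresholds: a request is blocked when the summed scores of
# the rules it matched reach the inbound threshold.
# Weak setting: a very high threshold effectively disables blocking.
# SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=1000"
# Corrected setting (CRS defaults): one critical match (score 5) is enough to block.
SecAction \
    "id:900110,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# Targeted exclusion instead of disabling a whole rule group: the hypothetical
# endpoint /api/search legitimately receives SQL-looking text in its q parameter,
# so remove only rule 942100 (libinjection SQLi detection) for that one argument.
SecRule REQUEST_URI "@beginsWith /api/search" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:q"
```

Commit the change, run the update-waf job, and confirm from the audit log that the expected requests are now blocked (or, while still in DetectionOnly, that only the expected rules fire) before raising the paranoia level further.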
For more information about the ModSecurity and OWASP configuration files, see the following resources:
Jenkins Job Parameters
The following parameters are available in the update-waf Jenkins job:
badRequestLogging
If badRequestLogging is set, the ModSecurity DaemonSet logs JavaScript Object Notation (JSON) requests whose bodies ModSecurity could not parse. By default this is false, to reduce noise in the pod logs; enable it temporarily when investigating why the WAF is rejecting requests that look well-formed to the client.
resetWAF
If resetWAF is set, the Jenkins job restarts the ModSecurity DaemonSet after Terraform apply finishes. ModSecurity reads its configuration only at startup, so the pods in the DaemonSet do not pick up configuration changes until they restart. After a configuration change, wait until all new pods are ready and all old pods have terminated. While old pods are still running, a malicious request can be routed to an out-of-date pod that does not yet have the change applied.
deleteWAF
If deleteWAF is set, Terraform runs in destroy mode and removes the WAF from the cluster entirely. Destroy mode also deletes the Terraform workspace and the Kubernetes namespace if they are empty.
plan_mode
When selected, Terraform runs in plan mode and the job prompts you to approve the planned changes before it continues. This works in both setup and destroy modes.
kubernetesClusterName
The Kubernetes cluster on which to update the WAF configuration.
cloudOpsForKubernetesRepoURL
The CloudOps for Kubernetes repository URL to use when cloning the Jenkinsfile and Terraform configuration that define how the infrastructure is deployed.
cloudOpsForKubernetesBranch
The CloudOps for Kubernetes branch to use when cloning the Jenkinsfile and Terraform configuration. This branch defines how the infrastructure deploys.