From d646d8a80b828a1f20d20683c5c426efc0111641 Mon Sep 17 00:00:00 2001 From: Venktesh Date: Wed, 6 Dec 2023 12:39:03 +0000 Subject: [PATCH 1/3] add waf bundle docs --- .../installation-with-manifests.md | 1 + .../app-protect-waf/configuration.md | 23 ++++++++++++++++- .../app-protect-waf/installation.md | 25 +++++++++++++++++++ 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index ec72c4073e..96e7c0f71d 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -105,6 +105,7 @@ If you are installing the CRDs this way, ensure that you have first [cloned the ``` ### Optional custom resource definitions +> **Note** This step can be skipped if you are using App Protect WAF module with policy bundles. 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`: ```shell diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md index fb631d0153..b44a8e0b78 100644 --- a/docs/content/installation/integrations/app-protect-waf/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf/configuration.md 
@@ -18,7 +18,7 @@ NGINX Ingress Controller has a set of global configuration parameters that align You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis. -To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy]({{< relref "configuration/policy-resource.md#waf" >}}). +To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the `APPolicy` Custom Resource or `APPolicy` Bundle, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy]({{< relref "configuration/policy-resource.md#waf" >}}). To configure NGINX App Protect WAF on an Ingress resource, you would apply the [`app-protect` annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource. 
@@ -207,6 +207,27 @@ spec: tag: Fruits ``` +## App Protect WAF Bundles + +You can define App Protect WAF bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. + + +For example, you can configure a policy by referencing generated WAF Policy Bundle: + +> **Note**: Currently we do not support `securityLogs` for policy bundles. +```yaml +apiVersion: k8s.nginx.org/v1 +kind: Policy +metadata: + name: +spec: + waf: + enable: true + apBundle: ".tgz" +``` + +> **Note**: Before applying the policy, a WAF Policy Bundle must be created, copied to a volume, and the volume must be mounted to `/etc/nginx/waf/bundles`. + ## OpenAPI Specification in NGINX Ingress Controller The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details. diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md index 696084e63d..9ab4b891d7 100644 --- a/docs/content/installation/integrations/app-protect-waf/installation.md +++ b/docs/content/installation/integrations/app-protect-waf/installation.md 
@@ -63,6 +63,31 @@ Take the steps below to set up and deploy the NGINX Ingress Controller and App P 2. [Create the common Kubernetes resources]({{< relref "installation/installing-nic/installation-with-manifests.md#create-common-resources" >}}). 3. Enable the App Protect WAF module by adding the `enable-app-protect` [cli argument]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file. + If you intend to use the NGINX Ingress Controller with the AppProtect WAF module and policy bundles, follow these additional steps: + - Skip configuring custom resource definition for `APPolicy` `APLogConf` and `APUserSig`. + - Create and configure [Persistent Volume and Persistent Volume Claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) in your Kubernetes cluster. + - Modify NGINX Ingress Controller Deployment or DaemonSet file to include volumes and volume mounts. + + Make the following changes: + Add `volumes` section to deployment template spec: + ```yaml + ... + volumes: + - name: + persistentVolumeClaim: + claimName: + ... + ``` + Add volume mounts to `containers` section: + ```yaml + ... + volumeMounts: + - name: + mountPath: /etc/nginx/waf/bundles + ... + ``` + > **Important**: NGINX Ingress Controller requires the volume mount path to be `/etc/nginx/waf/bundles` + 4. [Deploy the Ingress Controller]({{< relref "installation/installing-nic/installation-with-manifests.md#deploy-ingress-controller" >}}). 
For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/ingress-resources/app-protect-waf" >}}). From 3c978d0704784b75e04631e69a1f4c74493bcbbd Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Wed, 6 Dec 2023 13:50:52 +0000 Subject: [PATCH 2/3] update with review suggestion Co-authored-by: Alan Dooley Signed-off-by: Venktesh Shivam Patel --- .../installation/installing-nic/installation-with-manifests.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index 96e7c0f71d..9c68b30fb2 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -105,7 +105,8 @@ If you are installing the CRDs this way, ensure that you have first [cloned the ``` ### Optional custom resource definitions -> **Note** This step can be skipped if you are using App Protect WAF module with policy bundles. +{{< note >}} This step can be skipped if you are using App Protect WAF module with policy bundles. {{< /note >}} + 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`: ```shell From 70a347076deaec4a284a1838604087bda70f99e2 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:51:09 +0000 Subject: [PATCH 3/3] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../installation/installing-nic/installation-with-manifests.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index 9c68b30fb2..8cce2039a2 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -105,7 +105,7 @@ If you are installing the CRDs this way, ensure that you have first [cloned the ``` ### Optional custom resource definitions -{{< note >}} This step can be skipped if you are using App Protect WAF module with policy bundles. {{< /note >}} +{{< note >}} This step can be skipped if you are using App Protect WAF module with policy bundles. {{< /note >}} 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`:
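Review bot: In the `configuration.md` hunk at `@@ -18,7 +18,7 @@`, the new wording "`APPolicy` Bundle" puts a CRD kind name in code formatting for something that is not an `APPolicy` resource. The same patch tells bundle users to skip the `APPolicy` CRD entirely, and the rest of the change calls the artifact a "WAF Policy Bundle" referenced through `apBundle`. Suggest "referencing the `APPolicy` Custom Resource or a WAF Policy Bundle" so readers do not go looking for an `APPolicy` object in bundle mode.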
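Review bot: In the `configuration.md` hunk at `@@ -207,6 +207,27 @@`, the example Policy cannot be applied as shown: `metadata.name` is empty and the bundle reference is `apBundle: ".tgz"`. If placeholders were intended they are not visible in the diff, so use a concrete example name or a placeholder that survives rendering, and state whether `apBundle` takes a bare file name relative to `/etc/nginx/waf/bundles` or a full path. The closing note says the bundle "must be created" but gives no pointer to how; a link to the bundle build step would close that gap. The `securityLogs` limitation note also sits between the "For example" sentence and the fence with no blank line before the fence; it reads better after the example, next to the mount-path note.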
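Review bot: In the `installation.md` hunk at `@@ -63,6 +63,31 @@`, both YAML snippets leave `name:` and `claimName:` without values, and the text never says that the `volumes` entry name and the `volumeMounts` entry name must be the same string, which is the most common way this step fails. Fill in visible placeholders and add one sentence tying the two names together. Since the steps describe copying finished bundles onto the volume for the controller to consume, consider showing `readOnly: true` on the mount unless the controller needs to write to `/etc/nginx/waf/bundles`. Smaller points: the first bullet is missing a comma in "`APPolicy` `APLogConf` and `APUserSig`", and "AppProtect WAF" should match "App Protect WAF" used everywhere else in the patch.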
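Review bot: The move to the `{{< note >}}` shortcode in patch 2/3 covers only `installation-with-manifests.md`; the callouts added in patch 1/3 to `configuration.md` (`> **Note**:`) and `installation.md` (`> **Important**:`) still use blockquote style, so the series ends with two conventions for the same kind of callout. Convert those as well, or keep blockquotes throughout. The sentence inside the shortcode also reads better as "if you are using the App Protect WAF module with policy bundles".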