Example NGINX App Protect deployed on Kubernetes Ingress Controller
Problem this snippet solves:
This code offers two examples of deploying NGINX App Protect with the NGINX Kubernetes Ingress Controller: one controller instance protecting a traditional web application and one protecting an API.
How to use this snippet:
The manifests can be applied manually with kubectl or as part of a CI/CD pipeline.
Code:
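#### Deploy NGINX Plus Ingress for WebApp from Gitlab.com #####
# NGINX Plus Ingress Controller instance for the traditional web application.
# It reconciles only Ingress objects carrying the class
# `webapp-arcadia-ingress-class` and runs with App Protect enabled.
# Not included in this snippet but required before applying: the
# `nginx-ingress` namespace and ServiceAccount, the `nginx-config` ConfigMap
# and the `default-server-secret` TLS Secret referenced in the args below.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp-nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp-nginx-ingress
  template:
    metadata:
      labels:
        app: webapp-nginx-ingress
      # Uncomment together with the prometheus port and arg below to scrape metrics.
      # annotations:
      #   prometheus.io/scrape: "true"
      #   prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      imagePullSecrets:
        # Fill in: the Secret holding the registry credentials for the NGINX Plus image.
        - name: "<IMAGE-PULL-SECRET-NAME>"
      containers:
        # Fill in: the NGINX Plus Ingress Controller image (built with App Protect)
        # from your private registry. The original snippet left this empty, which
        # the API server rejects.
        - image: "<REGISTRY>/<NGINX-PLUS-INGRESS-IMAGE>:<TAG>"
          name: webapp-nginx-plus-ingress
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            # - name: prometheus
            #   containerPort: 9113
          securityContext:
            # All capabilities are dropped except NET_BIND_SERVICE, which lets UID
            # 101 bind ports 80/443. Privilege escalation is left allowed, as in the
            # upstream NGINX Ingress Controller manifest this appears to be copied
            # from; confirm whether the image you pull still needs it and set it
            # to false if it does not.
            allowPrivilegeEscalation: true
            runAsUser: 101  # nginx
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          args:
            - -nginx-plus
            - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
            - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
            - -enable-app-protect
            # Only Ingress objects annotated with this class are handled here.
            - -ingress-class=webapp-arcadia-ingress-class
            # - -v=3  # Enables extensive logging. Useful for troubleshooting.
            # - -report-ingress-status
            # - -external-service=nginx-ingress
            # - -enable-leader-election
            # - -enable-prometheus-metrics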
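#### WebApp Protect Policy ###
# App Protect policy for the web application: the base NGINX template in
# blocking mode, with Data Guard enabled to mask credit-card and US Social
# Security number patterns and to alarm and block on VIOL_DATA_GUARD.
# The webapp Ingress refers to it as `default/webapp-dataguard-blocking`
# (namespace/name), so the policy is pinned to the `default` namespace here
# instead of landing in whatever namespace the kubectl context selects.
---
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: webapp-dataguard-blocking
  namespace: default
spec:
  policy:
    name: webapp-dataguard-blocking
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
    applicationLanguage: utf-8
    enforcementMode: blocking
    blocking-settings:
      violations:
        - name: VIOL_DATA_GUARD
          alarm: true
          block: true
    data-guard:
      enabled: true
      maskData: true
      creditCardNumbers: true
      usSocialSecurityNumbers: true
      # "ignore the URLs in the list" with an empty list: Data Guard applies
      # to every URL.
      enforcementMode: ignore-urls-in-list
      enforcementUrls: []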
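### App Protect Logs ###
# Security-log configuration shared by both Ingresses in this snippet: every
# request type (not only violations) is logged in the default format, so
# legitimate traffic and its payload end up at the destination too; narrow
# the filter if log volume or payload exposure is a concern.
# Referenced by the Ingresses as `default/logconf`, so it is pinned to the
# `default` namespace. The destination itself is set per Ingress through the
# `app-protect-security-log-destination` annotation.
---
apiVersion: appprotect.f5.com/v1beta1
kind: APLogConf
metadata:
  name: logconf
  namespace: default
spec:
  filter:
    request_type: all
  content:
    format: default
    max_request_size: any
    max_message_size: 5k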
### Create Ingress Service ####
# NodePort Service in front of the webapp NGINX Plus Ingress pods: HTTP on
# node port 30274 and HTTPS on node port 30275, reachable on every node.
---
apiVersion: v1
kind: Service
metadata:
  name: webapp-nginx-ingress
  namespace: nginx-ingress
spec:
  type: NodePort
  selector:
    app: webapp-nginx-ingress
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30274
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 30275
### Deploy Arcadia Ingress Service #####
# Ingress for the Arcadia web application, handled only by the controller
# instance watching `webapp-arcadia-ingress-class`. App Protect is enabled
# with the Data Guard policy and the shared log configuration; security logs
# go as syslog to the host named in the destination annotation, which
# typically carries request contents, so keep it on a trusted network.
# `extensions/v1beta1` Ingress was removed in Kubernetes 1.22; newer clusters
# need `networking.k8s.io/v1` and its backend schema.
# The backend Services (main, backend, app2, app3) are not part of this
# snippet and must exist in the Ingress's namespace.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: webapp-arcadia-ingress
  annotations:
    kubernetes.io/ingress.class: 'webapp-arcadia-ingress-class'
    appprotect.f5.com/app-protect-enable: 'True'
    appprotect.f5.com/app-protect-policy: 'default/webapp-dataguard-blocking'
    appprotect.f5.com/app-protect-security-log-enable: 'True'
    appprotect.f5.com/app-protect-security-log: 'default/logconf'
    appprotect.f5.com/app-protect-security-log-destination: 'syslog:server=10.1.20.6:5144'
spec:
  rules:
    - host: k8s.arcadia-finance.io
      http:
        paths:
          - path: /
            backend:
              serviceName: main
              servicePort: 80
          - path: /files
            backend:
              serviceName: backend
              servicePort: 80
          - path: /api
            backend:
              serviceName: app2
              servicePort: 80
          - path: /app3
            backend:
              serviceName: app3
              servicePort: 80
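#### Deploy WebAPI NGINX Plus Ingress for WebAPI from Gitlab.com #####
# Second NGINX Plus Ingress Controller instance, dedicated to the API. It
# reconciles only Ingress objects carrying `webapi-arcadia-ingress-class`
# and shares the ServiceAccount, ConfigMap and default TLS Secret with the
# webapp instance above (none of which are part of this snippet).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapi-nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapi-nginx-ingress
  template:
    metadata:
      labels:
        app: webapi-nginx-ingress
      # Uncomment together with the prometheus port and arg below to scrape metrics.
      # annotations:
      #   prometheus.io/scrape: "true"
      #   prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      imagePullSecrets:
        # Fill in: the Secret holding the registry credentials for the NGINX Plus image.
        - name: "<IMAGE-PULL-SECRET-NAME>"
      containers:
        # Fill in: the NGINX Plus Ingress Controller image (built with App Protect)
        # from your private registry. The original snippet left this empty, which
        # the API server rejects.
        - image: "<REGISTRY>/<NGINX-PLUS-INGRESS-IMAGE>:<TAG>"
          name: webapi-nginx-plus-ingress
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            # - name: prometheus
            #   containerPort: 9113
          securityContext:
            # All capabilities are dropped except NET_BIND_SERVICE, which lets UID
            # 101 bind ports 80/443. Privilege escalation is left allowed, as in the
            # upstream NGINX Ingress Controller manifest this appears to be copied
            # from; confirm whether the image you pull still needs it and set it
            # to false if it does not.
            allowPrivilegeEscalation: true
            runAsUser: 101  # nginx
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          args:
            - -nginx-plus
            - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
            - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
            - -enable-app-protect
            # Only Ingress objects annotated with this class are handled here.
            - -ingress-class=webapi-arcadia-ingress-class
            # - -v=3  # Enables extensive logging. Useful for troubleshooting.
            # - -report-ingress-status
            # - -external-service=nginx-ingress
            # - -enable-leader-election
            # - -enable-prometheus-metrics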
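#### App Protect Policy ###
# App Protect policy for the API: the base template plus an OpenAPI 3
# document that drives request enforcement (mandatory body and parameters,
# JSON schema, parameter location, data type, length, allowed values, ...).
# Every violation listed below both alarms and blocks.
# The webapi Ingress refers to it as `default/webapi-blocking`
# (namespace/name), so the policy is pinned to the `default` namespace.
---
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: webapi-blocking
  namespace: default
spec:
  policy:
    name: webapi-blocking
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
    open-api-files:
      # The spec is fetched over plain HTTP from what looks like an internal
      # GitLab raw URL. Whoever can change that file, or sit between the
      # controller and that host, decides what this policy enforces; serve it
      # over HTTPS from a source you control, or review it before each rollout.
      - link: 'http://10.1.20.4/root/nap_kic_openapi/-/raw/master/App/openapi3-arcadia-kic.json'
    applicationLanguage: utf-8
    enforcementMode: blocking
    blocking-settings:
      violations:
        - name: VIOL_MANDATORY_REQUEST_BODY
          alarm: true
          block: true
        - name: VIOL_PARAMETER_LOCATION
          alarm: true
          block: true
        - name: VIOL_MANDATORY_PARAMETER
          alarm: true
          block: true
        - name: VIOL_JSON_SCHEMA
          alarm: true
          block: true
        - name: VIOL_PARAMETER_ARRAY_VALUE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_VALUE_BASE64
          alarm: true
          block: true
        - name: VIOL_FILE_UPLOAD
          alarm: true
          block: true
        - name: VIOL_URL_CONTENT_TYPE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_STATIC_VALUE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_VALUE_LENGTH
          alarm: true
          block: true
        - name: VIOL_PARAMETER_DATA_TYPE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_NUMERIC_VALUE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_VALUE_REGEXP
          alarm: true
          block: true
        - name: VIOL_URL
          alarm: true
          block: true
        - name: VIOL_PARAMETER
          alarm: true
          block: true
        - name: VIOL_PARAMETER_EMPTY_VALUE
          alarm: true
          block: true
        - name: VIOL_PARAMETER_REPEATED
          alarm: true
          block: true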
### Create Ingress Service ####
# NodePort Service in front of the webapi NGINX Plus Ingress pods: HTTP on
# node port 30276 and HTTPS on node port 30277, reachable on every node.
---
apiVersion: v1
kind: Service
metadata:
  name: webapi-nginx-ingress
  namespace: nginx-ingress
spec:
  type: NodePort
  selector:
    app: webapi-nginx-ingress
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30276
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 30277
### Deploy Arcadia Ingress Service #####
# Ingress for the Arcadia API paths, handled only by the controller instance
# watching `webapi-arcadia-ingress-class`. App Protect enforces the
# OpenAPI-driven `webapi-blocking` policy and ships security logs as syslog
# to the host in the destination annotation (keep it on a trusted network).
# Both Ingresses in this snippet use the same host and both route `/api` to
# `app2`; which policy a request to `/api` gets depends on which controller
# instance (NodePort) the client reaches, so front them accordingly.
# `extensions/v1beta1` Ingress was removed in Kubernetes 1.22; newer clusters
# need `networking.k8s.io/v1` and its backend schema.
# Backend Services `main` and `app2` are not part of this snippet.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: webapi-arcadia-ingress
  annotations:
    kubernetes.io/ingress.class: 'webapi-arcadia-ingress-class'
    appprotect.f5.com/app-protect-enable: 'True'
    appprotect.f5.com/app-protect-policy: 'default/webapi-blocking'
    appprotect.f5.com/app-protect-security-log-enable: 'True'
    appprotect.f5.com/app-protect-security-log: 'default/logconf'
    appprotect.f5.com/app-protect-security-log-destination: 'syslog:server=10.1.20.25:5144'
spec:
  rules:
    - host: k8s.arcadia-finance.io
      http:
        paths:
          - path: /trading
            backend:
              serviceName: main
              servicePort: 80
          - path: /api
            backend:
              serviceName: app2
              servicePort: 80