Protect Your Kubernetes Cluster Against The Apache Log4j2 Vulnerability Using BIG-IP

Whenever a high-profile vulnerability like the one in Apache Log4j2 is announced, it is a race to patch and remediate. Luckily, for those of us running BIG-IPs with AWAF (Advanced Web Application Firewall), part of the mitigation is simply updating the attack signatures and applying them in a WAF policy in front of the affected applications.


When duties are consolidated, or SecOps and NetOps both work on the same cluster of BIG-IPs, an AWAF policy can simply be applied to a virtual server. However, as we move into a world of modern application architectures, the Kubernetes administrators are very often a different set of individuals within DevOps. The DevOps team works with NetOps to incorporate BIG-IP as the Ingress to the Kubernetes environment through Container Ingress Services (CIS). CIS provides a declarative configuration in which BIG-IP objects, such as profiles and policies, are referenced by name from Kubernetes resources and folded into the Ingress configuration.


In Container Ingress Services version 2.7, using the Policy CRD (Custom Resource Definition) feature, an existing AWAF policy on the BIG-IP is one of the objects that can be referenced this way. Here is example code defining a Policy CRD that references the WAF policy by its full BIG-IP path (partition and name), along with an HTTP profile and a logging profile:



apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: policy-mysite
  namespace: default
spec:
  l7Policies:
    waf: /Common/WAF_Policy
  profiles:
    http: /Common/Custom_HTTP
    logProfiles:
      - /Common/Log all requests


And here is an example of associating this Policy CRD with the VirtualServer CRD:



apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-myapp
  labels:
    f5cr: "true"
spec:
  # TLS terminates on BIG-IP via the reencrypt-tls TLSProfile, so the WAF
  # policy referenced by policy-mysite inspects decrypted traffic; plain
  # HTTP is redirected to HTTPS.
  virtualServerAddress: "10.192.75.117"
  virtualServerHTTPSPort: 443
  httpTraffic: redirect
  tlsProfileName: reencrypt-tls
  policyName: policy-mysite
  host: myapp.f5demo.com
  pools:
  - path: /
    service: f5-demo
    servicePort: 443
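The two manifests above only result in a WAF policy on the virtual server when their cross-references line up: the VirtualServer's policyName must match a Policy in the same namespace, both objects need the f5cr label that CIS watches for, and the waf value must be a full BIG-IP path. The following pre-apply lint is an added example, not code from the article, from F5 or from the CIS project; it operates on the manifests as parsed dicts (what yaml.safe_load returns), using constructed copies of the article's two YAML objects as input, and its findings text and function names are its own.

```python
"""Pre-apply lint for a CIS Policy CRD + VirtualServer CRD pair.

Added example (not part of the article or of CIS). It checks the
cross-references CIS requires before a WAF policy actually lands on the
virtual server. Manifests are handled as parsed dicts; in practice load
them with yaml.safe_load() from the files you are about to kubectl apply.
"""
from copy import deepcopy
from typing import Dict, List

# Constructed copies of the article's two manifests, as parsed by a YAML loader.
POLICY = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "Policy",
    "metadata": {"name": "policy-mysite", "namespace": "default",
                 "labels": {"f5cr": "true"}},
    "spec": {
        "l7Policies": {"waf": "/Common/WAF_Policy"},
        "profiles": {"http": "/Common/Custom_HTTP",
                     "logProfiles": ["/Common/Log all requests"]},
    },
}

VIRTUAL_SERVER = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "VirtualServer",
    "metadata": {"name": "vs-myapp", "labels": {"f5cr": "true"}},
    "spec": {
        "virtualServerAddress": "10.192.75.117",
        "virtualServerHTTPSPort": 443,
        "httpTraffic": "redirect",
        "tlsProfileName": "reencrypt-tls",
        "policyName": "policy-mysite",
        "host": "myapp.f5demo.com",
        "pools": [{"path": "/", "service": "f5-demo", "servicePort": 443}],
    },
}


def _ns(obj: Dict) -> str:
    # Kubernetes defaults an omitted metadata.namespace to "default".
    return obj.get("metadata", {}).get("namespace", "default")


def _has_f5cr_label(obj: Dict) -> bool:
    # CIS only processes custom resources carrying the label f5cr: "true".
    return obj.get("metadata", {}).get("labels", {}).get("f5cr") == "true"


def lint_pair(vs: Dict, policies: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    name = vs["metadata"]["name"]
    spec = vs.get("spec", {})

    if not _has_f5cr_label(vs):
        findings.append(f'{name}: missing label f5cr="true"; CIS will ignore this VirtualServer')

    policy_name = spec.get("policyName")
    if not policy_name:
        findings.append(f"{name}: spec.policyName not set, so no WAF policy will be attached")
        return findings

    # The referenced Policy must exist in the VirtualServer's own namespace.
    match = [p for p in policies
             if p.get("kind") == "Policy"
             and p.get("metadata", {}).get("name") == policy_name
             and _ns(p) == _ns(vs)]
    if not match:
        findings.append(f"{name}: policyName '{policy_name}' not found in namespace '{_ns(vs)}'")
        return findings
    policy = match[0]

    if not _has_f5cr_label(policy):
        findings.append(f'{policy_name}: missing label f5cr="true"; CIS will ignore this Policy')

    waf = policy.get("spec", {}).get("l7Policies", {}).get("waf")
    if not waf:
        findings.append(f"{policy_name}: spec.l7Policies.waf not set; this Policy attaches no WAF policy")
    elif not (waf.startswith("/") and waf.count("/") >= 2):
        findings.append(f"{policy_name}: waf '{waf}' is not a full BIG-IP path such as /Common/Name")
    return findings


def broken_example() -> List[str]:
    """A deliberately mismatched pair: the VirtualServer points at a Policy that does not exist."""
    vs = deepcopy(VIRTUAL_SERVER)
    vs["spec"]["policyName"] = "policy-other"
    return lint_pair(vs, [POLICY])


if __name__ == "__main__":
    print("article manifests:", lint_pair(VIRTUAL_SERVER, [POLICY]) or "OK")
    print("broken pair:", broken_example())
```

Run it before `kubectl apply` so that a typo in policyName or a Policy created in the wrong namespace is caught in the pipeline rather than discovered later as a virtual server with no WAF policy attached.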


Mark Dittmer, Sr. Product Management Engineer here at F5, recently teamed up with Brandon Frelich, Security Solutions Architect, to create a how-to video on this.




Mark's associated Github repo: https://github.com/mdditt2000/kubernetes-1-19/blob/master/cis%202.7/log4j/README.md


This now allows SecOps teams to focus on creating and maintaining AWAF policies, while DevOps focuses on its own domain and incorporates the AWAF policy with a single reference in the Policy CRD. As microservices sprawl, we need every speed advantage we can get!

Published Jan 12, 2022
Version 1.0