2. Deploy NGINX Plus Ingress Controller with NAP to provide security for the Arcadia application

2.1. Deployment Overview

In Module 1, we already deployed the NGINX Ingress Controller, so this module focuses on configuring NGINX App Protect. For the complete installation of the NGINX Plus Ingress Controller, refer to the official documentation, Installation with Manifests.

At a high level, we will:

  1. Configure role-based access control (RBAC)
  2. Create the common Kubernetes resources
  3. Install the Ingress Controller with NGINX App Protect WAF
  4. Configure the NGINX App Protect WAF module
  5. Attach NAP Policy to the NGINX Ingress Controller’s Virtual Server

Clone the Ingress Controller repository and navigate to the deployments folder by running the following commands:

git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.0.1
cd kubernetes-ingress/deployments

2.2. Configure role-based access control (RBAC)

In Module 1, we created a namespace and a service account for the Ingress Controller, as well as a cluster role and a cluster role binding for the service account. To use the App Protect WAF module, we need to create the App Protect role and role binding by running the following command:

oc apply -f rbac/ap-rbac.yaml

2.3. Create the common Kubernetes resources

In Module 1, we created:

  • a secret with a TLS certificate and a key for the default server in NGINX
  • a config map for customizing NGINX configuration
  • an IngressClass resource

No additional common resource is needed for the App Protect WAF module.

2.4. Create Custom Resources

In Module 1, we created custom resource definitions for VirtualServer and VirtualServerRoute, TransportServer, and Policy resources. To use the App Protect WAF module, we need to create custom resource definitions for APPolicy, APLogConf, and APUserSig. Run the following commands to create these resources:

oc apply -f common/crds/appprotect.f5.com_aplogconfs.yaml
oc apply -f common/crds/appprotect.f5.com_appolicies.yaml
oc apply -f common/crds/appprotect.f5.com_apusersigs.yaml

2.5. Update the Ingress Controller with NGINX App Protect WAF

Steps

  1. Enable the App Protect module in the Ingress Controller.

    Enable the App Protect module in the Ingress Controller by clicking “Operators” and then “Installed Operators” in the OpenShift Console’s left navigation column. On the page that opens, click the Nginx Ingress Controller link in the “Provided APIs” column, select “my-nginx-ingress-controller”, and then click YAML to change the appprotect ‘enable’ field to true under spec: controller:

    apiVersion: charts.nginx.org/v1alpha1
    kind: NginxIngress
    
    spec:
      controller:
        appprotect:
          enable: True
    

    Example:

    Note

    Please be aware that the line numbers mentioned in this guide may have changed due to updates or revisions in the code.

    [Screenshot: ingress-controller-nap.png]

    Click Save, then Reload.

    Note

    Make sure that you have pulled the Ingress Controller image with App Protect. In this lab, we have already loaded the NGINX Plus image with App Protect to a local registry.

  2. After reloading, wait for the KIC pod to become available by running the command:

    oc get pod -n nginx-ingress --watch
    
  3. When it is ready, press Ctrl-C to stop the watch.

    [Screenshot: ingress-ready.png]

2.6. Configure the NGINX App Protect WAF module

Now it is time to configure the Ingress Controller with CRD resources (WAF policy, log profile, Ingress routing …).

Steps

Run the following commands to deploy the different resources. In the terminal window, paste the text below and press Enter:

cd /home/lab-user/kubernetes-ingress/examples/custom-resources/app-protect-waf

oc apply -f syslog.yaml
oc apply -f ap-apple-uds.yaml
oc apply -f ap-dataguard-alarm-policy.yaml
oc apply -f ap-logconf.yaml
oc apply -f waf.yaml

Of the files applied above, we focus on the following:

  1. The ap-dataguard-alarm-policy.yaml file creates the WAF policy that specifies the rules for protecting the application from layer 7 attacks. It is recommended to customize this policy according to the specific application requirements.

In this lab, we disregard the “apple_sigs” signature set. Remove the following lines from ap-dataguard-alarm-policy.yaml:

signature-requirements:
- tag: Fruits
signature-sets:
- name: apple_sigs
  block: true
  signatureSet:
    filter:
      tagValue: Fruits
      tagFilter: eq

If preferred, you can also do this with the sed command below (the range deletes everything from the signature-requirements: line through the next line containing eq, which here is the tagFilter: eq line):

sed -i '/signature-requirements:/,/eq/d' ap-dataguard-alarm-policy.yaml

Once modified, your ap-dataguard-alarm-policy.yaml should resemble this:

apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: dataguard-alarm
spec:
  policy:
    applicationLanguage: utf-8
    blocking-settings:
      violations:
      - alarm: true
        block: false
        name: VIOL_DATA_GUARD
    data-guard:
      creditCardNumbers: true
      enabled: true
      enforcementMode: ignore-urls-in-list
      enforcementUrls: []
      lastCcnDigitsToExpose: 4
      lastSsnDigitsToExpose: 4
      maskData: true
      usSocialSecurityNumbers: true
    enforcementMode: blocking
    name: dataguard-alarm
    template:
      name: POLICY_TEMPLATE_NGINX_BASE

In the terminal window, paste the text below and press Enter to reapply ap-dataguard-alarm-policy.yaml:

oc apply -f ap-dataguard-alarm-policy.yaml
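As an added example that is not part of the lab, here is an indentation-aware alternative to the sed range above: it removes the named keys together with their nested lines and does not depend on where the substring eq happens to occur. The sample policy text is constructed here and places the signature block under spec.policy, which is an assumption about the file layout.

```python
# Added example (not part of the lab's files): drop a mapping key and its nested
# block from APPolicy YAML text by indentation, instead of a sed line range that
# ends at the first later line merely containing the substring "eq".

# Constructed sample; the signature block is assumed to live under spec.policy
SAMPLE_POLICY_TEXT = """\
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: dataguard-alarm
spec:
  policy:
    applicationLanguage: utf-8
    enforcementMode: blocking
    signature-requirements:
    - tag: Fruits
    signature-sets:
    - name: apple_sigs
      block: true
      signatureSet:
        filter:
          tagValue: Fruits
          tagFilter: eq
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
"""

def drop_keys(text, keys):
    """Return text without the named mapping keys and the lines belonging to them:
    deeper-indented lines, blank lines, and list items ('- ') at the key's indent."""
    out = []
    skip_indent = None  # indent of the key currently being removed, or None
    for line in text.splitlines(keepends=True):
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if skip_indent is not None:
            inside = (not stripped.strip() or indent > skip_indent
                      or (indent == skip_indent and stripped.startswith("- ")))
            if inside:
                continue
            skip_indent = None  # back at the key's level or shallower: block ended
        is_key = ":" in stripped and not stripped.startswith("- ")
        if is_key and stripped.split(":", 1)[0] in keys:
            skip_indent = indent
            continue
        out.append(line)
    return "".join(out)
```

Running drop_keys on the real file contents with the same two keys yields the trimmed policy shown above.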

  2. The ap-logconf.yaml file creates the Log Profile that specifies the format of the logs to be generated when the policy detects an attack.

    apiVersion: appprotect.f5.com/v1beta1
    kind: APLogConf
    metadata:
      name: logconf
    spec:
      content:
        format: default
        max_message_size: 64k
        max_request_size: any
      filter:
        request_type: all
    
  3. The waf.yaml file creates the WAF Policy resource that links the APPolicy and the Log Profile to the NGINX Ingress Controller.

    apiVersion: k8s.nginx.org/v1
    kind: Policy
    metadata:
      name: waf-policy
    spec:
      waf:
        enable: true
        apPolicy: "default/dataguard-alarm"
        securityLogs:
        - enable: true
          apLogConf: "default/logconf"
          logDest: "syslog:server=syslog-svc.default:514"

2.7. Attach NAP Policy to the NGINX Ingress Controller’s Virtual Server

It is important that the application is always protected by a WAF, so the policy must be attached to the VirtualServer that routes its traffic.

To enable NAP for an application, the VirtualServer in NGINX Ingress Controller needs the Policy custom resource (which in turn references the APPolicy) attached to it. You simply add the policy reference to the VirtualServer.

Steps

  1. Examine the current contents of the VirtualServer resource:

    oc get virtualserver arcadia
    
  2. Edit the VirtualServer:

    oc edit virtualserver arcadia
    
  3. Add the following lines immediately after host: $nginx_ingress, at the same indentation level:

    policies:
    - name: waf-policy
    

    Once modified, your virtualserver yaml should resemble this:

    apiVersion: k8s.nginx.org/v1
    kind: VirtualServer
    metadata:
      name: arcadia
    spec:
      host: $nginx_ingress
      policies:
      - name: waf-policy
      upstreams:
      - name: arcadia-main
        service: arcadia-main
        port: 80
      - name: arcadia-app2
        service: arcadia-app2
        port: 80
      - name: arcadia-app3
        service: arcadia-app3
        port: 80
    

    The name waf-policy must match the name of the WAF Policy resource created in section 2.6.

  4. Save the file and exit the editor.
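As an added example that is not part of the lab, the following check walks the reference chain the steps above build (VirtualServer policies, then Policy spec.waf.apPolicy and securityLogs, then the APPolicy and APLogConf objects) over resources constructed inline to mirror the lab's waf.yaml and VirtualServer, and reports any broken link so you can confirm the application really is behind the WAF. That bare names default to the referrer's namespace, and the use of Python dicts in place of the live objects, are assumptions.

```python
# Added example (not part of the lab): walk VirtualServer -> Policy -> APPolicy
# and APLogConf references to confirm the application is really behind the WAF.
# Assumption: a bare name resolves to the referring object's namespace.

def _ref(ref, default_ns):
    """Split 'ns/name' into a (ns, name) tuple; a bare name gets default_ns."""
    ns, _, name = ref.rpartition("/")
    return (ns or default_ns, name)

def audit_waf_chain(vs, policies, appolicies, aplogconfs):
    """Return findings (empty list = complete chain). policies: {(ns, name): dict}; appolicies/aplogconfs: sets of (ns, name)."""
    findings = []
    vs_ns = vs["metadata"].get("namespace", "default")
    refs = vs["spec"].get("policies") or []
    if not refs:
        return ["VirtualServer has no policies attached: no WAF in front of it"]
    waf_found = False
    for p in refs:
        key = (p.get("namespace", vs_ns), p["name"])
        pol = policies.get(key)
        if pol is None:
            findings.append(f"Policy {key[0]}/{key[1]} not found")
            continue
        waf = pol["spec"].get("waf")
        if not waf or not waf.get("enable"):
            continue  # not a WAF policy, or App Protect switched off in it
        waf_found = True
        ap = _ref(waf["apPolicy"], key[0])
        if ap not in appolicies:
            findings.append(f"APPolicy {ap[0]}/{ap[1]} not found")
        for log in waf.get("securityLogs", []):
            if not log.get("enable"):
                continue
            lc = _ref(log["apLogConf"], key[0])
            if lc not in aplogconfs:
                findings.append(f"APLogConf {lc[0]}/{lc[1]} not found")
            if not log.get("logDest"):
                findings.append(f"Policy {key[1]}: securityLog has no logDest")
    if not waf_found:
        findings.append("no attached Policy enables App Protect")
    return findings

# Constructed sample mirroring the lab's waf.yaml and the arcadia VirtualServer
VS = {"metadata": {"name": "arcadia", "namespace": "default"},
      "spec": {"host": "arcadia.example.test", "policies": [{"name": "waf-policy"}]}}
POLICIES = {("default", "waf-policy"): {"spec": {"waf": {
    "enable": True, "apPolicy": "default/dataguard-alarm",
    "securityLogs": [{"enable": True, "apLogConf": "default/logconf",
                      "logDest": "syslog:server=syslog-svc.default:514"}]}}}}
APPOLICIES = {("default", "dataguard-alarm")}
APLOGCONFS = {("default", "logconf")}
```

On a live cluster the same dicts can be built from the JSON that oc get -o json returns for each resource kind; the example itself runs offline on the constructed sample.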