Kubernetes Ingress Controllers
A Kubernetes cluster can use different types of ingress controllers to expose Kubernetes services outside the cluster. Some ingress controllers include built-in support for using CRS, as this page outlines.
NGINX Ingress Controller
The NGINX Ingress Controller is built around the Kubernetes Ingress resource. It uses a ConfigMap to store the controller configuration.
Refer to the official Kubernetes documentation to learn more about using the Ingress resource.
Installing
Refer to the upstream installation guide for a whirlwind tour to get started.
Configuration
The upstream project provides many examples of how to configure the controller. These are a good starting point.
Info
All of the configuration is done via the ConfigMap. All options for ModSecurity and CRS can be found in the annotations list.
The default ModSecurity configuration file is located at /etc/nginx/modsecurity/modsecurity.conf
. This is the only file located in this directory and it contains the default recommended configuration. Using a volume, this file can be replaced with the desired configuration. To enable the ModSecurity feature, specify enable-modsecurity: "true"
in the configuration ConfigMap.
The directory /etc/nginx/owasp-modsecurity-crs
contains the CRS repository. Use enable-owasp-modsecurity-crs: "true"
to enable use of the CRS rules.
Common Problems
Tip
To get individual rule alerts, if they’re not visible in the error log (for example, if only log entries for rule 949110
are present in the log file), make sure to set the annotation error-log-level: warn
.