Kubernetes Ingress Controllers
A Kubernetes cluster can use different types of ingress controllers to expose Kubernetes services outside the cluster. Some ingress controllers include built-in support for using CRS, as this page outlines.
NGINX Ingress Controller
Refer to the upstream installation guide for a whirlwind tour to get started.
The upstream project provides many examples of how to configure the controller. These are a good starting point.
All of the configuration is done via the ConfigMap. All options for ModSecurity and CRS can be found in the annotations list.
The default ModSecurity configuration file is located at /etc/nginx/modsecurity/modsecurity.conf. This is the only file located in this directory and it contains the default recommended configuration. Using a volume, this file can be replaced with the desired configuration. To enable the ModSecurity feature, specify enable-modsecurity: "true" in the configuration ConfigMap.
The directory /etc/nginx/owasp-modsecurity-crs contains the CRS repository. Use enable-owasp-modsecurity-crs: "true" to enable use of the CRS rules.
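The settings described above, put together as an added example (not taken from the upstream project): the two ConfigMap keys, plus one way to replace modsecurity.conf through a volume. The namespace, the ConfigMap and Deployment name ingress-nginx-controller, the container name controller, and the modsecurity-custom-conf ConfigMap with its contents are assumptions; adjust them to your installation.

```yaml
# Added example. Assumed names: namespace "ingress-nginx", ConfigMap and
# Deployment "ingress-nginx-controller", container "controller".
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  enable-modsecurity: "true"             # load ModSecurity in the controller
  enable-owasp-modsecurity-crs: "true"   # load rules from /etc/nginx/owasp-modsecurity-crs
---
# Hypothetical ConfigMap holding the replacement modsecurity.conf.
# Constructed, shortened content: start from a copy of the shipped file
# and change only the directives you need.
apiVersion: v1
kind: ConfigMap
metadata:
  name: modsecurity-custom-conf
  namespace: ingress-nginx
data:
  modsecurity.conf: |
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLogType Serial
    SecAuditLog /dev/stdout
---
# Strategic-merge patch for the controller Deployment, kept in its own file
# (for example patch.yaml) and applied with:
#   kubectl -n ingress-nginx patch deployment ingress-nginx-controller --patch-file patch.yaml
spec:
  template:
    spec:
      containers:
        - name: controller
          volumeMounts:
            - name: modsecurity-conf
              mountPath: /etc/nginx/modsecurity/modsecurity.conf
              subPath: modsecurity.conf   # replace only this one file
              readOnly: true
      volumes:
        - name: modsecurity-conf
          configMap:
            name: modsecurity-custom-conf
```

Because the file is mounted with subPath, later changes to the modsecurity-custom-conf ConfigMap are not propagated into running pods; restart the controller pods after editing it.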
To get individual rule alerts, if they’re not visible in the error log (for example, if only log entries for rule 949110 are present in the log file), make sure to set the annotation