Enable ModSecurity Web Application Firewall on cluster ingress controller
NOTE: This feature is ~"devops:defend", but for now it has the ~"devops:secure" label to be sure it will be properly tracked and shown. We should switch labels as soon as we verify everything is working with the ~"devops:defend" one.
Problem to solve
We want to introduce a Web Application Firewall (WAF) to protect applications that are deployed to Kubernetes using our GitLab integration.
The nginx ingress controller supports ModSecurity and allows it to be enabled via annotations:
- https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/
- https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity
We should enable ModSecurity when we install the ingress, and allow users to leverage it.
Proposal
Enable ModSecurity when installing the cluster ingress, in detection-only mode. We should also allow enabling or upgrading it for existing clusters.
Once the WAF is enabled, also enable the default OWASP Core Rule Set to provide some initial coverage.
Logs will be created to track malicious requests against deployed applications. We should decide whether to enable the rules for all sites at installation time, or to let individual applications opt in to tracking (Auto DevOps will enable it by default).
A product discovery is available in https://gitlab.com/gitlab-org/gitlab-ee/issues/9520.
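As an added example (not from this issue or from GitLab's implementation), the ingress-nginx configuration the proposal describes, using the annotations and ConfigMap keys from the docs linked above. The application name, hostname, service, and the controller ConfigMap name and namespace are assumed placeholders.

```yaml
# Per-application Ingress: ModSecurity in detection-only mode with the
# OWASP Core Rule Set. Annotation names come from the ingress-nginx docs;
# app name, namespace, host and service are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app            # placeholder
  namespace: example-app       # placeholder
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Load ModSecurity for this Ingress only (opt-in per application).
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    # Include the bundled OWASP Core Rule Set for baseline coverage.
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # Detection-only: log matches, never block. JSON audit log on stdout
    # so the controller pod logs carry the events for collection.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine DetectionOnly
      SecRequestBodyAccess On
      SecAuditEngine RelevantOnly
      SecAuditLogFormat JSON
      SecAuditLog /dev/stdout
spec:
  rules:
    - host: example-app.example.com   # placeholder
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app     # placeholder
                port:
                  number: 80
---
# Alternative for the "all sites at installation time" option: the same
# switches in the ingress controller's ConfigMap instead of per Ingress.
# Name and namespace depend on how the controller was installed (assumed).
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumed
  namespace: ingress-nginx         # assumed
data:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
```

With DetectionOnly, a rule match appears only in the audit log, so success can be checked by sending a request that trips a CRS rule to the host and confirming a JSON audit entry in the controller's pod logs.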
What does success look like, and how can we measure that?
Ingress controllers with ModSecurity enabled.