Deprecate GitLab WAF
GitLab WAF is being deprecated
Timeline
%13.6 - WAF is officially deprecated and the deprecation will be mentioned in our release post
%14.0 - WAF is planned to be removed from the product entirely. As this is a breaking change, we plan to wait to do this in the next major release.
Why is WAF being deprecated?
The Web Application Firewall (WAF) market is well established, with existing players providing rich, enterprise-ready feature sets. A WAF typically sits in front of the production application, at the network edge, which also lets it provide load balancing and protection against Distributed Denial-of-Service (DDoS) attacks. GitLab's WAF instead ran inside the Kubernetes cluster, as a ModSecurity module in the NGINX Ingress controller, behind whatever load balancer fronts the cluster; that placement made both load balancing and DDoS protection difficult, if not impossible. Additionally, GitLab's WAF was deployed on a single node in the cluster, so High Availability (HA) was not available either: if that node failed, so did the WAF.
Our research found that most customers expected a WAF to be able to address these use cases, and the cost for us to overcome the limitations inherent in our architecture was prohibitively expensive. Additionally, the support and maintenance burden to support the existing capabilities was detracting from our ability to deliver other critical security capabilities. Considering that most customers already have separate products that act as a WAF, GitLab has decided to focus its resources on furthering other areas in the product.
I rely on WAF. How can I continue to use WAF after %14.0?
GitLab WAF leveraged ModSecurity through the Kubernetes NGINX Ingress controller (ingress-nginx), a free and open-source project. Users can continue to use ModSecurity after GitLab removes its integration by installing and configuring ModSecurity in their Kubernetes Ingress controller themselves. This article describes how this can be done.
GitLab will not actively uninstall ModSecurity from any clusters that had GitLab WAF installed prior to migrating their server to %14.0; however, after migration, all capabilities to manage ModSecurity in the cluster from GitLab will be gone. Any action taken in GitLab %14.0 or later that re-deploys the Ingress controller is also likely to result in ModSecurity being removed from the cluster, because GitLab will no longer apply the configuration that enabled it. If you depend on the WAF, capture its current configuration before upgrading and manage it in the Ingress controller yourself.
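The following is an added example of what "installing and configuring ModSecurity in the Ingress controller yourself" looks like for ingress-nginx; it is not GitLab's own WAF configuration and not taken from the page. It uses the controller's ConfigMap keys enable-modsecurity, enable-owasp-modsecurity-crs and modsecurity-snippet, which exist in ingress-nginx; the namespace "ingress-nginx" and the ConfigMap name "ingress-nginx-controller" are assumptions and must match the name the controller reads via its --configmap flag.

```yaml
# Added example (not GitLab's own configuration): enable ModSecurity with the
# OWASP Core Rule Set (CRS) in an ingress-nginx controller via its ConfigMap.
# Assumed names: namespace "ingress-nginx", ConfigMap "ingress-nginx-controller".
# Check the controller's --configmap flag; Helm charts and clusters differ.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Load the ModSecurity module for every Ingress served by this controller.
  enable-modsecurity: "true"
  # Load the OWASP CRS that ships inside the controller image.
  enable-owasp-modsecurity-crs: "true"
  # Directives appended to the controller's ModSecurity configuration.
  modsecurity-snippet: |
    # Start in DetectionOnly: requests are inspected and logged, never blocked.
    # Switch to "SecRuleEngine On" only after reviewing the audit log against
    # real traffic; untuned CRS rules will block legitimate requests in many
    # applications (file uploads, rich-text fields, unusual query strings).
    SecRuleEngine DetectionOnly
    # Emit one JSON audit record per transaction that matched a rule, to the
    # controller's stdout so it reaches the cluster's log pipeline.
    SecAuditEngine RelevantOnly
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogFormat JSON
    SecAuditLog /dev/stdout
```

Apply it with kubectl apply -f and confirm the controller picked it up with nginx -T on the controller pod (for example, kubectl -n ingress-nginx exec deploy/ingress-nginx-controller -- nginx -T | grep -i modsecurity, the deployment name again being an assumption). Then send a request the CRS should flag, such as a query string containing a <script> tag, and look for the JSON audit record in the controller logs before deciding whether to move from DetectionOnly to On. Note that enabling this in the ConfigMap applies cluster-wide; if you only want it on some applications, use the per-Ingress annotation nginx.ingress.kubernetes.io/enable-modsecurity instead, and verify that the ingress-nginx version you run still ships the ModSecurity module.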
What about GitLab's Ingress controller? Can I continue to use that?
Only the ModSecurity WAF capability is being deprecated with this announcement. Deprecation of Ingress is being discussed in a separate issue.