This post follows this blog
Add and update the nginx repo for helm
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update

Create the helm overrides to enable ModSecurity
echo "
controller:
  config:
    enable-modsecurity: \"true\"
    enable-owasp-modsecurity-crs: \"true\"
" > custom-values.yaml

Install the chart
helm install nginx nginx-stable/nginx-ingress -f custom-values.yaml

Deploy Jenkins from Helm
helm repo add jenkins https://charts.jenkins.io
helm repo update
helm install jenkins jenkins/jenkins

Wait for the Jenkins pod to get ready
kubectl wait --for=condition=Ready pod -l app.kubernetes.io/component=jenkins-controller --timeout=240s

Create the ingress Object
kubectl apply -f -<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  creationTimestamp: null
  name: starburst
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
spec:
  ingressClassName: nginx
  rules:
  - host: "redhat.com"
    http:
      paths:
      - backend:
          service:
            name: jenkins
            port:
              number: 8080
        path: /
        pathType: Prefix
EOF

Test Ingress (This should work)
curl -v -H "Host: redhat.com" $(k get svc nginx-nginx-ingress -ojsonpath='{.status.loadBalancer.ingress[0].hostname}')/

output
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
-->
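</body></html>

Test WAF with Ingress (This should return 403 according to blog)
Note: the output below shows the request is not blocked; it gets the same Jenkins login redirect as the plain request. The `enable-modsecurity` and `enable-owasp-modsecurity-crs` keys and the `nginx.ingress.kubernetes.io/modsecurity-snippet` annotation are options of the community kubernetes/ingress-nginx controller, while the chart installed above (nginx-stable/nginx-ingress from helm.nginx.com) is the separate NGINX Inc. controller, so these settings are probably ignored and no WAF is inspecting the traffic. Confirm which controller is running and that ModSecurity is actually loaded before treating this ingress as protected.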
curl -H "Host: redhat.com" "$(k get svc nginx-nginx-ingress -ojsonpath='{.status.loadBalancer.ingress[0].hostname}')/?username='%20or%20'1'%20=%20'"

output
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F%3Fusername%3D%27%2520or%2520%271%27%2520%3D%2520%27'/><script>window.location.replace('/login?from=%2F%3Fusername%3D%27%2520or%2520%271%27%2520%3D%2520%27');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
-->
</body></html>

kubectl delete ing --all
helm uninstall jenkins nginx