# Enabling the ModSecurity WAF on ingress-nginx

The ingress-nginx image already ships with the ModSecurity module built in; see the official documentation: https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/
## Add custom configuration

Create a custom-modsecurity.conf that overrides the defaults from /etc/nginx/modsecurity.conf in the ingress-nginx image. It is Included after the defaults (see the next section), so any directive repeated here takes precedence.

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: modsecurity-config
  namespace: kube-system
data:
  custom-modsecurity.conf: |-
    SecRuleEngine On            # blocking mode; use DetectionOnly to log matches without blocking any request
    SecAuditLog /dev/stdout     # write the audit log to stdout so it appears in the container logs
    SecAuditLogFormat JSON      # one JSON record per transaction
    SecStatusEngine Off         # disable status reporting to the ModSecurity project
    SecRuleRemoveById 920350    # drop CRS rule 920350 (Host header is a numeric IP) so localhost/probe requests are not flagged
```
## Update the ingress-nginx ConfigMap

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress-nginx-controller
  namespace: kube-system
data:
  allow-snippet-annotations: 'false'   # only affects per-Ingress snippet annotations; the global snippet below still applies
  enable-modsecurity: 'true'           # enable ModSecurity
  enable-owasp-modsecurity-crs: 'true' # load the OWASP Core Rule Set
  modsecurity-snippet: |
    Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity.conf # load the custom configuration file
```

Because the snippet is processed after the CRS rules are loaded, the `SecRuleRemoveById` line in the custom file can reference CRS rule IDs.
## Update the ingress-nginx workload

```yaml
# Deployment or DaemonSet definition
spec:
  volumes:
    - name: webhook-cert
      secret:
        secretName: ingress-nginx-admission
        defaultMode: 420
    - name: modsecurity-config   # add the custom configuration
      configMap:
        name: modsecurity-config
        defaultMode: 420
  containers:
    - name: controller
      # ... other fields omitted ...
      volumeMounts:
        - name: webhook-cert
          readOnly: true
          mountPath: /usr/local/certificates/
        - name: modsecurity-config   # mount the custom configuration
          mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
```
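With `SecAuditLog /dev/stdout` and `SecAuditLogFormat JSON`, every flagged transaction shows up in `kubectl logs` as a JSON record. The following added example (not part of the original post) parses a few constructed records in that format, separates requests the controller blocked from ones it only detected, and lists rule IDs that fired solely on numeric-IP Host headers, which is how an exclusion like the `SecRuleRemoveById 920350` line above is justified. The record layout assumed is libmodsecurity v3's (`transaction.messages[].details.ruleId`); the sample values are made up.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample of libmodsecurity v3 JSON audit records (one per line), as the
# controller emits them with SecAuditLog /dev/stdout + SecAuditLogFormat JSON.
# Values are illustrative, not captured from a real cluster.
SAMPLE_LOG = r'''
{"transaction":{"client_ip":"10.244.0.1","unique_id":"t1","request":{"method":"GET","uri":"/healthz","headers":{"Host":"10.244.0.5"}},"response":{"http_code":200},"producer":{"secrules_engine":"DetectionOnly"},"messages":[{"message":"Host header is a numeric IP address","details":{"ruleId":"920350","severity":"4"}}]}}
{"transaction":{"client_ip":"10.244.0.9","unique_id":"t2","request":{"method":"GET","uri":"/app","headers":{"Host":"app.example.com"}},"response":{"http_code":403},"producer":{"secrules_engine":"On"},"messages":[{"message":"Inbound Anomaly Score Exceeded","details":{"ruleId":"949110","severity":"2"}}]}}
{"transaction":{"client_ip":"10.244.0.9","unique_id":"t3","request":{"method":"GET","uri":"/ok","headers":{"Host":"app.example.com"}},"response":{"http_code":200},"producer":{"secrules_engine":"On"},"messages":[]}}
'''

def transactions(text):
    """Yield the 'transaction' object of each audit record; skip non-JSON lines
    (plain nginx access-log lines share the same stdout)."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)["transaction"]
        except (json.JSONDecodeError, KeyError):
            continue

def summarize(text):
    """Rule-ID hit counts plus which transactions were blocked vs. only detected."""
    hits, blocked, detected_only = Counter(), [], []
    for tx in transactions(text):
        ids = [m["details"]["ruleId"] for m in tx.get("messages", [])]
        if not ids:
            continue
        hits.update(ids)
        # With SecRuleEngine On the controller answers 403 itself; in DetectionOnly
        # the matches are logged but the upstream status (here 200) is passed through.
        (blocked if tx["response"]["http_code"] == 403 else detected_only).append(tx["unique_id"])
    return {"rule_hits": dict(hits), "blocked": blocked, "detected_only": detected_only}

def _numeric_host(tx):
    host = tx["request"]["headers"].get("Host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        return True
    except ValueError:
        return False

def exclusion_candidates(text):
    """Rule IDs that fired only on requests whose Host header is a bare IP
    (typical of kubelet probes): candidates for a SecRuleRemoveById line."""
    seen = defaultdict(set)
    for tx in transactions(text):
        for m in tx.get("messages", []):
            seen[m["details"]["ruleId"]].add(_numeric_host(tx))
    return sorted(rid for rid, flags in seen.items() if flags == {True})
```

Feed it real output with `kubectl -n kube-system logs <controller-pod>` and review the candidates by hand before adding any exclusion.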