Enable modsecurity logging sidecar for ingress controller

Enables a sidecar container within the ingress controller pod for streaming the modsecurity audit log. To properly handle the multiline datastream the logging format has been changed to JSON. This work contributes to https://gitlab.com/gitlab-org/gitlab/issues/14707 in setting up initial logging infrastructure

Enable modsecurity logging sidecar for ingress controller
Enables a sidecar container within the ingress controller pod for streaming the modsecurity audit log. To properly handle the multiline datastream the logging format has been changed to JSON. This work contributes to https://gitlab.com/gitlab-org/gitlab/issues/14707 in setting up initial logging infrastructure
4eaacff8 · Lucas Charles · febfd21e · 4eaacff8 · 4eaacff8 · 4eaacff8
Commit 4eaacff8 authored Nov 04, 2019 by Lucas Charles
5 changed files
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -21,6 +21,7 @@ module Clusters
      }

      FETCH_IP_ADDRESS_DELAY = 30.seconds
+      MODSEC_SIDECAR_INITIAL_DELAY_SECONDS = 10

      state_machine :status do
        after_transition any => [:installed] do |application|
@@ -81,11 +82,39 @@ module Clusters
              "enable-owasp-modsecurity-crs" => "true",
              "modsecurity.conf" => modsecurity_config_content
            },
+            "extraContainers" => [
+              {
+                "name" => "modsecurity-log",
+                "image" => "busybox",
+                "args" => [
+                  "/bin/sh",
+                  "-c",
+                  "tail -f /var/log/modsec/audit.log"
+                ],
+                "volumeMounts" => [
+                  {
+                    "name" => "modsecurity-log-volume",
+                    "mountPath" => "/var/log/modsec",
+                    "readOnly" => true
+                  }
+                ],
+                "startupProbe" => {
+                  "exec" => {
+                    "command" => ["ls", "/var/log/modsec"]
+                  },
+                  "initialDelaySeconds" => MODSEC_SIDECAR_INITIAL_DELAY_SECONDS
+                }
+              }
+            ],
            "extraVolumeMounts" => [
              {
                "name" => "modsecurity-template-volume",
                "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
                "subPath" => "modsecurity.conf"
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "mountPath" => "/var/log/modsec"
              }
            ],
            "extraVolumes" => [
@@ -100,6 +129,10 @@ module Clusters
                    }
                  ]
                }
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "emptyDir" => {}
              }
            ]
          }

--- a/changelogs/unreleased/14707-add-modsec-logging-sidecar-to-ingress-controller.yml
+++ b/changelogs/unreleased/14707-add-modsec-logging-sidecar-to-ingress-controller.yml
+---
+title: Add modsecurity logging sidecar to ingress controller
+merge_request: 19600
+author:
+type: added
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -263,7 +263,7 @@ This feature:
  For example:

  ```sh
-  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
+  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec/audit.log
  ```

 There is a small performance overhead by enabling `modsecurity`. However, if this is

--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -165,6 +165,12 @@ describe Clusters::Applications::Ingress do
        expect(subject.values).to include('extraVolumes')
        expect(subject.values).to include('extraVolumeMounts')
      end
+
+      it 'includes modsecurity sidecar container' do
+        expect(subject.values).to include('modsecurity-log-volume')
+
+        expect(subject.values).to include('extraContainers')
+      end
    end

    context 'when ingress_modsecurity is disabled' do
@@ -190,6 +196,12 @@ describe Clusters::Applications::Ingress do
        expect(subject.values).not_to include('extraVolumes')
        expect(subject.values).not_to include('extraVolumeMounts')
      end
+
+      it 'excludes modsecurity sidecar container' do
+        expect(subject.values).not_to include('modsecurity-log-volume')
+
+        expect(subject.values).not_to include('extraContainers')
+      end
    end
  end
 end
--- a/vendor/ingress/modsecurity.conf
+++ b/vendor/ingress/modsecurity.conf
@@ -236,7 +236,8 @@ SecAuditLogParts ABIJDEFHZ
 # assumes that you will use the audit log only ocassionally.
 #
 # SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.log
+SecAuditLogFormat JSON
+SecAuditLog /var/log/modsec/audit.log

 # Specify the path for concurrent audit logging.
 #SecAuditLogStorageDir /opt/modsecurity/var/audit/