Commit 4eaacff8 authored by Lucas Charles's avatar Lucas Charles

Enable modsecurity logging sidecar for ingress controller

Enables a sidecar container within the ingress controller pod for
streaming the modsecurity audit log.

To properly handle the multiline datastream the logging format has
been changed to JSON.

This work contributes to https://gitlab.com/gitlab-org/gitlab/issues/14707
in setting up initial logging infrastructure
parent febfd21e
......@@ -21,6 +21,7 @@ module Clusters
}
FETCH_IP_ADDRESS_DELAY = 30.seconds
MODSEC_SIDECAR_INITIAL_DELAY_SECONDS = 10
state_machine :status do
after_transition any => [:installed] do |application|
......@@ -81,11 +82,39 @@ module Clusters
"enable-owasp-modsecurity-crs" => "true",
"modsecurity.conf" => modsecurity_config_content
},
"extraContainers" => [
{
"name" => "modsecurity-log",
"image" => "busybox",
"args" => [
"/bin/sh",
"-c",
"tail -f /var/log/modsec/audit.log"
],
"volumeMounts" => [
{
"name" => "modsecurity-log-volume",
"mountPath" => "/var/log/modsec",
"readOnly" => true
}
],
"startupProbe" => {
"exec" => {
"command" => ["ls", "/var/log/modsec"]
},
"initialDelaySeconds" => MODSEC_SIDECAR_INITIAL_DELAY_SECONDS
}
}
],
"extraVolumeMounts" => [
{
"name" => "modsecurity-template-volume",
"mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
"subPath" => "modsecurity.conf"
},
{
"name" => "modsecurity-log-volume",
"mountPath" => "/var/log/modsec"
}
],
"extraVolumes" => [
......@@ -100,6 +129,10 @@ module Clusters
}
]
}
},
{
"name" => "modsecurity-log-volume",
"emptyDir" => {}
}
]
}
......
---
title: Add modsecurity logging sidecar to ingress controller
merge_request: 19600
author:
type: added
......@@ -263,7 +263,7 @@ This feature:
For example:
```sh
kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec/audit.log
```
There is a small performance overhead by enabling `modsecurity`. However, if this is
......
......@@ -165,6 +165,12 @@ describe Clusters::Applications::Ingress do
expect(subject.values).to include('extraVolumes')
expect(subject.values).to include('extraVolumeMounts')
end
it 'includes modsecurity sidecar container' do
expect(subject.values).to include('modsecurity-log-volume')
expect(subject.values).to include('extraContainers')
end
end
context 'when ingress_modsecurity is disabled' do
......@@ -190,6 +196,12 @@ describe Clusters::Applications::Ingress do
expect(subject.values).not_to include('extraVolumes')
expect(subject.values).not_to include('extraVolumeMounts')
end
it 'excludes modsecurity sidecar container' do
expect(subject.values).not_to include('modsecurity-log-volume')
expect(subject.values).not_to include('extraContainers')
end
end
end
end
......@@ -236,7 +236,8 @@ SecAuditLogParts ABIJDEFHZ
# assumes that you will use the audit log only ocassionally.
#
# SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecAuditLogFormat JSON
SecAuditLog /var/log/modsec/audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment