Enable modsecurity in nginx-ingress deployments

Update the default ingress chart to enable modsecurity along with the default Core Rule Set. This functionality uses the default settings of "detection-only" mode to log requests to the audit log but blocks no traffic by default Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192

Enable modsecurity in nginx-ingress deployments
Update the default ingress chart to enable modsecurity along with the default Core Rule Set. This functionality uses the default settings of "detection-only" mode to log requests to the audit log but blocks no traffic by default Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
79a41c50 · Lucas Charles · Mayra Cabrera · 461a6b90 · 79a41c50 · 79a41c50
Commit 79a41c50 authored Sep 17, 2019 by Lucas Charles Committed by Mayra Cabrera Sep 17, 2019
4 changed files
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -35,6 +35,10 @@ module Clusters
        'stable/nginx-ingress'
      end

+      def values
+        content_values.to_yaml
+      end
+
      def allowed_to_uninstall?
        external_ip_or_hostname? && application_jupyter_nil_or_installable?
      end
@@ -67,6 +71,23 @@ module Clusters

      private

+      def specification
+        return {} unless Feature.enabled?(:ingress_modsecurity)
+
+        {
+          "controller" => {
+            "config" => {
+              "enable-modsecurity" => "true",
+              "enable-owasp-modsecurity-crs" => "true"
+            }
+          }
+        }
+      end
+
+      def content_values
+        YAML.load_file(chart_values_file).deep_merge!(specification)
+      end
+
      def application_jupyter_nil_or_installable?
        cluster.application_jupyter.nil? || cluster.application_jupyter&.installable?
      end

--- a/changelogs/unreleased/65192-enable-modsecurity-in-ingress.yml
+++ b/changelogs/unreleased/65192-enable-modsecurity-in-ingress.yml
+---
+title: Enable modsecurity in nginx-ingress apps
+merge_request: 15774
+author:
+type: added
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -129,6 +129,34 @@ chart is used to install this application with a
 [`values.yaml`](https://gitlab.com/gitlab-org/gitlab-foss/blob/master/vendor/ingress/values.yaml)
 file.

+#### Modsecurity Application Firewall
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/issues/65192) in GitLab 12.3 (enabled using `ingress_modsecurity` [feature flag](../../development/feature_flags/development.md#enabling-a-feature-flag-in-development)).
+
+GitLab supports
+[`modsecurity`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+to check requests against [OWASP's Core Rule Set](https://www.modsecurity.org/CRS/Documentation/).
+This feature:
+
+- Runs in "Detection-only mode" unless configured otherwise.
+- Is viewable by checking your ingress controller's `modsec` log for rule violations.
+  For example:
+
+  ```sh
+  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
+  ```
+
+There is a small performance overhead by enabling `modsecurity`. However, if this is
+considered significant for your application, you can toggle the feature flag back to
+false by running the following command within the Rails console:
+
+```ruby
+Feature.disable(:ingress_modsecurity)
+```
+
+Once disabled, you must reinstall your ingress application for the changes to
+take effect.
+
 ### JupyterHub

 > - Introduced in GitLab 11.0 for project-level clusters.

--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -131,4 +131,41 @@ describe Clusters::Applications::Ingress do
      expect(values).to include('podAnnotations')
    end
  end
+
+  describe '#values' do
+    let(:project) { build(:project) }
+    let(:cluster) { build(:cluster, projects: [project]) }
+
+    context 'when ingress_modsecurity is enabled' do
+      before do
+        stub_feature_flags(ingress_modsecurity: true)
+
+        allow(subject).to receive(:cluster).and_return(cluster)
+      end
+
+      it 'includes modsecurity module enablement' do
+        expect(subject.values).to include("enable-modsecurity: 'true'")
+      end
+
+      it 'includes modsecurity core ruleset enablement' do
+        expect(subject.values).to include("enable-owasp-modsecurity-crs: 'true'")
+      end
+    end
+
+    context 'when ingress_modsecurity is disabled' do
+      before do
+        stub_feature_flags(ingress_modsecurity: false)
+
+        allow(subject).to receive(:cluster).and_return(cluster)
+      end
+
+      it 'excludes modsecurity module enablement' do
+        expect(subject.values).not_to include('enable-modsecurity')
+      end
+
+      it 'excludes modsecurity core ruleset enablement' do
+        expect(subject.values).not_to include('enable-owasp-modsecurity-crs')
+      end
+    end
+  end
 end