Merge branch '14707-add-modsec-logging-sidecar-to-ingress-controller' into 'master'

Enable modsecurity logging sidecar for ingress controller See merge request gitlab-org/gitlab!19600

Merge branch '14707-add-modsec-logging-sidecar-to-ingress-controller' into 'master'
Enable modsecurity logging sidecar for ingress controller See merge request gitlab-org/gitlab!19600
cc09e305 · Dmitriy Zaporozhets · 18be584d · 4eaacff8 · cc09e305 · cc09e305
Commit cc09e305 authored Nov 13, 2019 by Dmitriy Zaporozhets
5 changed files
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -21,6 +21,7 @@ module Clusters
      }

      FETCH_IP_ADDRESS_DELAY = 30.seconds
+      MODSEC_SIDECAR_INITIAL_DELAY_SECONDS = 10

      state_machine :status do
        after_transition any => [:installed] do |application|
@@ -81,11 +82,39 @@ module Clusters
              "enable-owasp-modsecurity-crs" => "true",
              "modsecurity.conf" => modsecurity_config_content
            },
+            "extraContainers" => [
+              {
+                "name" => "modsecurity-log",
+                "image" => "busybox",
+                "args" => [
+                  "/bin/sh",
+                  "-c",
+                  "tail -f /var/log/modsec/audit.log"
+                ],
+                "volumeMounts" => [
+                  {
+                    "name" => "modsecurity-log-volume",
+                    "mountPath" => "/var/log/modsec",
+                    "readOnly" => true
+                  }
+                ],
+                "startupProbe" => {
+                  "exec" => {
+                    "command" => ["ls", "/var/log/modsec"]
+                  },
+                  "initialDelaySeconds" => MODSEC_SIDECAR_INITIAL_DELAY_SECONDS
+                }
+              }
+            ],
            "extraVolumeMounts" => [
              {
                "name" => "modsecurity-template-volume",
                "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
                "subPath" => "modsecurity.conf"
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "mountPath" => "/var/log/modsec"
              }
            ],
            "extraVolumes" => [
@@ -100,6 +129,10 @@ module Clusters
                    }
                  ]
                }
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "emptyDir" => {}
              }
            ]
          }

--- a/changelogs/unreleased/14707-add-modsec-logging-sidecar-to-ingress-controller.yml
+++ b/changelogs/unreleased/14707-add-modsec-logging-sidecar-to-ingress-controller.yml
+---
+title: Add modsecurity logging sidecar to ingress controller
+merge_request: 19600
+author:
+type: added
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -263,7 +263,7 @@ This feature:
  For example:

  ```sh
-  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
+  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec/audit.log
  ```

 There is a small performance overhead by enabling `modsecurity`. However, if this is

--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -165,6 +165,12 @@ describe Clusters::Applications::Ingress do
        expect(subject.values).to include('extraVolumes')
        expect(subject.values).to include('extraVolumeMounts')
      end
+
+      it 'includes modsecurity sidecar container' do
+        expect(subject.values).to include('modsecurity-log-volume')
+
+        expect(subject.values).to include('extraContainers')
+      end
    end

    context 'when ingress_modsecurity is disabled' do
@@ -190,6 +196,12 @@ describe Clusters::Applications::Ingress do
        expect(subject.values).not_to include('extraVolumes')
        expect(subject.values).not_to include('extraVolumeMounts')
      end
+
+      it 'excludes modsecurity sidecar container' do
+        expect(subject.values).not_to include('modsecurity-log-volume')
+
+        expect(subject.values).not_to include('extraContainers')
+      end
    end
  end
 end
--- a/vendor/ingress/modsecurity.conf
+++ b/vendor/ingress/modsecurity.conf
@@ -236,7 +236,8 @@ SecAuditLogParts ABIJDEFHZ
 # assumes that you will use the audit log only ocassionally.
 #
 # SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.log
+SecAuditLogFormat JSON
+SecAuditLog /var/log/modsec/audit.log

 # Specify the path for concurrent audit logging.
 #SecAuditLogStorageDir /opt/modsecurity/var/audit/