wallarm / ingress
Kubernetes Ingress controller with integrated Wallarm services
Home Page: https://wallarm.com/solutions/waf-for-kubernetes/
License: Apache License 2.0
As per the recommendation under Kubernetes Policy CKV_K8S_35, $subject would help us avoid introducing Secret values via environment variables to Wallarm containers.
It is highly recommended to stick to $subject - CKV_K8S_22.
The Wallarm Ingress Controller Helm chart allows us to set controller.containerSecurityContext.readOnlyRootFilesystem, but this leads to container restarts due to application failures.
F0503 20:26:13.471636 7 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: read-only file system
When an empty directory is set for container path /etc/ingress-controller/ssl along with a read-only file system, we experience the following.
F0517 19:40:33.463422 9 main.go:138] Error creating prometheus collector: listen unix /tmp/nginx/prometheus-nginx.socket: bind: read-only file system
Once the container path /tmp/nginx is set with an empty directory, we experience the following.
E0517 19:44:03.872256 7 queue.go:130] "requeuing" err="open /etc/nginx/opentracing.json: read-only file system" key="initial-sync"
I0517 19:44:03.872367 7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"wallarm-ingress", Name:"wallarm-ingress-controller-5dc89958b4-49lnp", UID:"9d1af921-212c-4e21-9723-d6614dce32cc", APIVersion:"v1", ResourceVersion:"17657554", FieldPath:""}): type: 'Warning' reason: 'RELOAD' Error reloading NGINX: open /etc/nginx/opentracing.json: read-only file system
I0517 19:44:03.872770 7 status.go:84] "New leader elected" identity="wallarm-ingress-controller-5d6c8455cc-c9l6d"
I0517 19:44:07.202046 7 controller.go:190] "Configuration changes detected, backend reload required"
E0517 19:44:07.205390 7 controller.go:202] Unexpected failure reloading the backend: open /etc/nginx/opentracing.json: read-only file system
...
E0517 19:45:00.542310 7 queue.go:130] "requeuing" err="open /etc/nginx/opentracing.json: read-only file system" key="neuvector/neuvector-svc-controller-whp8c"
I0517 19:45:00.542302 7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"wallarm-ingress", Name:"wallarm-ingress-controller-5dc89958b4-49lnp", UID:"9d1af921-212c-4e21-9723-d6614dce32cc", APIVersion:"v1", ResourceVersion:"17657554", FieldPath:""}): type: 'Warning' reason: 'RELOAD' Error reloading NGINX: open /etc/nginx/opentracing.json: read-only file system
I0517 19:45:01.488782 7 sigterm.go:36] "Received SIGTERM, shutting down"
I0517 19:45:01.488823 7 nginx.go:380] "Shutting down controller queues"
I0517 19:45:01.504594 7 nginx.go:388] "Stopping admission controller"
E0517 19:45:01.504669 7 nginx.go:327] "Error listening for TLS connections" err="http: Server closed"
I0517 19:45:01.504682 7 nginx.go:396] "Stopping NGINX process"
2023/05/17 19:45:01 [notice] 36#36: signal process started
I0517 19:45:02.509588 7 nginx.go:409] "NGINX process has stopped"
I0517 19:45:02.509614 7 sigterm.go:44] Handled quit, delaying controller exit for 10 seconds
I0517 19:45:12.510504 7 sigterm.go:47] "Exiting" code=0
Wallarm team, can we please know the purpose of each Kubernetes API resource-action permission attached via the ClusterRole and Role?
This would help us identify which API permissions can be dropped based on our requirements (if feasible).
We would especially like to understand the following.
Purpose of listing/watching clusterwide secrets - ClusterRole
Why is it required to patch cluster wide event resources as defined here?
We have noticed the following application error log in the wallarm-appstructure container of the wallarm-ingress-controller-wallarm-tarantool Kubernetes Deployment.
2023-05-23 13:08:55,710 INFO wallarm-appstructure[1] Creating the new Wallarm API client (host: us1.api.wallarm.com, port: 443, ca_verify: True, Node version: (4, 6))
2023-05-23 13:08:55,710 INFO wallarm-appstructure[1] Wallarm API observing job started
2023-05-23 13:09:55,766 INFO wallarm-appstructure[1] Wallarm API: Fetching client's ID...
2023-05-23 13:09:56,023 INFO wallarm-appstructure[1] Wallarm API: Client's ID -> 11332
2023-05-23 13:09:56,126 INFO wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:56,126 INFO wallarm-appstructure[1] Creating the new Wallarm API client (host: us1.api.wallarm.com, port: 443, ca_verify: True, Node version: (4, 6))
2023-05-23 13:09:56,126 INFO wallarm-appstructure[1] Upload statistic job started
2023-05-23 13:09:56,127 INFO wallarm-appstructure[1] AppStructure Client's activity is enabled
2023-05-23 13:09:56,168 ERROR wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 54, in run
self.process()
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 80, in process
self.stats.add_request(request, stats_logger=self.stats_logger)
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/stats_storage.py", line 60, in add_request
request, self._stats[instance], stats_logger=stats_logger
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/request_preprocessor.py", line 111, in call
for entry in request.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 264, in entries
for entry in result.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 78, in entries
for e in value.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 72, in entries
types = cast(Dict[str, EntryParserT], self.value_types())
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 49, in value_types
types = self.data[1][9]
IndexError: list index out of range
2023-05-23 13:09:57,169 INFO wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:57,171 ERROR wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 54, in run
self.process()
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/fetch_requests_job.py", line 80, in process
self.stats.add_request(request, stats_logger=self.stats_logger)
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/stats_storage.py", line 60, in add_request
request, self._stats[instance], stats_logger=stats_logger
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/client/request_preprocessor.py", line 111, in call
for entry in request.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 264, in entries
for entry in result.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 78, in entries
for e in value.entries():
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 72, in entries
types = cast(Dict[str, EntryParserT], self.value_types())
File "/opt/wallarm/python/usr/lib/python3/dist-packages/wallarm/proton/serialized_request.py", line 49, in value_types
types = self.data[1][9]
IndexError: list index out of range
2023-05-23 13:09:58,172 INFO wallarm-appstructure[1] Fetching requests job started
2023-05-23 13:09:58,174 ERROR wallarm-appstructure[1] Unhandled exception in fetching requests job: list index out of range
Traceback (most recent call last):
No container-level failures recorded.
Wallarm team, why do we experience the above?
It is highly recommended to stick to $subject - CKV_K8S_22.
The Wallarm Ingress Controller Helm chart allows us to set controller.containerSecurityContext.readOnlyRootFilesystem, but this leads to container restarts due to application failures.
2023-05-03 20:26:29.564 [1] main/101/init.lua C> Tarantool 1.10.14-0-g95447943d
2023-05-03 20:26:29.564 [1] main/101/init.lua C> log level 4
2023-05-03 20:26:29.575 [1] snapshot/101/main xlog.c:878 !> open, [./00000000000000000000.snap.inprogress]: Read-only file system
2023-05-03 20:26:29.576 [1] main/101/init.lua F> failed to create a checkpoint
2023-05-03 20:26:29.575 [1] main/101/init.lua xlog.c:879 !> SystemError failed to create file './00000000000000000000.snap.inprogress': Read-only file system
2023-05-03 20:26:29.576 [1] main/101/init.lua F> failed to create a checkpoint
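An added triage script (not code from the wallarm/ingress project or the issue reporter) that scans controller and Tarantool log lines of the kind quoted above and reports, per failure reason, the directories a container tried to write to, so read-only refusals (candidates for a writable volume) can be told apart from the permission-denied refusals seen in the runAsUser report below. The sample lines are constructed from the excerpts above; the Tarantool workdir passed as cwd is an assumption.

```python
import posixpath
import re
from collections import defaultdict

# The three shapes in which the logs above report a refused filesystem write.
PATTERNS = (
    # Go/klog: "... open /path: read-only file system" (or "permission denied")
    re.compile(r'open (?P<path>/[^\s:"]+): (?P<why>read-only file system|permission denied)'),
    # Go net: "... listen unix /path: bind: read-only file system"
    re.compile(r"listen unix (?P<path>/[^\s:]+): bind: (?P<why>read-only file system|permission denied)"),
    # Tarantool xlog: "... failed to create file './path': Read-only file system"
    re.compile(r"failed to create file '(?P<path>[^']+)': (?P<why>Read-only file system|Permission denied)"),
)

def refused_writes(lines, cwd="/"):
    """Return [(reason, absolute_path)] per refused write, deduplicated, in first-seen order.
    Relative paths (Tarantool logs './...') are resolved against cwd, an assumed workdir."""
    seen, out = set(), []
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            why = m.group("why").lower()
            path = posixpath.normpath(posixpath.join(cwd, m.group("path")))
            if (why, path) not in seen:
                seen.add((why, path))
                out.append((why, path))
            break
    return out

def dirs_by_reason(lines, cwd="/"):
    """Group refused writes by reason, then by parent directory: 'read-only file system'
    directories are candidates for a writable volume (e.g. an emptyDir), while 'permission
    denied' ones typically point at a directory owned by another UID in the image."""
    groups = defaultdict(lambda: defaultdict(list))
    for why, path in refused_writes(lines, cwd):
        groups[why][posixpath.dirname(path)].append(posixpath.basename(path))
    return {why: dict(d) for why, d in groups.items()}

# Constructed sample: lines copied from the excerpts above, rejoined onto one line each.
SAMPLE_LOG = [
    "F0503 20:26:13.471636 7 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: read-only file system",
    "F0517 19:40:33.463422 9 main.go:138] Error creating prometheus collector: listen unix /tmp/nginx/prometheus-nginx.socket: bind: read-only file system",
    'E0517 19:44:03.872256 7 queue.go:130] "requeuing" err="open /etc/nginx/opentracing.json: read-only file system" key="initial-sync"',
    "E0517 19:44:07.205390 7 controller.go:202] Unexpected failure reloading the backend: open /etc/nginx/opentracing.json: read-only file system",
    "2023-05-03 20:26:29.575 [1] main/101/init.lua xlog.c:879 !> SystemError failed to create file './00000000000000000000.snap.inprogress': Read-only file system",
    "F0504 08:52:08.389642 8 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied",
]
```

Mounting an emptyDir over a directory the image already populates (such as /etc/nginx) hides the image's own files, so treat the reported directories as a starting point for the mounts rather than a finished list.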
$subject noted for sidecars of Wallarm Ingress Controller added when controller.wallarm.enabled is set to true: cron, collectd and synccloud.
Container definitions are hard-coded under chart helper functions.
Violation of Kubernetes policy: https://docs.bridgecrew.io/docs/bc_k8s_7
Suggesting $subject as currently user ID 101 is in violation of Kubernetes policy https://docs.bridgecrew.io/docs/bc_k8s_37.
controller.image.runAsUser set to 10001:
F0504 08:52:08.389642 8 ssl.go:390] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied
Related issue: kubernetes/ingress-nginx#4061
cron with user ID 10001
It was noticed that a connection failure doesn't resolve.
{"channel":"stdout","iteration":14,"job.command":"timeout 3h /opt/wallarm/ruby/usr/share/wallarm-common/export-metrics -l STDOUT","job.position":2,"job.schedule":"* * * * *","level":"info","msg":"2023-05-04 09:01:00 ERROR export-metrics[153]: Can't export metrics (Errno::ECONNREFUSED): Failed to open TCP connection to 127.0.0.1:10246 (Connection refused - connect(2) for \"127.0.0.1\" port 10246)","time":"2023-05-04T09:01:00Z"}
collectd with user ID 10001
Connection failure doesn't resolve.
[2023-05-04 08:46:28] curl_json plugin: curl_easy_perform failed with status 7: Failed to connect to 127.0.0.1 port 10246: Connection refused (http://127.0.0.1:10246/wallarm-status)
[2023-05-04 08:46:28] read-function of plugin `curl_json-wallarm_nginx-http://127.0.0.1:10246/wallarm-status' failed. Will suspend it for 20.000 seconds.
[2023-05-04 08:46:48] curl_json plugin: curl_easy_perform failed with status 7: Failed to connect to 127.0.0.1 port 10246: Connection refused (http://127.0.0.1:10246/wallarm-status)
[2023-05-04 08:46:48] read-function of plugin `curl_json-wallarm_nginx-http://127.0.0.1:10246/wallarm-status' failed. Will suspend it for 40.000 seconds.