author | JingLu5 <lvjing5@huawei.com> | 2018-09-07 16:18:15 +0800 |
---|---|---|
committer | JingLu5 <lvjing5@huawei.com> | 2018-09-07 17:15:05 +0800 |
commit | 0ade6b1a529828c72d68ae2c42d17a33dd61586e (patch) | |
tree | 9f896a86522652cc662a2d3565428cdb90caae80 /samples/scenarios | |
parent | 9919161fee48f5f212611ade97d513f146f0139f (diff) |
Add ModSecurity config guide
This patch adds a ModSecurity config guide.
This patch also deploys the modsecurity and ext_authz filter to the clover-gateway namespace.
Change-Id: I5ab21e6337b8f8b839ddd028370df378686bd017
Signed-off-by: JingLu5 <lvjing5@huawei.com>
Diffstat (limited to 'samples/scenarios')
-rw-r--r-- | samples/scenarios/ingressgateway_ext_authz_filter.yaml (renamed from samples/scenarios/istio_ingressgateway_envoyfilter.yaml) | 6 | ||||
-rw-r--r-- | samples/scenarios/modsecurity_all_in_one.yaml | 65 |
2 files changed, 68 insertions, 3 deletions
diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
index 46f730c..0960a50 100644
--- a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
+++ b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
 name: ext-authz
- namespace: istio-system
+ namespace: clover-gateway
 spec:
 workloadLabels:
 app: istio-ingressgateway
@@ -18,7 +18,7 @@ spec:
 filterConfig:
 http_service:
 server_uri:
- uri: "http://modsecurity-crs.istio-system.svc.cluster.local"
- cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local"
+ uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+ cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
 timeout: 0.5s
 failure_mode_allow: false
diff --git a/samples/scenarios/modsecurity_all_in_one.yaml b/samples/scenarios/modsecurity_all_in_one.yaml
new file mode 100644
index 0000000..aa92b13
--- /dev/null
+++ b/samples/scenarios/modsecurity_all_in_one.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: modsecurity-crs
+ namespace: clover-gateway
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: modsecurity-crs
+ template:
+ metadata:
+ labels:
+ app: modsecurity-crs
+ spec:
+ containers:
+ - name: modsecurity-crs
+ image: clover/clover-ns-modsecurity-crs
+ ports:
+ - containerPort: 80
+ env:
+ - name: PARANOIA
+ value: '1'
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: modsecurity-crs
+ namespace: clover-gateway
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: http-modsecurity-crs
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: modsecurity-crs
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ext-authz
+ namespace: clover-gateway
+spec:
+ workloadLabels:
+ app: istio-ingressgateway
+ filters:
+ - insertPosition:
+ index: FIRST
+ listenerMatch:
+ portNumber: 80
+ listenerType: GATEWAY
+ listenerProtocol: HTTP
+ filterType: HTTP
+ filterName: "envoy.ext_authz"
+ filterConfig:
+ http_service:
+ server_uri:
+ uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+ cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
+ timeout: 0.5s
+ failure_mode_allow: false
+---
|
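Review bot: The `modsecurity-crs` Service is declared `type: NodePort`, which opens the WAF/authz backend on a port of every node, although the ext_authz filter in this same file reaches it only through the cluster-local name `modsecurity-crs.clover-gateway.svc.cluster.local`; `type: ClusterIP` would keep it reachable by the gateway without exposing it outside the cluster. The container image `clover/clover-ns-modsecurity-crs` also carries no tag or digest, so the deployed rule engine can change between pulls; pinning it, e.g. `image: clover/clover-ns-modsecurity-crs:<pinned-tag-or-digest>`, makes the sample reproducible. With `replicas: 1`, no readiness probe and `failure_mode_allow: false`, a restart of this one pod denies all port-80 ingress traffic; failing closed is the right default for a WAF, but the guide should say so or the replica count should be raised.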