authorJingLu5 <lvjing5@huawei.com>2018-09-07 16:18:15 +0800
committerJingLu5 <lvjing5@huawei.com>2018-09-07 17:15:05 +0800
commit0ade6b1a529828c72d68ae2c42d17a33dd61586e (patch)
tree9f896a86522652cc662a2d3565428cdb90caae80 /samples
parent9919161fee48f5f212611ade97d513f146f0139f (diff)
Add ModSecurity config guide
This patch adds a ModSecurity config guide. This patch also deploys the modsecurity and ext_authz filter to the clover-gateway namespace. Change-Id: I5ab21e6337b8f8b839ddd028370df378686bd017 Signed-off-by: JingLu5 <lvjing5@huawei.com>
Diffstat (limited to 'samples')
-rw-r--r--samples/scenarios/ingressgateway_ext_authz_filter.yaml (renamed from samples/scenarios/istio_ingressgateway_envoyfilter.yaml)6
-rw-r--r--samples/scenarios/modsecurity_all_in_one.yaml65
-rw-r--r--samples/services/modsecurity/yaml/manifest.template2
-rw-r--r--samples/services/modsecurity/yaml/modsecurity-deployment.yaml1
-rw-r--r--samples/services/modsecurity/yaml/modsecurity-service.yaml1
-rw-r--r--samples/services/modsecurity/yaml/render_yaml.py4
6 files changed, 76 insertions, 3 deletions
diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
index 46f730c..0960a50 100644
--- a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
+++ b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ext-authz
- namespace: istio-system
+ namespace: clover-gateway
spec:
workloadLabels:
app: istio-ingressgateway
@@ -18,7 +18,7 @@ spec:
filterConfig:
http_service:
server_uri:
- uri: "http://modsecurity-crs.istio-system.svc.cluster.local"
- cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local"
+ uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+ cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
timeout: 0.5s
failure_mode_allow: false
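Review bot: The rewritten `cluster` value on the `+` lines hard-codes the Envoy upstream name `outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local`, so the filter silently stops authorizing if the Service's port or namespace is ever changed while the `uri` line still resolves; a comment above `server_uri:` tying the two together would help, e.g. `# cluster must match the Service exactly: outbound|<port>||<name>.<namespace>.svc.cluster.local` (placeholders). The unchanged `failure_mode_allow: false` combined with `timeout: 0.5s` means any slowness or outage of the ModSecurity backend fails closed for all gateway traffic on port 80 — the right default for a WAF, but worth stating in a comment so it is not flipped to `true` to "fix" an outage. Whether an EnvoyFilter in clover-gateway still selects the `istio-ingressgateway` workload depends on which namespace that gateway runs in; if it remains in istio-system the moved filter would presumably no longer match, which is not visible from this hunk.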
diff --git a/samples/scenarios/modsecurity_all_in_one.yaml b/samples/scenarios/modsecurity_all_in_one.yaml
new file mode 100644
index 0000000..aa92b13
--- /dev/null
+++ b/samples/scenarios/modsecurity_all_in_one.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: modsecurity-crs
+ namespace: clover-gateway
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: modsecurity-crs
+ template:
+ metadata:
+ labels:
+ app: modsecurity-crs
+ spec:
+ containers:
+ - name: modsecurity-crs
+ image: clover/clover-ns-modsecurity-crs
+ ports:
+ - containerPort: 80
+ env:
+ - name: PARANOIA
+ value: '1'
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: modsecurity-crs
+ namespace: clover-gateway
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: http-modsecurity-crs
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: modsecurity-crs
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ext-authz
+ namespace: clover-gateway
+spec:
+ workloadLabels:
+ app: istio-ingressgateway
+ filters:
+ - insertPosition:
+ index: FIRST
+ listenerMatch:
+ portNumber: 80
+ listenerType: GATEWAY
+ listenerProtocol: HTTP
+ filterType: HTTP
+ filterName: "envoy.ext_authz"
+ filterConfig:
+ http_service:
+ server_uri:
+ uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+ cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
+ timeout: 0.5s
+ failure_mode_allow: false
+---
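Review bot: `type: NodePort` on the modsecurity-crs Service exposes the WAF backend on every node's address, even though the ext_authz filter only reaches it through the cluster-local name on the `uri`/`cluster` lines; `type: ClusterIP` (or omitting the `type` line) keeps the authorization service reachable only from inside the mesh. The container image `clover/clover-ns-modsecurity-crs` carries no tag, so each rollout pulls whatever `latest` is at that moment; pin it, e.g. `image: clover/clover-ns-modsecurity-crs:<TAG>` (placeholder). The file is named all-in-one but contains no `Namespace` object for clover-gateway, so applying it fails unless the namespace already exists — the same precondition is introduced by the hardcoded `namespace: clover-gateway` added in the modsecurity-deployment.yaml and modsecurity-service.yaml hunks below. `apiVersion: extensions/v1beta1` for the Deployment is the legacy API; `apps/v1` is the stable one.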
diff --git a/samples/services/modsecurity/yaml/manifest.template b/samples/services/modsecurity/yaml/manifest.template
index afeb9dc..2206e6d 100644
--- a/samples/services/modsecurity/yaml/manifest.template
+++ b/samples/services/modsecurity/yaml/manifest.template
@@ -3,6 +3,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ deploy_name }}
+ namespace: {{ deploy_namespace }}
labels:
app: {{ deploy_name }}
spec:
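Review bot: The added `namespace: {{ deploy_namespace }}` is rendered unquoted, so whatever string is passed on the command line lands in the manifest as a plain scalar, and an empty value renders as `namespace:`, which YAML reads as null and kubectl would presumably then resolve to the kubeconfig context's namespace without complaint. Quoting the expansion, `namespace: "{{ deploy_namespace }}"`, keeps the rendered value a string whatever is substituted; the same applies to the second hunk of this file (the Service metadata). The pre-existing `name: {{ deploy_name }}` has the same shape, so if quoting is adopted it should be applied to every templated scalar in the file for consistency.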
@@ -26,6 +27,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ deploy_name }}
+ namespace: {{ deploy_namespace }}
labels:
app: {{ deploy_name }}
spec:
diff --git a/samples/services/modsecurity/yaml/modsecurity-deployment.yaml b/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
index 450ede5..1e88f30 100644
--- a/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
+++ b/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: modsecurity-crs
+ namespace: clover-gateway
spec:
replicas: 1
selector:
diff --git a/samples/services/modsecurity/yaml/modsecurity-service.yaml b/samples/services/modsecurity/yaml/modsecurity-service.yaml
index 8548dca..7432630 100644
--- a/samples/services/modsecurity/yaml/modsecurity-service.yaml
+++ b/samples/services/modsecurity/yaml/modsecurity-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: modsecurity-crs
+ namespace: clover-gateway
spec:
type: NodePort
ports:
diff --git a/samples/services/modsecurity/yaml/render_yaml.py b/samples/services/modsecurity/yaml/render_yaml.py
index 54f8069..67622d6 100644
--- a/samples/services/modsecurity/yaml/render_yaml.py
+++ b/samples/services/modsecurity/yaml/render_yaml.py
@@ -22,6 +22,7 @@ def render_yaml(args):
image_name=args['image_name'],
image_tag=args['image_tag'],
deploy_name=args['deploy_name'],
+ deploy_namespace=args['deploy_namespace'],
http_port=args['http_port'],
paranoia_level=args['paranoia_level']
)
@@ -49,6 +50,9 @@ if __name__ == '__main__':
'--deploy_name', default='modsecurity-crs',
help='The k8s deploy name to use')
parser.add_argument(
+ '--deploy_namespace', default='clover-gateway',
+ help='The k8s namespace to deploy pod and service')
+ parser.add_argument(
'--http_port', default='80',
help='Analyze http traffic on this port')
parser.add_argument(
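Review bot: The new `--deploy_namespace` option is passed straight through to the template with no validation, so a value that is not a DNS-1123 label (uppercase, underscores, an empty string) is only rejected by the API server after rendering; a check after `parse_args()`, e.g. `if not re.match(r'^[a-z0-9]([-a-z0-9]*[a-z0-9])?$', args['deploy_namespace']):` followed by `parser.error('--deploy_namespace must be a DNS-1123 label')`, fails fast (this needs `import re`, which may or may not already be present outside the hunk). The help text would read more naturally as `help='The k8s namespace in which to deploy the pod and service'`. The `render_yaml` function that consumes the value in the first hunk of this file starts outside that hunk, and the `__main__` block continues past the end of this one.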