
Using Azure Waf Policy For Path on a specific ingress when policy doesn't exist breaks entire app gateway #1615

Open
Poltergeisen opened this issue May 22, 2024 · 2 comments


Poltergeisen commented May 22, 2024

Describe the bug
We have an app gateway that is shared for an entire AKS cluster. When a team accidentally references a WAF policy that doesn't exist yet, it breaks the app gateway backend connections for the entire App Gateway, and not for the ingress in question.

To Reproduce
Steps to reproduce the behavior:
Create an AKS cluster
Create 2 applications to run on the cluster, one using no WAF policy and one using a WAF policy that doesn't exist yet

Both applications fail to resolve IP addresses from the backend pool.

Example ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-api
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    cert-manager.io/cluster-issuer: sectigo-issuer
    appgw.ingress.kubernetes.io/backend-protocol: http
    appgw.ingress.kubernetes.io/use-private-ip: "true"
    appgw.ingress.kubernetes.io/waf-policy-for-path: "subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/my-policy-that-doesnt-exist"
spec:
  tls:
  - hosts:
    - my.host.tld
    secretName: sbx-tls
  rules:
  - host: my.host.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

Ingress Controller details

  • Output of kubectl describe pod <ingress controller>. The pod name can be obtained by running helm list.
  • I'm running this via AKS; I can send additional info as needed. We don't have any custom configuration here.
  • Output of kubectl logs.
    • I am not comfortable sharing those on GitHub, but I can share privately through the support ticket if necessary.
  • Any Azure support tickets associated with this issue.
    • 2405220040017720
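Because one dangling waf-policy-for-path reference takes down every ingress on the shared gateway, a pre-apply check that rejects such a manifest before it reaches the cluster limits the blast radius. The following is an added example, not code from this issue or from the AGIC project; the manifest is constructed to mirror the one above, and the list of existing policy IDs stands in for a live lookup (for instance `az resource show --ids`), which is an assumption.

```python
import re
from typing import Dict, Iterable, List

# Annotation the AGIC controller reads (named in the issue above).
WAF_ANNOTATION = "appgw.ingress.kubernetes.io/waf-policy-for-path"
# ARM resource ID layout for a WAF policy; the leading slash is optional because
# the manifest in the issue omits it.
WAF_ID_RE = re.compile(
    r"^/?subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"Microsoft\.Network/applicationGatewayWebApplicationFirewallPolicies/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

def parse_waf_policy_id(value: str) -> Dict[str, str]:
    """Split a WAF policy resource ID into its parts; raise on a malformed ID."""
    m = WAF_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed WAF policy resource ID: {value!r}")
    return m.groupdict()

def check_ingress(ingress: dict, existing_policies: Iterable[str]) -> List[str]:
    """Return findings for one Ingress; an empty list means it is safe to apply.
    existing_policies stands in for a live lookup such as `az resource show --ids`
    (assumption); IDs are compared case-insensitively without the leading slash."""
    known = {p.strip().lstrip("/").lower() for p in existing_policies}
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    value = meta.get("annotations", {}).get(WAF_ANNOTATION)
    if value is None:
        return []  # no WAF policy reference on this ingress
    try:
        parts = parse_waf_policy_id(value)
    except ValueError as exc:
        return [f"{name}: {exc}"]
    if value.strip().lstrip("/").lower() not in known:
        return [f"{name}: WAF policy '{parts['name']}' in resource group '{parts['rg']}' "
                "does not exist; one bad reference affects every ingress on the shared gateway"]
    return []

# Constructed manifest mirroring the one in the issue (placeholder values).
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "my-api", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        WAF_ANNOTATION: "subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/"
                        "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/my-policy-that-doesnt-exist"}},
}
# Constructed: the only policy that exists in this example subscription.
EXISTING = ["/subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/prod-policy"]
```

Calling check_ingress(BAD_INGRESS, EXISTING) returns the finding for the manifest from the issue; wiring the same check into CI or an admission webhook keeps the manifest from ever being applied.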
@erkkov2lja

The issue is there and will break all of the AKS ingresses created, after one of the ingress rules has a non-existing WAF rule reference.

[screenshot: waf_issue]

@Poltergeisen (Author)

> The issue is there and will break all of the AKS ingresses created, after one of the ingress rules has a non-existing WAF rule reference.
>
> [screenshot: waf_issue]

Yes, this is what we experienced. We are working with a CSA on this, but there don't seem to be any good solutions. Waiting to hear back, and I can update this issue if I do.
