
AGIC controller unable to update configs at Application gateway when custom policies are Associated

Open · walvarado-applaudo opened this issue · 1 comment

Describe the bug

Application Gateway Ingress Controller fails to update configuration when a Custom WAF Policy is associated with Application Gateway WAF

To Reproduce

Steps to reproduce the behavior:

  • Must have a valid AGIC Integration with AKS
  • AG must be WAFv2 Tier.
  • AG must have a custom WAF Policy associated with it.
  • Perform a new ingress update or perform a restart of any active deployment being used with ingress controller
  • Check if AGIC Application Gateway backend pools are updated.
  • Check ingress controller pods to find the logs attached below.

Ingress Controller details

  • Output of `kubectl describe pod <ingress controller>`. The pod name can be obtained by running `helm list`.
  • Output of `kubectl logs`:

I0817 20:37:10.291689       1 routing_rules.go:97] [brownfield] Existing Rules AGIC will remove: n/a
I0817 20:37:10.315812       1 mutate_app_gateway.go:177] BEGIN AppGateway deployment
I0817 20:37:10.484484       1 mutate_app_gateway.go:183] END AppGateway deployment
E0817 20:37:10.484562       1 controller.go:141] network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy associated with it." Details=[]
E0817 20:37:10.484573       1 worker.go:62] Error processing event.network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy associated with it." Details=[]
I0817 21:06:41.457134       1 controller.go:123] Reset all ingress ip
I0817 21:06:41.457171       1 controller.go:125] Ignore mutating App Gateway as it is not mutable
I0817 21:08:39.019635       1 controller.go:123] Reset all ingress ip
I0817 21:08:39.029922       1 controller.go:125] Ignore mutating App Gateway as it is not mutable
I0817 21:08:55.009411       1 controller.go:123] Reset all ingress ip
I0817 21:08:55.009761       1 controller.go:125] Ignore mutating App Gateway as it is not mutable
I0817 21:09:11.604395       1 controller.go:123] Reset all ingress ip
I0817 21:09:11.623011       1 controller.go:125] Ignore mutating App Gateway as it is not mutable

Does anyone know if this is normal behaviour? Or if there's any way you can associate custom WAF policies without being prevented from updating configs from AGIC?

walvarado-applaudo, Aug 17 '22 22:08

Hey @williamalvvc, I'm just another user, but I thought you might want to know about this ongoing issue with the App Gateway API: we can't update an attribute (really any attribute) of an existing App Gateway (via TF in my case) if it has both an "inline" WAF configuration and a WAF policy associated with it, leading to the same error you mention above.

The workaround is to drop the inline WAF configuration. You don't mention how your App Gateway was deployed, but if it was via Terraform you need a recent azurerm provider version to be able to "nullify" the inline WAF configuration.

For reference: https://github.com/Azure/application-gateway-kubernetes-ingress/issues/1417

kxs-jnadeau, Aug 27 '22 20:08
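As an added example (not code from the issue or from the AGIC project), the following Python script ties the two halves of this thread together: it scans AGIC controller log lines for the `ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy` error code and the "not mutable" loop that follows it, and it inspects an Application Gateway resource to confirm the state the reply identifies as the cause, an inline WAF configuration and an associated WAF policy present at the same time. The resource field names (`webApplicationFirewallConfiguration`, `firewallPolicy`, `sku.tier`) are assumed from the ARM ApplicationGateway schema as returned by `az network application-gateway show -o json`; the sample log lines are copied from the issue, and the sample resource uses placeholder IDs.

```python
"""Triage helper for the AGIC failure discussed in this issue (added example).

1. scan_agic_logs: find the WAF-policy conflict error in controller logs.
2. diagnose_app_gateway: check whether a gateway carries BOTH an inline WAF
   configuration and an associated WAF policy.
3. plan_remediation: produce the corrected resource (inline block dropped,
   policy kept), which is the workaround described in the reply.

Field names are assumed from the ARM ApplicationGateway schema.
"""
import json
import re

# Error code logged by AGIC in this issue.
CONFLICT_CODE = "ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy"
_CODE_RE = re.compile(r'Code="([A-Za-z0-9]+)"')
_NOT_MUTABLE = "Ignore mutating App Gateway as it is not mutable"

# Constructed sample: a subset of the controller log lines posted above.
SAMPLE_LOG = """\
I0817 20:37:10.484484       1 mutate_app_gateway.go:183] END AppGateway deployment
E0817 20:37:10.484562       1 controller.go:141] network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy associated with it." Details=[]
E0817 20:37:10.484573       1 worker.go:62] Error processing event.network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ApplicationGatewayWafConfigurationCannotBeChangedWithWafPolicy" Message="WebApplicationFirewallConfiguration cannot be changed when there is a WAF Policy associated with it." Details=[]
I0817 21:06:41.457134       1 controller.go:123] Reset all ingress ip
I0817 21:06:41.457171       1 controller.go:125] Ignore mutating App Gateway as it is not mutable
I0817 21:08:39.019635       1 controller.go:123] Reset all ingress ip
I0817 21:08:39.029922       1 controller.go:125] Ignore mutating App Gateway as it is not mutable
""".splitlines()


def scan_agic_logs(lines):
    """Count Azure error codes on E-level lines and the reconcile loops AGIC
    skipped afterwards. 'waf_policy_conflict' is the verdict."""
    codes = {}
    skipped = 0
    for line in lines:
        if line.startswith("E"):
            for code in _CODE_RE.findall(line):
                codes[code] = codes.get(code, 0) + 1
        elif _NOT_MUTABLE in line:
            skipped += 1
    return {
        "error_codes": codes,
        "skipped_reconciles": skipped,
        "waf_policy_conflict": CONFLICT_CODE in codes,
    }


def diagnose_app_gateway(appgw):
    """appgw: dict parsed from `az network application-gateway show -o json`
    (field names assumed). Returns (conflict, findings)."""
    findings = []
    tier = (appgw.get("sku") or {}).get("tier", "")
    inline = appgw.get("webApplicationFirewallConfiguration")
    policy = (appgw.get("firewallPolicy") or {}).get("id")
    if tier != "WAF_v2":
        findings.append(f"sku.tier is {tier!r}, not WAF_v2; WAF settings do not apply")
    if inline:
        findings.append("inline webApplicationFirewallConfiguration is present")
    if policy:
        findings.append(f"WAF policy associated: {policy}")
    conflict = bool(inline) and bool(policy)
    if conflict:
        findings.append("inline WAF config and WAF policy are both set; "
                        "CreateOrUpdate will be rejected with " + CONFLICT_CODE)
    return conflict, findings


def plan_remediation(appgw):
    """Return a deep copy with the inline WAF block removed and the policy
    association left in place (the workaround from the reply)."""
    fixed = json.loads(json.dumps(appgw))
    fixed.pop("webApplicationFirewallConfiguration", None)
    return fixed


# Constructed sample resource: WAF_v2 gateway with BOTH an inline WAF block
# and a policy attached (placeholder IDs, not taken from the issue).
SAMPLE_APPGW = {
    "name": "example-appgw",
    "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
    "webApplicationFirewallConfiguration": {
        "enabled": True, "firewallMode": "Prevention",
        "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
    },
    "firewallPolicy": {
        "id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
              "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/<policy>"
    },
}

if __name__ == "__main__":
    print(scan_agic_logs(SAMPLE_LOG))
    conflict, findings = diagnose_app_gateway(SAMPLE_APPGW)
    print(conflict, *findings, sep="\n  ")
    print(diagnose_app_gateway(plan_remediation(SAMPLE_APPGW)))
```

Run against your own `kubectl logs` output and `az network application-gateway show -o json` dump instead of the embedded samples; the remediation step only shows the target state, and how you apply it (Terraform with a provider version that lets the inline block be nulled, or a direct ARM update) depends on how the gateway was deployed.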