
Using Azure Waf Policy For Path on a specific ingress when policy doesn't exist breaks entire app gateway

Open Poltergeisen opened this issue 1 year ago • 2 comments

Describe the bug

We have an app gateway that is shared for an entire AKS cluster. When a team accidentally references a WAF policy that doesn't exist yet, it breaks the app gateway backend connections for the entire App Gateway, and not just for the ingress in question.

To Reproduce

Steps to reproduce the behavior:

  • Create an AKS cluster
  • Create 2 applications to run on the cluster, one using no WAF policy and one using a WAF policy that doesn't exist yet

Both applications fail to resolve IP addresses from the backend pool.

Example ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-api
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    cert-manager.io/cluster-issuer: sectigo-issuer
    appgw.ingress.kubernetes.io/backend-protocol: http
    appgw.ingress.kubernetes.io/use-private-ip: "true"
    appgw.ingress.kubernetes.io/waf-policy-for-path: "subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/my-policy-that-doesnt-exist"
spec:
  tls:
  - hosts:
    - my.host.tld
    secretName: sbx-tls
  rules:
  - host: my.host.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

Ingress Controller details

  • Output of `kubectl describe pod <ingress controller>`. The pod name can be obtained by running `helm list`.
    • I'm running this via AKS, I can send more additional info as needed. We don't have any custom configuration here.
  • Output of `kubectl logs <ingress controller>`.
    • I am not comfortable sharing those on github, but I can share privately through the support ticket if necessary.
  • Any Azure support tickets associated with this issue.
    • 2405220040017720

Poltergeisen avatar May 22 '24 21:05 Poltergeisen
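Because a single dangling reference takes down every backend on the shared gateway, the cheapest mitigation is to refuse such a manifest before it is applied (in CI or a pre-deploy hook) rather than discover the blast radius afterwards. The following pre-flight check is an added example written for this issue; it is not part of the ingress controller or of the reporter's setup. It assumes the annotation value is an Azure resource ID of the form shown in the report above (accepting it with or without the leading slash), looks up the policy through an injectable `policy_exists` callback, and ships with a constructed stub inventory so it runs offline. The optional `az_policy_exists` helper shells out to `az network application-gateway waf-policy show`; treat its exact arguments as an assumption to confirm against your installed CLI.

```python
import re
import subprocess
from typing import Callable, List, Optional, Tuple

WAF_ANNOTATION = "appgw.ingress.kubernetes.io/waf-policy-for-path"

# Layout of a WAF policy resource ID. The leading slash is optional because the
# value in the report above omits it; ARM treats the path case-insensitively.
_POLICY_ID_RE = re.compile(
    r"^/?subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/applicationGatewayWebApplicationFirewallPolicies"
    r"/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

ExistsFn = Callable[[str, str, str], bool]


def parse_policy_id(policy_id: str) -> Optional[Tuple[str, str, str]]:
    """Split a WAF policy resource ID into (subscription, resource group, name).

    Returns None when the string is not a WAF policy resource ID at all."""
    m = _POLICY_ID_RE.match(policy_id.strip())
    if not m:
        return None
    return m.group("sub"), m.group("rg"), m.group("name")


def check_ingress(ingress: dict, policy_exists: ExistsFn) -> List[str]:
    """Return a list of problems for one Ingress manifest; empty means safe to apply.

    An ingress without the annotation is fine. An ingress whose annotation is
    malformed, or names a policy that does not exist, is reported."""
    problems: List[str] = []
    meta = ingress.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    annotations = meta.get("annotations") or {}
    policy_id = annotations.get(WAF_ANNOTATION)
    if policy_id is None:
        return problems
    parsed = parse_policy_id(policy_id)
    if parsed is None:
        problems.append(f"{name}: {WAF_ANNOTATION} is not a WAF policy resource ID: {policy_id!r}")
        return problems
    sub, rg, pname = parsed
    if not policy_exists(sub, rg, pname):
        problems.append(f"{name}: WAF policy {pname!r} in resource group {rg!r} "
                        f"(subscription {sub}) does not exist; applying this would "
                        f"break every backend on the shared gateway")
    return problems


# Constructed inventory standing in for a real lookup so the check runs offline.
KNOWN_POLICIES = {("xxx-xxx-xxx", "my-rg", "my-policy")}


def stub_policy_exists(sub: str, rg: str, name: str) -> bool:
    return (sub, rg, name) in KNOWN_POLICIES


def az_policy_exists(sub: str, rg: str, name: str) -> bool:
    """Real lookup via the Azure CLI (assumed command shape; verify locally).
    A non-zero exit code means the policy could not be found."""
    result = subprocess.run(
        ["az", "network", "application-gateway", "waf-policy", "show",
         "--subscription", sub, "--resource-group", rg, "--name", name,
         "--output", "none"],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed manifests: one references a policy that exists, one does not,
# mirroring the two-application reproduction in the report.
GOOD_INGRESS = {
    "metadata": {"name": "my-api", "annotations": {
        WAF_ANNOTATION: "/subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/"
                        "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/my-policy"}},
}
BAD_INGRESS = {
    "metadata": {"name": "my-api", "annotations": {
        WAF_ANNOTATION: "subscriptions/xxx-xxx-xxx/resourceGroups/my-rg/providers/"
                        "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/"
                        "my-policy-that-doesnt-exist"}},
}


def check_all(ingresses: List[dict], policy_exists: ExistsFn = stub_policy_exists) -> List[str]:
    """Gate a whole batch: one bad ingress blocks the entire apply."""
    problems: List[str] = []
    for ing in ingresses:
        problems.extend(check_ingress(ing, policy_exists))
    return problems


if __name__ == "__main__":
    for line in check_all([GOOD_INGRESS, BAD_INGRESS]):
        print("BLOCKED:", line)
```

Running the script against the two constructed manifests blocks the apply because of the second one; swapping `stub_policy_exists` for `az_policy_exists` turns it into a live gate. Gating the whole batch rather than the single ingress reflects the failure mode described in this issue: the gateway is a shared resource, so one bad annotation is a cluster-wide outage, not a per-application one.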

The issue is there and will break all the AKS ingresses created, once one of the ingress rules has a non-existent WAF rule reference.

[image: waf_issue]

erkkov2lja avatar Jun 26 '24 15:06 erkkov2lja

> The issue is there and will break all the AKS ingresses created, once one of the ingress rules has a non-existent WAF rule reference.
>
> [image: waf_issue]

Yes, this is what we experienced. We are working with a CSA on this, but there doesn't seem to be any good solution. Waiting to hear back more; I can update this issue if I do.

Poltergeisen avatar Jun 28 '24 01:06 Poltergeisen

They basically just said that we are SOL :)

Going to swap to a different WAF / gateway probably.

Poltergeisen avatar Sep 04 '25 14:09 Poltergeisen