Enable Gloo/Envoy to dynamically load WAF/mod_security rules from file mounted into pod
Is your feature request related to a problem? Please describe.
Need to be able to dynamically load large mod_security rule files into Gloo/Envoy without requiring a restart. Do not want to rely on CRDs due to size concerns and format of generated rules (e.g. Trustwave).
Describe the solution you'd like
Possibly mount a native rules file into Gloo/Envoy pod to drive mod_security config.
We are still facing this issue. We use k8s configmaps as recommended by Gloo Enterprise, but the modsecurity rules are not getting picked up by the gloo-ee proxy whenever changes are made to the configmap.
@PankajMoolrajani I moved this into priority list
@PankajMoolrajani can you help me better understand the request?
"We use k8s configmaps as recommended by gloo enterprise" - can you point me to the documentation you are using, for my reference?
I understand the ask as: When you modify your ModSecurity rule files specified in your VS or Gateway you want these changes to your file to be automatically picked up by envoy.
Yes that's the ask. Like any other config changes to VS or Gateway, these rules even though externalized in a config file should get picked up automatically.
Okay, I am working on API changes to separate configmap from file input as we can pick up changes from configmap dynamically. For now if you need changes picked up you can version the filename to indicate that there has been a change to the file content. That will be picked up.
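The filename-versioning workaround described in the comment above can be automated by deriving the name from the file's content hash, so the name changes exactly when the rules change. This is an added example, not part of the original thread and not Gloo tooling; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: content-addressed naming for a ModSecurity rules file.
# Function names and paths are hypothetical, not part of Gloo.

# Hex SHA-256 of a file, using whichever common tool is installed.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print "<dest_dir>/<stem>-<first 12 hex chars of digest>[.<ext>]".
versioned_rules_path() {
  vrp_src=$1
  vrp_dir=$2
  # Refuse missing or empty files so a failed export never gets published.
  [ -s "$vrp_src" ] || { echo "missing or empty rules file: $vrp_src" >&2; return 1; }
  vrp_base=$(basename "$vrp_src")
  vrp_digest=$(file_sha256 "$vrp_src" | cut -c1-12)
  [ -n "$vrp_digest" ] || return 1
  case $vrp_base in
    *.*) printf '%s/%s-%s.%s\n' "$vrp_dir" "${vrp_base%.*}" "$vrp_digest" "${vrp_base##*.}" ;;
    *)   printf '%s/%s-%s\n' "$vrp_dir" "$vrp_base" "$vrp_digest" ;;
  esac
}

# Copy the rules file to its versioned name (no-op if that version already
# exists) and print the path to reference in the WAF configuration.
# Older versions are left in place so a config that still points at them
# keeps working until it is updated.
publish_rules() {
  pr_target=$(versioned_rules_path "$1" "$2") || return 1
  mkdir -p "$2"
  [ -f "$pr_target" ] || cp -- "$1" "$pr_target"
  printf '%s\n' "$pr_target"
}

# Usage: publish_rules /path/to/rules.conf /path/to/mounted/rules-dir
```

Unchanged content maps to the same name, so re-running the helper does not cause a spurious config change.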
@PankajMoolrajani - I'm releasing the update in the latest 1.13.x, what minor version are you on? I can start backports if you need it in earlier minors.
Released to 1.13.0-beta9 - closing with this release
@ianmacclancy I will check on what version we have and will update you here.