
WAF configuration using K8s ConfigMap doesn't work in Gateway object #9389

Open
htech7x opened this issue Apr 19, 2024 · 1 comment
Labels
Area: WAF Type: Bug Something isn't working

Comments


htech7x commented Apr 19, 2024

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16.7

Kubernetes Version

1.28.5

Describe the bug

WAF filter configuration in Gloo EE using a k8s ConfigMap works with the VirtualService object and at the "routes" level, but does not work with the Gateway object.

Expected Behavior

WAF filtering works

Steps to reproduce the bug

  1. Create ConfigMap from the file "wafip.conf":
SecRuleEngine On
SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"

kubectl create cm mywaf --from-file=wafip.conf -n gloo-system

  2. Edit the Gateway object:
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options:                         # < --- add this line
      waf:                           # < --- add this line
        configMapRuleSets:           # < --- add this line
        - configMapRef:              # < --- add this line
            name: mywaf              # < --- add this line
            namespace: gloo-system   # < --- add this line
  options:
    accessLoggingService:
      accessLog:
      - fileSink:
          path: /dev/stdout
          stringFormat: |
            [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
  - gateway-proxy
  ssl: false
  useProxyProto: false
  3. Check:
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 200 OK
content-type: text/xml
date: Fri, 19 Apr 2024 17:32:31 GMT
content-length: 86
x-envoy-upstream-service-time: 0
server: envoy

[{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]

logs:
[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream 192.168.12.227:8080 default-petstore-8080_gloo-system

Using the same ConfigMap in a VirtualService works as expected:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: pet-vs
  namespace: gloo-system
spec:
  virtualHost:
    options:
      waf:
        configMapRuleSets:
        - configMapRef:
            name: mywaf
            namespace: gloo-system
    domains:
    - pet.com
    routes:
    - matchers:
      - prefix: /zoo
      options:
        prefixRewrite: /api/pets
      routeAction:
        single:
          upstream:
            name: default-petstore-8080
            namespace: gloo-system

curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:33:44 GMT
server: envoy

ModSecurity: intervention occurred%

logs:
[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - default-petstore-8080_gloo-system

Using the WAF rules directly in the Gateway works as expected:

apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options:
      waf:
        ruleSets:
        - ruleStr: |
            SecRuleEngine On
            SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"
  options:
    accessLoggingService:
      accessLog:
      - fileSink:
          path: /dev/stdout
          stringFormat: |
            [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
  - gateway-proxy
  ssl: false
  useProxyProto: false
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:50:24 GMT
server: envoy

ModSecurity: intervention occurred%

logs:
[2024-04-19T18:50:24.450Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"17135526242.949542"]_[ref_"v0,13"] - default-petstore-8080_gloo-system

Additional Environment Detail

No response

Additional Context

No response
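Added example, not part of the issue or of Gloo Edge: a small Python parser for the access-log stringFormat configured on the Gateway above. It splits each line into the eleven fields that format produces and checks whether the WAF actually intervened, so a deployment where the ConfigMap rule set is silently ignored (request proxied with 200 via_upstream instead of denied with 403 UAEX) shows up as a finding instead of being noticed only by eyeballing curl output. The two sample lines are copied from the logs quoted in the issue; the function names and the `must_block` flag are this example's own.

```python
"""Parse the Envoy access-log lines quoted in the issue and tell a WAF
denial apart from a request that silently reached the upstream.

Field order follows the stringFormat on the Gateway above:
  [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)%
  %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS%
  %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
Envoy prints "-" for an empty field and replaces spaces inside
RESPONSE_CODE_DETAILS with underscores, so whitespace splitting is safe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Number of whitespace-separated tokens the stringFormat above produces.
EXPECTED_TOKENS = 11


@dataclass
class AccessLogEntry:
    start_time: str
    method: str
    original_path: str   # %REQ(X-ENVOY-ORIGINAL-PATH)%; "-" when no rewrite happened
    path: str            # %REQ(:PATH)%, i.e. the path after any prefixRewrite
    response_code: int
    response_flags: str  # Envoy sets UAEX when an external filter (here the WAF) denies
    details: str         # %RESPONSE_CODE_DETAILS%
    upstream_host: str
    upstream_cluster: str


def parse_line(line: str) -> AccessLogEntry:
    """Split one access-log line into its eleven fields."""
    tokens = line.split()
    if len(tokens) != EXPECTED_TOKENS:
        raise ValueError(f"expected {EXPECTED_TOKENS} fields, got {len(tokens)}: {line!r}")
    ts, method, orig, path, _resp_path, _proto, code, flags, details, host, cluster = tokens
    return AccessLogEntry(ts.strip("[]"), method, orig, path, int(code),
                          flags, details, host, cluster)


def requested_path(entry: AccessLogEntry) -> str:
    """Path the client sent: the pre-rewrite path when present, else :path."""
    return entry.original_path if entry.original_path != "-" else entry.path


def waf_intervened(entry: AccessLogEntry) -> bool:
    """True when ModSecurity denied the request (UAEX flag plus an Access_denied detail)."""
    return entry.response_flags == "UAEX" and "ModSecurity:_Access_denied" in entry.details


def matched_rule_id(entry: AccessLogEntry) -> Optional[str]:
    """Rule id quoted in the ModSecurity detail, e.g. [id_"1"] -> "1"."""
    match = re.search(r'\[id_"(\d+)"\]', entry.details)
    return match.group(1) if match else None


def reached_upstream(entry: AccessLogEntry) -> bool:
    """True when Envoy proxied the request, i.e. no filter short-circuited it."""
    return entry.details == "via_upstream" and entry.upstream_host != "-"


def audit(lines: List[str], must_block: bool) -> List[str]:
    """One finding per line whose WAF outcome contradicts the rule set.

    must_block=True means every sampled request comes from an address that
    is NOT in the rule's ipMatch list, so each one should have been denied;
    a 200 that reached the upstream is the silent failure in the report.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if must_block and not waf_intervened(entry):
            findings.append(f"{requested_path(entry)}: expected WAF deny, got "
                            f"{entry.response_code} ({entry.details})")
        elif not must_block and waf_intervened(entry):
            findings.append(f"{requested_path(entry)}: unexpected WAF deny by rule "
                            f"{matched_rule_id(entry)}")
    return findings


# The two outcomes quoted in the issue: the ConfigMap-on-Gateway attempt that
# was proxied (200) and the VirtualService run that was denied (403).
ISSUE_LOGS = [
    "[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream 192.168.12.227:8080 default-petstore-8080_gloo-system",
    """[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - default-petstore-8080_gloo-system""",
]

if __name__ == "__main__":
    for finding in audit(ISSUE_LOGS, must_block=True):
        print(finding)
```

Run against a live gateway's stdout the same way (`kubectl logs` piped into `audit`) after every rollout of a WAF option: the useful signal is not the 403 you expect to see but the absence of it on a request that should have been denied.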

@htech7x htech7x added the Type: Bug Something isn't working label Apr 19, 2024
Contributor

kcbabo commented May 3, 2024

@nfuden interesting, this works from direct config or mounting from file but not from configMap?
