NAP (NGINX App Protect) provides WAF and DoS protection. It ships with NGINX Plus and is a solution for protecting applications in container environments. Most container environments use NGINX as the Ingress controller, and once you purchase an NGINX Plus license you can use NAP.
cd /var/tmp
## download the yaml files needed for NAP
git clone https://github.com/nginxinc/kubernetes-ingress/
## add the helm repo for NAP
helm repo add nginx-stable https://helm.nginx.com/stable
cd /var/tmp/kubernetes-ingress/deployments/helm-chart
git checkout v1.11.3
## edit with vi
vi values-plus.yaml
## Contents (imagePullSecretName does not matter if the Harbor project was created as Public)
controller:
  replicaCount: 1
  nginxplus: true
  image:
    repository: 10.253.106.46/ingress-nginx/nginx-plus-ingress
    tag: "1.11.3"
  service:
    externalTrafficPolicy: Cluster
  appprotect:
    ## Enable the App Protect module in the Ingress Controller.
    enable: true
  wildcardTLS:
    ## The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified.
    ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
    cert: ""
    ## The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified.
    ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
    key: ""
    ## The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified.
    ## The value must follow the following format: `<namespace>/<name>`.
    ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters.
    ## Format: <namespace>/<secret_name>
    secret: ingress-nginx/wildcard-tls
  serviceAccount:
    ## The name of the service account of the Ingress controller pods. Used for RBAC.
    ## Autogenerated if not set or set to "".
    name: ingress-nginx
  ## The name of the secret containing docker registry credentials.
  ## Secret must exist in the same namespace as the helm release.
  imagePullSecretName: "regcred"
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/cafe-ingress-ap.yaml
kubectl get pod -n ingress-nginx -o wide
## edit with vi
vi cafe-ingress-ap.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    appprotect.f5.com/app-protect-policy: "test/dataguard-alarm"
    appprotect.f5.com/app-protect-enable: "True"
    appprotect.f5.com/app-protect-security-log-enable: "True"
    appprotect.f5.com/app-protect-security-log: "test/logconf"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=SYSLOG:514"
spec:
  ingressClassName: nginx # use only with k8s version >= 1.18.0
  tls:
  - hosts:
    - cafe.vcf.local ## change to the same domain as the certificate
  rules:
  - host: cafe.vcf.local ## change to the same domain as the certificate
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
## syslog service ip
SYSLOG_IP=10.101.182.155
vi cafe-ingress-ap.yaml
sed -e "s/SYSLOG/$SYSLOG_IP/" cafe-ingress-ap.yaml > cafe-ingress-ap-syslog.yaml
kubectl apply -n test -f cafe-ingress-ap-syslog.yaml
kubectl get ingress -n test
## the annotations can be checked with the following command
kubectl get ingress cafe-ingress -n test -o yaml
kubectl get pod -n ingress-nginx
Checking the logs
kubectl -n ingress-nginx exec -it syslog-65d847447d-ghbvq -- tail -f /var/log/messages
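The lines that arrive at the syslog server are NAP security-log events, one per request, in the comma-separated key="value" format produced by the log configuration referenced in the app-protect-security-log annotation. The parser below is an added example, not part of this post or of NAP itself; it assumes NAP's default log format, and the sample line is constructed. Because a value such as violations can itself contain commas, the line cannot simply be split on ','; the example also flags events that raised violations but were not rejected, which is what a transparent policy like dataguard-alarm produces and what should be reviewed before switching to blocking.

```python
import re
from typing import Dict, List

# Constructed sample of a NAP security-log line in the default
# key="value",key="value" format (values are made up for illustration;
# real lines arrive at the syslog destination set in the Ingress annotation).
SAMPLE_LINE = (
    'attack_type="Information Leakage",date_time="2021-05-01 10:00:00",'
    'ip_client="10.244.1.7",method="GET",policy_name="dataguard-alarm",'
    'request_status="alerted",response_code="200",severity="Critical",'
    'support_id="12345678901234567890",uri="/coffee",'
    'violations="VIOL_DATA_GUARD,VIOL_RATING_THREAT",outcome="PASSED",'
    'outcome_reason="SECURITY_WAF_OK",x_forwarded_for_header_value="N/A"'
)

# Matches one key="value" pair; the value may contain commas (and escaped
# quotes), so the whole line cannot be split on ',' directly.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_nap_log(line: str) -> Dict[str, str]:
    """Parse one NAP security-log line into a dict of field -> value."""
    return {key: value for key, value in _PAIR.findall(line)}


def violations(fields: Dict[str, str]) -> List[str]:
    """Return the violation names raised for the request (empty if none)."""
    raw = fields.get("violations", "")
    return [name for name in raw.split(",") if name]


def needs_attention(fields: Dict[str, str]) -> bool:
    """True when the request raised violations but was not rejected.

    A transparent (alarm-only) policy such as 'dataguard-alarm' reports
    violations with outcome PASSED instead of REJECTED; those events are
    the ones to review before moving the policy to blocking mode.
    """
    return bool(violations(fields)) and fields.get("outcome") != "REJECTED"


if __name__ == "__main__":
    event = parse_nap_log(SAMPLE_LINE)
    print(event["support_id"], event["uri"], violations(event),
          needs_attention(event))
```

The support_id field is the value to quote when looking the same request up in the NAP logs later.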
5. ELK
To present the logs in a more visible way, set up ELK.
5.1. Elastic integration
Logstash is configured on port 5144 because 514 is a well-known (privileged) port, so it was changed to 5144 when setting up Logstash.
Logstash YAML file: logstash_test.yaml.
In the Ingress configuration, set the syslog server to the Logstash cluster IP.