Is it possible to inject a WAF sidecar in the Istio Ingress Gateway deployment?
Currently the default Istio Ingress-gateway setup looks like this.
I want to inject a ModSecurity Docker container as a sidecar proxy into the Istio Ingress Gateway deployment itself and bring in the WAF functionality. What’s the right way to do it?
I tried to manually modify the istio-ingressgateway Deployment to inject the ModSecurity sidecar and also update the istio-ingressgateway Service to point to the ModSecurity container first. But it seems the ModSec pod cannot route traffic to the Envoy container correctly. It shows a 500 error message.
containers:
# ModSecurity WAF sidecar, added by hand to the gateway Deployment
- name: modsecurity-apache
  image: owasp/modsecurity-crs:v3.2-modsec2-apache
  ports:
  - containerPort: 7070
  env:
  - name: SETPROXY
    value: "True"
  # forward inspected requests to Envoy on the pod's loopback
  - name: PROXYLOCATION
    value: "http://127.0.0.1:8080/"
# the existing istio-proxy (Envoy) container; rest of its spec unchanged
- args:
  - proxy
  - router
  ...
  ...
After I deploy this config it shows an error message in the logs saying that port 7070 is already in use. Initially I thought it conflicted with one of Envoy's ports, since they are both running in the same pod. So I built a custom image and changed the port to something completely random, but it still shows the same error message!
Does the Envoy in the istio-ingressgateway listen on all ports of the pod, or something? I am not sure what to try anymore. Any hint would really help.
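An added example of the wiring the question is after, written here as an illustration and not taken from the question, from Istio, or from the OWASP ModSecurity project. It uses strategic merge patches so the rendered istio-ingressgateway manifest is not hand-edited, and it puts the Gateway on the port Envoy actually binds. Everything below rests on assumptions that must be checked against the cluster: the gateway's Envoy is assumed to serve plain HTTP on 8080 (Istio's default targetPort for Service port 80), the WAF is assumed to take its listen port from a `PORT` environment variable (this image tag defaults to 80), and Istio is assumed to resolve a Gateway server port to the targetPort of the matching Service port, which is why the Gateway declares 8080 rather than 80. The file names, the `http-waf` port name and the `waf-fronted-gateway` name are made up for the example.

```yaml
# Added example (not the question's config, not Istio's or OWASP's own).
# Assumed ports: Envoy plain-HTTP listener on 8080, ModSecurity on 7070.

# 1) waf-deploy-patch.yaml  (hypothetical file name)
#    kubectl -n istio-system patch deployment istio-ingressgateway \
#        --patch-file waf-deploy-patch.yaml
# containers[] merges by name, so this adds the WAF and leaves istio-proxy as rendered.
spec:
  template:
    spec:
      containers:
      - name: modsecurity-apache
        image: owasp/modsecurity-crs:v3.2-modsec2-apache
        ports:
        - name: http-waf
          containerPort: 7070
        env:
        - name: PORT                  # assumed: image binds Apache to $PORT (image default 80)
          value: "7070"
        - name: SETPROXY
          value: "True"
        - name: PROXYLOCATION         # Envoy in the same pod, reached over the pod loopback
          value: "http://127.0.0.1:8080/"
        - name: PARANOIA              # CRS paranoia level; start low, raise after tuning
          value: "1"
        readinessProbe:
          tcpSocket:
            port: 7070
          initialDelaySeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
---
# 2) waf-svc-patch.yaml  (hypothetical file name)
#    kubectl -n istio-system patch service istio-ingressgateway \
#        --patch-file waf-svc-patch.yaml
# Service ports[] merges by port number: external :80 now lands on the WAF, not on Envoy.
spec:
  ports:
  - port: 80
    targetPort: 7070
---
# 3) Gateway: declare the port Envoy must bind, not the external Service port.
#    Assumed Istio behaviour: a Gateway server port is resolved to the targetPort
#    of the matching Service port. With Service port 80 now targeting 7070, a
#    server on port 80 would make Envoy try to bind 7070 as well, colliding with
#    the WAF. A server on 8080 (no matching Service port) is bound directly,
#    which is where PROXYLOCATION points.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: waf-fronted-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "*"
```

Two checks are worth running before trusting any of this. First, list what Envoy really binds in the pod, via its admin endpoint on the localhost-only port 15000: `kubectl -n istio-system exec deploy/istio-ingressgateway -c istio-proxy -- curl -s localhost:15000/listeners`; any WAF port that appears in that output will collide regardless of which number is chosen. Second, read the WAF container's own log (`kubectl -n istio-system logs deploy/istio-ingressgateway -c modsecurity-apache`) to confirm Apache bound the intended port before looking for 500s. Note also that if Istio is managed by the operator or re-rendered with `istioctl`, the patched Deployment and Service will be overwritten on the next reconcile, so the same additions need to live in the IstioOperator overlay for the ingress component to survive an upgrade.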