Is it possible to inject a WAF sidecar in the Istio Ingress Gateway deployment?
Currently the default Istio Ingress-gateway setup looks like this.
I want to inject a ModSecurity Docker container as a sidecar proxy into the Istio Ingress-Gateway deployment itself and bring in the WAF functionality. What's the right way to do it?
I tried to manually modify the istio-ingressgateway Deployment to inject the ModSecurity sidecar and also update the istio-ingressgateway Service to point to the ModSecurity container first. But it seems the ModSec pod cannot route traffic to the Envoy container correctly. It shows a 500 error message.
containers:
- name: modsecurity-apache
  image: owasp/modsecurity-crs:v3.2-modsec2-apache
  ports:
  - containerPort: 7070
  env:
  - name: SETPROXY
    value: "True"
  - name: PROXYLOCATION
    value: "http://127.0.0.1:8080/"
- args:
  - proxy
  - router
  ...
...
After I deploy this config it shows an error message in the logs saying the port 7070 is already in use. Initially I thought it conflicts with one of the ports of Envoy since they are both running on the same pod. So I built a custom image and changed the port to something completely random, but it still shows the same error message!
Does the Envoy in the istio-ingressgateway listen on all ports of the pod or something? I am not sure what to try anymore. Any hint would really help.
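For reference, here is an added example (not from the question above and not Istio's or OWASP's own manifests) of the two patches such a setup needs: the WAF container is given its own listening port and placed in front of Envoy, and the gateway Service's port 80 is retargeted at it. It assumes Istio's default gateway Service maps port 80 to targetPort 8080 (Envoy's plain-HTTP listener) and that the owasp/modsecurity-crs image honours a PORT variable to choose the port Apache listens on; check both against your installed versions.

```yaml
# Strategic-merge patch for the Deployment: add the WAF container.
# Assumption: the image reads PORT to pick Apache's listen port, so the
# containerPort declared below is the port the process actually binds.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  template:
    spec:
      containers:
      - name: modsecurity-apache
        image: owasp/modsecurity-crs:v3.2-modsec2-apache
        env:
        - name: PORT              # bind the WAF to 7070, not the image default
          value: "7070"
        - name: SETPROXY
          value: "True"
        - name: PROXYLOCATION     # Envoy's HTTP listener in the same pod
          value: "http://127.0.0.1:8080/"
        ports:
        - name: waf
          containerPort: 7070
        readinessProbe:           # keep the pod out of rotation until the WAF is up
          tcpSocket:
            port: 7070
          initialDelaySeconds: 5
---
# Patch for the Service: external port 80 now lands on the WAF first.
# Assumption: the default entry is targetPort 8080 (Envoy); 443 is left on
# Envoy because this WAF container only terminates plaintext HTTP.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  ports:
  - name: http2
    port: 80
    targetPort: 7070
```

Apply each document with `kubectl -n istio-system patch deployment istio-ingressgateway --patch "$(cat waf-deploy.yaml)"` and the Service equivalent, then confirm with `kubectl -n istio-system get pod -l istio=ingressgateway -o jsonpath='{.items[*].spec.containers[*].ports}'` that only the WAF container declares 7070. Direct edits to these objects are overwritten by the next istioctl or operator reconcile, so express them as an IstioOperator overlay once they work.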