Description
```
Resource: "networking.k8s.io/v1, Resource=ingresses", GroupVersionKind: "networking.k8s.io/v1, Kind=Ingress" Name: "xxx", Namespace: "yyy" for: "a1a.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://nginx-ingress-nginx-controller-admission.nginx.svc:443/networking/v1/ingresses?timeout=30s": net/http: request canceled (Client.Timeout exceeded while awaiting headers)
```
Sample ModSecurity rules defined in the ingress annotations:

```yaml
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
  SecRuleEngine On
  SecRequestBodyAccess Off
  SecRule REQUEST_COOKIES_NAMES "@contains JSESSIONID" "id:51,allow,ctl:ruleRemovebyID=932100,ctl:ruleRemovebyID=942430,ctl:ruleRemovebyID=942440,ctl:ruleRemovebyID=942450"
  SecRule ARGS_NAMES "@contains routineArgs" "id:52,allow,ctl:ruleRemovebyID=942110,ctl:ruleRemovebyID=942370"
  SecRule ARGS_NAMES "@contains LogicalScreenModel[1].IRIS" "id:53,allow,ctl:ruleRemovebyID=920230,ctl:ruleRemovebyID=942190,ctl:ruleRemovebyID=942400,ctl:ruleRemovebyID=942430"
  SecRule ARGS_NAMES "@contains ARGS" "id:54,allow,ctl:ruleRemovebyID=942200,ctl:ruleRemovebyID=942110"
  SecRule ARGS_NAMES "@contains code" "id:55,allow,ctl:ruleRemovebyID=942430"
  SecRule REQUEST_HEADERS_NAMES "@contains host" "id:56,allow,ctl:ruleRemovebyID=931130"
  SecRule ARGS_NAMES "@contains $select" "id:57,allow,ctl:ruleRemovebyID=942360"
  SecRule ARGS_NAMES "@contains baseIdToVersionMap" "id:58,allow,ctl:ruleRemovebyID=942200,ctl:ruleRemovebyID=942260,ctl:ruleRemovebyID=942330,ctl:ruleRemovebyID=942340,ctl:ruleRemovebyID=942370"
  SecRule REQUEST_COOKIES_NAMES "@contains user_to_recent_app_map" "id:59,allow,ctl:ruleRemovebyID=942200,ctl:ruleRemovebyID=942260,ctl:ruleRemovebyID=942330,ctl:ruleRemovebyID=942340,ctl:ruleRemovebyID=942370"
  SecRule REQUEST_URI "@contains .profile" "id:60,allow"
  SecRule ARGS_NAMES "@beginsWith attributeListView" "id:61,allow"
  SecRuleRemoveById 913101 920300 942430 930130
```
This does not consistently happen on the same ingress; it happens when 6 or more ingress.yaml files are applied. No ingress has more than 6 paths defined.

If the webhook validation is turned off, the ingresses get applied, but the nginx pod ends up in CrashLoopBackOff with the pod logs below:
```
"New leader elected" identity="nginx-ingress-nginx-controller-7794c6bf65-vxwcm"
I1230 15:28:52.859767 6 sigterm.go:36] "Received SIGTERM, shutting down"
I1230 15:28:52.859806 6 nginx.go:393] "Shutting down controller queues"
I1230 15:28:52.876000 6 nginx.go:401] "Stopping admission controller"
E1230 15:28:52.876089 6 nginx.go:340] "Error listening for TLS connections" err="http: Server closed"
I1230 15:28:52.876100 6 nginx.go:409] "Stopping NGINX process"
E1230 15:28:52.932112 6 controller.go:208] Unexpected failure reloading the backend:
signal: terminated
E1230 15:28:52.932235 6 queue.go:131] "requeuing" err=<
signal: terminated
"Stopping admission controller"
E1230 15:19:35.638124 7 nginx.go:340] "Error listening for TLS connections" err="http: Server closed"
I1230 15:19:35.638133 7 nginx.go:409] "Stopping NGINX process"
W1230 15:19:39.035919 7 controller.go:244] Dynamic reconfiguration failed (retrying; 5 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
E1230 15:19:48.011109 7 queue.go:76] "queue has been shutdown, failed to enqueue" key="&ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ManagedFields:[]ManagedFieldsEntry{},}"
W1230 15:19:52.868706 7 controller.go:244] Dynamic reconfiguration failed (retrying; 4 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
2024/12/30 15:19:35 [notice] 4580#4580: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 24802/0/0)
2024/12/30 15:19:35 [notice] 4580#4580: signal process started
signal process started
E1230 15:20:48.011198 7 queue.go:76] "queue has been shutdown, failed to enqueue" key="&ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ManagedFields:[]ManagedFieldsEntry{},}"
```
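As an added triage helper (not part of this issue or of ingress-nginx), the following Python scans a controller log for the signals quoted above: the inline ModSecurity rule count, failed dynamic reconfiguration POSTs to 127.0.0.1:10246, and a SIGTERM arriving while a reload is still in progress. The sample lines are constructed from the excerpt in this issue; the 10000-rule warning threshold is an assumption.

```python
import re

# Constructed sample lines, modelled on the controller output quoted in this issue
SAMPLE_LOG = """\
2024/12/30 15:19:35 [notice] 4580#4580: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 24802/0/0)
W1230 15:19:39.035919 7 controller.go:244] Dynamic reconfiguration failed (retrying; 5 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
W1230 15:19:52.868706 7 controller.go:244] Dynamic reconfiguration failed (retrying; 4 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
I1230 15:28:52.859767 6 sigterm.go:36] "Received SIGTERM, shutting down"
E1230 15:28:52.932112 6 controller.go:208] Unexpected failure reloading the backend:
"""

MODSEC_RE = re.compile(r"rules loaded inline/local/remote: (\d+)/(\d+)/(\d+)")
RECONF_RE = re.compile(r"Dynamic reconfiguration failed \(retrying; (\d+) retries left\)")

def triage(log_text, inline_rule_warn=10000):
    """Summarise the restart-relevant events in an ingress-nginx controller log."""
    summary = {
        "sigterm": False,            # controller was told to shut down
        "reload_failed": False,      # a backend reload reported a failure
        "reconfig_failures": 0,      # POSTs to the local :10246 config endpoint that failed
        "min_retries_left": None,    # lowest retry budget seen for dynamic reconfiguration
        "modsec_inline_rules": [],   # rule counts reported by ModSecurity-nginx per load
        "findings": [],
    }
    for line in log_text.splitlines():
        if "Received SIGTERM" in line:
            summary["sigterm"] = True
        if "Unexpected failure reloading the backend" in line:
            summary["reload_failed"] = True
        m = RECONF_RE.search(line)
        if m:
            summary["reconfig_failures"] += 1
            left = int(m.group(1))
            cur = summary["min_retries_left"]
            summary["min_retries_left"] = left if cur is None else min(cur, left)
        m = MODSEC_RE.search(line)
        if m:
            summary["modsec_inline_rules"].append(int(m.group(1)))
    if summary["reconfig_failures"]:
        summary["findings"].append("config endpoint 127.0.0.1:10246 refused connections: nginx not serving after reload")
    if any(n >= inline_rule_warn for n in summary["modsec_inline_rules"]):
        summary["findings"].append("large inline ModSecurity rule set loaded (check the per-ingress CRS Include)")
    if summary["sigterm"] and summary["reload_failed"]:
        summary["findings"].append("SIGTERM arrived while a reload was in progress (check what sent it, e.g. probe timing)")
    return summary

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```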
How can nginx with ModSecurity be implemented so that this does not happen?