
Investigate duplicate rule error when switching modsec ingress controller #3807

Closed
5 tasks
poornima-krishnasamy opened this issue May 19, 2022 · 4 comments

Comments

@poornima-krishnasamy
Contributor

poornima-krishnasamy commented May 19, 2022

Background

When switching the modsec ingress controller using the runbook https://runbooks.cloud-platform.service.justice.gov.uk/Switch-ingress-to-v1-ingress-controller.html#resources-deployed-using-helm-chart, we found that if any of the modsec rules in the ingress manifest as part of snippet are also present in the https://github.com/ministryofjustice/cloud-platform-terraform-ingress-controller/blob/main/templates/modsecurity.conf, the ingress cannot be switched to modsec ingress controller.

The example manifest used for testing is

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: helloworld-second
  annotations:
    external-dns.alpha.kubernetes.io/set-identifier: heloworld-second-poornima-dev-green
    external-dns.alpha.kubernetes.io/aws-weight: "100"
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=6,setvar:tx.outbound_anomaly_score_threshold=4"
      SecRuleUpdateActionById 949110 "t:none,deny,status:423,logdata:%{SERVER_NAME}"
      SecRuleUpdateActionById 959100 "t:none,deny,status:423,logdata:%{SERVER_NAME}"
      SecRuleRemoveById 921110
      SecRuleRemoveById 200003
      SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" "id:200004,phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
spec:
  ingressClassName: modsec
  tls:
  - hosts:
    - helloworld-rubyapp.apps.yy-0205-0000.cloud-platform.service.justice.gov.uk
  rules:
  - host: helloworld-rubyapp.apps.yy-0205-0000.cloud-platform.service.justice.gov.uk
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: rubyapp-service
            port:
              number: 4567

And the same rule id 200004 is present in the ingress-controller modsecurity.conf.
The error we got is

nginx: [emerg] "content_by_lua_block" directive Rule id: 200004 is duplicated

Investigate why the global rules are not overwritten by the custom snippet rules and are instead treated as duplicates.

Slack thread: https://mojdt.slack.com/archives/C514ETYJX/p1652963302824809

Definition of done

  • Fixed the modsec ingress controller configuration to handle this scenario
  • readme has been updated
  • user docs have been updated
  • another team member has reviewed
  • smoke tests are green

Reference

How to write good user stories
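A pre-deployment check for the clash described in this issue, added here as an example and not code from the issue or from the cloud-platform-terraform-ingress-controller project: it parses a controller-wide ModSecurity config and a per-ingress modsecurity-snippet, collects the ids that SecRule and SecAction directives define (SecRuleRemoveById and SecRuleUpdateActionById only reference existing ids, so they are not counted), and reports any id defined in both, which is exactly what nginx rejects with "Rule id: N is duplicated". Both inputs are constructed samples; the global config is a stand-in for the project's modsecurity.conf, not a copy of it.

```python
import re

# Constructed stand-in for the controller-wide modsecurity.conf (not the project's file).
GLOBAL_CONF = """\
SecRuleEngine On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\\+|/)|text/)xml" \\
  "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQBODY_ERROR "!@eq 0" "id:200002,phase:2,t:none,log,deny,status:400"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" "id:200004,phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
"""

# Constructed ingress snippet, shaped like the manifest in the issue: it re-defines
# rule 200004, which the global config already defines.
SNIPPET = """\
SecRuleEngine On
SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=6"
SecRuleUpdateActionById 949110 "t:none,deny,status:423,logdata:%{SERVER_NAME}"
SecRuleRemoveById 921110
SecRuleRemoveById 200003
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" "id:200004,phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
"""

_CONTINUATION = re.compile(r"\\\s*$")          # trailing backslash joins the next line
_DEFINING_DIRECTIVES = ("SecRule", "SecAction")  # the only directives that create a rule id
_ID_ACTION = re.compile(r"(?<![A-Za-z_])id:\s*'?(\d+)'?")


def _logical_lines(text):
    """Yield directives with backslash continuations joined; blanks and comments dropped."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if _CONTINUATION.search(line):
            buf.append(_CONTINUATION.sub("", line))
            continue
        buf.append(line)
        joined = " ".join(part.strip() for part in buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield joined
    if buf:  # file ended inside a continuation
        joined = " ".join(part.strip() for part in buf).strip()
        if joined and not joined.startswith("#"):
            yield joined


def defined_rule_ids(text):
    """Map rule id -> directive for every SecRule/SecAction that defines an id.

    SecRuleRemoveById / SecRuleUpdateActionById are skipped on purpose: they refer to
    an id defined elsewhere and do not create a second definition.
    """
    ids = {}
    for line in _logical_lines(text):
        directive = line.split(None, 1)[0]
        if directive not in _DEFINING_DIRECTIVES:
            continue
        match = _ID_ACTION.search(line)
        if match:
            ids.setdefault(int(match.group(1)), line)
    return ids


def find_duplicate_ids(global_conf, snippet):
    """Sorted list of ids that both the global config and the snippet define."""
    return sorted(set(defined_rule_ids(global_conf)) & set(defined_rule_ids(snippet)))


if __name__ == "__main__":
    for rule_id in find_duplicate_ids(GLOBAL_CONF, SNIPPET):
        print(f"rule id {rule_id} is defined in both the global config and the snippet")
```

Running it on the constructed inputs reports 200004 only: the snippet's SecRuleRemoveById 200003 and SecRuleUpdateActionById 949110 are references, not definitions, so they never trigger the check. A rule that must live in the snippet therefore needs an id that the controller-wide config does not already define, or the definition has to be kept in one place only.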

@vijay-veeranki
Contributor

Maybe this is the cause of this issue; it was released in v1.1.1:
kubernetes/ingress-nginx#8021

and this kubernetes/ingress-nginx#8388

@vijay-veeranki vijay-veeranki self-assigned this May 20, 2022
@vijay-veeranki
Contributor

vijay-veeranki commented May 24, 2022

Duplicate error "nginx: [emerg] "content_by_lua_block" directive Rule id: 200006 is duplicated" is because we have the new rule in the config here

We reproduced duplicate errors in modsec01 ingress controller as well.

This "200006" rule id is not available in the modsec01 ingress controller, so we didn't see this error before

@vijay-veeranki
Contributor

We upgraded the chart from 4.0.19 to 4.1.1, and this modsec configuration stopped working.

config:
    enable-modsecurity: ${enable_modsec}
    enable-owasp-modsecurity-crs: ${enable_owasp}

Started a discussion here
kubernetes/ingress-nginx#8388 (comment)

@vijay-veeranki
Contributor

This PR fixed the modsec issue
https://github.com/ministryofjustice/cloud-platform-terraform-ingress-controller/pull/38/files

Setting the value below to false lets modsec block requests.

controller:
  image:
    chroot: false
