You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Restructure the Gateway WAF section per review:
- make the category an empty expansion; move its landing content to overview
- drop the Get started page; put prerequisites on each task page
- add the tech-preview banner to every page
- convert procedures to numbered steps (the tutorial is now one list)
- rename the baseline page title to name the feature
- move the plugin slot table to overview; trim the Rego example on the validation page
Copy file name to clipboardExpand all lines: calico-enterprise/threat/deploying-waf-ingress-gateway.mdx
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ This feature is tech preview. Tech preview features may be subject to significan
15
15
16
16
:::caution
17
17
18
-
This page describes the original, Gateway-wide WAF for Calico Ingress Gateway. It is superseded by [Gateway WAF](./gateway-waf/index.mdx), which adds per-route and per-namespace policies, custom rules, and compliance validation. For Gateway-wide protection equivalent to this guide, attach a `WAFPolicy` to your `Gateway` — see [Attach WAF to a route](./gateway-waf/attach-waf-to-a-route.mdx). This page will be removed in a future release.
18
+
This page describes the original, Gateway-wide WAF for Calico Ingress Gateway. It is superseded by [Gateway WAF](./gateway-waf/overview.mdx), which adds per-route and per-namespace policies, custom rules, and compliance validation. For Gateway-wide protection equivalent to this guide, attach a `WAFPolicy` to your `Gateway` — see [Attach WAF to a route](./gateway-waf/attach-waf-to-a-route.mdx). This page will be removed in a future release.
Copy file name to clipboardExpand all lines: calico-enterprise/threat/gateway-waf/attach-waf-to-a-route.mdx
+68-48Lines changed: 68 additions & 48 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,9 +4,21 @@ description: Attach a WAFPolicy to a Gateway or HTTPRoute to turn on WAF inspect
4
4
5
5
# Attach WAF to a Gateway or route
6
6
7
+
:::note
8
+
9
+
This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.
10
+
11
+
:::
12
+
7
13
Create a `WAFPolicy` in your namespace pointing at Gateway API targets — WAF inspection doesn't start automatically when the feature is enabled. It inherits the cluster baseline with namespace overrides layered on top.
8
14
9
-
**Prerequisites:** the cluster operator has created a `GlobalWAFPolicy`; you have write access to `WAFPolicy` in your namespace; a `Gateway`/`HTTPRoute` is already receiving traffic.
15
+
## Prerequisites
16
+
17
+
- The cluster operator has created the `GlobalWAFPolicy` baseline. See [Set a cluster-wide baseline for Gateway WAF](./set-a-baseline.mdx).
18
+
- You have write access to `WAFPolicy` in your namespace.
19
+
- A `Gateway` or `HTTPRoute` in your namespace is already receiving traffic.
20
+
21
+
## Choose a target
10
22
11
23
`WAFPolicy.spec.targetRefs[]` accepts two kinds of targets:
12
24
@@ -23,66 +35,74 @@ Each `targetRefs` entry generates a separate `EnvoyExtensionPolicy` (max 16 entr
23
35
24
36
:::
25
37
26
-
Attaching WAF to one `HTTPRoute`, overriding action and paranoia; the unset `coreRuleSet.state` still inherits from the baseline:
27
-
28
-
```yaml
29
-
apiVersion: applicationlayer.projectcalico.org/v3
30
-
kind: WAFPolicy
31
-
metadata:
32
-
name: payments-api-waf
33
-
namespace: payments
34
-
spec:
35
-
targetRefs:
36
-
- group: gateway.networking.k8s.io
37
-
kind: HTTPRoute
38
-
name: payments-api
39
-
action: Block # override: Block even if global baseline is Detect
40
-
coreRuleSet:
41
-
paranoiaLevel: 2# stricter than the cluster default
42
-
# coreRuleSet.state is unset → inherited from GlobalWAFPolicy
43
-
```
44
-
45
-
Apply with `kubectl apply -f wafpolicy.yaml`. For custom rules beyond the baseline, see [Write custom rules](./write-custom-rules.mdx); for inheritance details, see the [Overview](./index.mdx#inheritance-namespaces-override-they-dont-restart).
38
+
## Attach a WAFPolicy
46
39
47
-
## Conflict resolution
40
+
1. Create a `WAFPolicy` in your namespace pointing at the target. This example attaches to one `HTTPRoute`, overriding action and paranoia; the unset `coreRuleSet.state` still inherits from the baseline:
48
41
49
-
Only one `WAFPolicy` may be active per target. If two in the same namespace target the same Gateway/HTTPRoute, $[prodname] follows [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/): oldest `creationTimestamp` wins; the newer is marked `Accepted=False` reason `Conflicted`, and only the winner's directives are merged. Fix by deleting the newer policy or repointing its `targetRefs`.
42
+
```yaml
43
+
apiVersion: applicationlayer.projectcalico.org/v3
44
+
kind: WAFPolicy
45
+
metadata:
46
+
name: payments-api-waf
47
+
namespace: payments
48
+
spec:
49
+
targetRefs:
50
+
- group: gateway.networking.k8s.io
51
+
kind: HTTPRoute
52
+
name: payments-api
53
+
action: Block # override: Block even if global baseline is Detect
54
+
coreRuleSet:
55
+
paranoiaLevel: 2# stricter than the cluster default
56
+
# coreRuleSet.state is unset → inherited from GlobalWAFPolicy
57
+
```
50
58
51
-
## Verify the policy
59
+
Apply it with `kubectl apply -f wafpolicy.yaml`. For inheritance details, see the [Overview](./overview.mdx#inheritance-namespaces-override-they-dont-restart).
52
60
53
-
```bash
54
-
kubectl get wafpolicy payments-api-waf -n payments
55
-
```
61
+
1. Verify the policy was accepted and programmed:
56
62
57
-
```
58
-
NAME ACCEPTED PROGRAMMED AGE
59
-
payments-api-waf True True 45s
60
-
```
63
+
```bash
64
+
kubectl get wafpolicy payments-api-waf -n payments
65
+
```
61
66
62
-
`.status.conditions` reports `Accepted`, `Programmed`, and validation findings. Confirm Envoy Gateway received the filter with `kubectl get envoyextensionpolicies -n payments` (one per `targetRefs` entry).
67
+
```
68
+
NAME ACCEPTED PROGRAMMED AGE
69
+
payments-api-waf True True 45s
70
+
```
63
71
64
-
## Test the WAF
72
+
`.status.conditions` reports `Accepted`, `Programmed`, and validation findings. Confirm Envoy Gateway received the filter with `kubectl get envoyextensionpolicies -n payments` (one per `targetRefs` entry).
In `Detect` mode the request is allowed (200), but the WAF hit is still recorded in the `tigera_secure_ee_waf` log index (carrying `gateway_name`/`gateway_namespace`). On this release, gateway-WAF hits are not raised as Security Events — see [Observing WAF activity](./troubleshooting.mdx#observing-waf-activity).
88
+
:::tip
81
89
82
-
:::
90
+
In `Detect` mode the request is allowed (200), but the WAF hit is still recorded in the `tigera_secure_ee_waf` log index (carrying `gateway_name`/`gateway_namespace`). On this release, gateway-WAF hits are not raised as Security Events — see [Observing WAF activity](./troubleshooting.mdx#observing-waf-activity).
83
91
84
-
:::caution
92
+
:::
85
93
86
-
`ACCEPTED=False` reason `ValidationFailed` means a `GlobalWAFValidationPolicy` is blocking your config — the status message names the policy and rule. Contact your cluster operator or see [Validate configuration with Rego](./validate-config.mdx).
94
+
:::caution
87
95
88
-
:::
96
+
`ACCEPTED=False` reason `ValidationFailed` means a `GlobalWAFValidationPolicy` is blocking your config — the status message names the policy and rule. Contact your cluster operator or see [Validate configuration with Rego](./validate-config.mdx).
97
+
98
+
:::
99
+
100
+
## Conflict resolution
101
+
102
+
Only one `WAFPolicy` may be active per target. If two in the same namespace target the same Gateway/HTTPRoute, $[prodname] follows [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/): oldest `creationTimestamp` wins; the newer is marked `Accepted=False` reason `Conflicted`, and only the winner's directives are merged. Fix by deleting the newer policy or repointing its `targetRefs`.
103
+
104
+
## Next steps
105
+
106
+
-[Write custom rules with plugins](./write-custom-rules.mdx) — add app-specific detections beyond the baseline.
107
+
-[Validate configuration with Rego](./validate-config.mdx) — check the merged config against compliance guardrails.
108
+
-[Troubleshooting](./troubleshooting.mdx) — diagnose a policy that won't accept or program.
Copy file name to clipboardExpand all lines: calico-enterprise/threat/gateway-waf/enable.mdx
+50-42Lines changed: 50 additions & 42 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,62 +4,69 @@ description: Turn Gateway WAF on or off by setting the operator GatewayAPI CR's
4
4
5
5
# Enable Gateway WAF
6
6
7
+
:::note
8
+
9
+
This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.
10
+
11
+
:::
12
+
7
13
Gateway WAF is off by default. Turning it on is a one-line change to the operator's `GatewayAPI` CR — no new workload is deployed, so there's no extra resource footprint to plan for.
8
14
9
-
## Enable Gateway WAF
15
+
## Prerequisites
10
16
11
-
Edit the operator `GatewayAPI` CR named `default` and set `spec.extensions.waf.state` to `Enabled`. The default value is `Disabled`.
17
+
- $[prodname] is installed with a valid license that includes the Gateway WAF feature.
18
+
- $[prodname] Ingress Gateway is already set up. See [About Calico Ingress Gateway](../../networking/ingress-gateway/about-calico-ingress-gateway.mdx).
19
+
- Cluster-admin rights — the `GatewayAPI` CR is a cluster-scoped operator resource.
12
20
13
-
```yaml
14
-
apiVersion: operator.tigera.io/v1
15
-
kind: GatewayAPI
16
-
metadata:
17
-
name: default
18
-
spec:
19
-
extensions:
20
-
waf:
21
-
state: Enabled # default is Disabled
22
-
```
21
+
:::note
23
22
24
-
Apply it:
23
+
Customer-installed (BYO) Envoy Gateway is not supported. Gateway WAF requires the Ingress Gateway that $[prodname] manages.
25
24
26
-
```bash
27
-
kubectl apply -f - <<'EOF'
28
-
apiVersion: operator.tigera.io/v1
29
-
kind: GatewayAPI
30
-
metadata:
31
-
name: default
32
-
spec:
33
-
extensions:
34
-
waf:
35
-
state: Enabled
36
-
EOF
37
-
```
25
+
:::
38
26
39
-
The operator installs the six WAF CRDs and the validating admission webhook, and wires the WAF reconcilers into the existing `calico-kube-controllers` pod in `calico-system`. No new workload is deployed.
27
+
## Enable Gateway WAF
40
28
41
-
Confirm the six CRDs are installed:
29
+
1. Edit the operator `GatewayAPI` CR named `default` and set `spec.extensions.waf.state` to `Enabled` (the default is `Disabled`):
42
30
43
-
```bash
44
-
kubectl get crd | grep applicationlayer.projectcalico.org
The operator installs the six WAF CRDs and the validating admission webhook, and wires the WAF reconcilers into the existing `calico-kube-controllers` pod in `calico-system`. No new workload is deployed.
55
45
56
-
All six CRDs must be present before you create any WAF resources.
46
+
1. Confirm the six CRDs are installed:
57
47
58
-
:::tip
48
+
```bash
49
+
kubectl get crd | grep applicationlayer.projectcalico.org
50
+
```
59
51
60
-
To confirm the admission webhook is active, run `kubectl get validatingwebhookconfigurations | grep waf`. You should see one entry. If it is absent, check the `calico-kube-controllers` pod logs in the `calico-system` namespace.
0 commit comments