Hello!
I currently have a Kubernetes cluster with the AWS ingress controller (ALB) installed.
Additionally, I created a WAF and associated it with my application load balancer.
Now, I'm trying to configure two (or more) separate ingress objects which have different domains but use the same application load balancer (by setting the same value for alb.ingress.kubernetes.io/group.name).
Everything works fine until I try to enable WAF for only one ingress. An example config looks like the following:
First ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-without-WAF
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: alb-shared
spec:
  rules:
    - host: example-1.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: service-1
                port:
                  number: 80
Second ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-WAF
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: alb-shared
    alb.ingress.kubernetes.io/wafv2-acl-arn: "arn:aws:wafv2:AWS_REGION:ACCOUNT_ID:regional/webacl/example/WAF_ID"
spec:
  rules:
    - host: example-2.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: service-2
                port:
                  number: 80
This also works fine, but I noticed that the WAF rules affect ingress-without-WAF even though I didn't add the annotation alb.ingress.kubernetes.io/wafv2-acl-arn to ingress-without-WAF. To make sure, I intentionally made a mistake in wafv2-acl-arn for ingress-with-WAF (I used a wrong ARN) and then checked what kubectl describe shows for ingress-without-WAF:
Failed deploy model due to failed to update WAFv2 webACL association on LoadBalancer: WAFNonexistentItemException: AWS WAF couldn’t perform the operation because your resource doesn’t exist.
which in my understanding means that ingress-without-WAF uses the WAF anyway, despite the lack of the annotation.
Have I missed something, or is this the correct behavior and it cannot be separated?
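The behaviour described in the post follows from where the web ACL is attached: every Ingress with the same alb.ingress.kubernetes.io/group.name is merged into one ALB, and a WAFv2 web ACL is associated with that ALB, so it covers every host in the group. Below is an added example (not code from the post or from the AWS Load Balancer Controller): a small lint that reads Ingress manifests and reports which hosts a group's ACL actually covers, which ingresses inherit it without carrying the annotation, and whether a group declares more than one ACL (an ALB can be associated with only one). The two manifests are constructed inline to mirror the ones in the post.

```python
from collections import defaultdict

GROUP = "alb.ingress.kubernetes.io/group.name"
WAF = "alb.ingress.kubernetes.io/wafv2-acl-arn"

# Constructed sample input mirroring the two Ingress objects in the post.
SAMPLE = [
    {"metadata": {"name": "ingress-without-WAF",
                  "annotations": {GROUP: "alb-shared"}},
     "spec": {"rules": [{"host": "example-1.com"}]}},
    {"metadata": {"name": "ingress-with-WAF",
                  "annotations": {GROUP: "alb-shared",
                                  WAF: "arn:aws:wafv2:AWS_REGION:ACCOUNT_ID:regional/webacl/example/WAF_ID"}},
     "spec": {"rules": [{"host": "example-2.com"}]}},
]


def waf_coverage(ingresses):
    """Map each IngressGroup (i.e. each ALB) to the ACLs and hosts it carries."""
    groups = defaultdict(lambda: {"acls": set(), "hosts": set(), "no_annotation": []})
    for ing in ingresses:
        meta = ing["metadata"]
        ann = meta.get("annotations", {})
        # Without group.name the controller gives the Ingress its own ALB,
        # so treat the Ingress name as an implicit single-member group.
        group = ann.get(GROUP, "(implicit) " + meta["name"])
        entry = groups[group]
        for rule in ing.get("spec", {}).get("rules", []):
            if "host" in rule:
                entry["hosts"].add(rule["host"])
        if WAF in ann:
            entry["acls"].add(ann[WAF])
        else:
            entry["no_annotation"].append(meta["name"])

    report = {}
    for group, e in groups.items():
        report[group] = {
            "acls": sorted(e["acls"]),
            "hosts": sorted(e["hosts"]),
            # These ingresses are protected by the group's ACL anyway: the ACL is
            # bound to the shared ALB, not to the individual Ingress object.
            "inherits_acl": e["no_annotation"] if e["acls"] else [],
            # One ALB can hold one web ACL; two different ARNs cannot both apply.
            "conflict": len(e["acls"]) > 1,
        }
    return report
```

Running `waf_coverage(SAMPLE)` reports that ingress-without-WAF inherits the ACL of the alb-shared group; splitting the hosts into different group.name values (separate ALBs) is what makes their WAF coverage independent.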