Aws-load-balancer-controller: Specify WAF web ACL by name

Created on 11 Sep 2019 · 10 Comments · Source: kubernetes-sigs/aws-load-balancer-controller

Currently alb.ingress.kubernetes.io/waf-acl-id only supports WAF web ACL IDs (uuids). Example:

alb.ingress.kubernetes.io/waf-acl-id: 499e8b99-6671-4614-a86d-adb1810b7fbe

I'd like this to support selecting a WAF web ACL to attach by name as well. Example:

alb.ingress.kubernetes.io/waf-acl-id: my-waf-acl

The use case for this is I'd like to declare one WAF web ACL in my nonprod and prod accounts named AcmeCorpWafAcl and attach it to many nonprod and prod ALBs. I don't want each consuming application team to have to know the WAF web ACL ID in my nonprod and prod account, and also to have to make this ID a parameter to their kubernetes deployment via a helm value or whatever. To make it easier on consumers of the WAF web ACL, I'd like them to be able to simply specify the WAF web ACL name, which can be consistent in each account we run our EKS clusters in.

This setup is already supported for security groups - for alb.ingress.kubernetes.io/security-groups, both the name and the ID of security groups are supported.

All 10 comments

This is a valid use case.
I think we need to add a new annotation for this, like alb.ingress.kubernetes.io/waf-acl-name, since you can have two different web ACLs: one with ID 499e8b99-6671-4614-a86d-adb1810b7fbe and another one with name 499e8b99-6671-4614-a86d-adb1810b7fbe too.
I can do a PR later this week.
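The comment above is the reason a separate annotation is needed: the same string can be one ACL's ID and another ACL's name. As an added Go example (not the controller's own code), the resolver below keeps ID lookups and name lookups apart, accepts only a UUID-shaped value for waf-acl-id, and refuses to guess when a lookup does not match exactly one ACL; webACL, sampleACLs and resolveFromAnnotations are constructed for this example.

```go
package main

import "fmt"
import "regexp"

type webACL struct{ ID, Name string } // only the fields this example needs; not the controller's type

// Constructed data: the second ACL's name equals the first ACL's ID, the collision the thread describes.
var sampleACLs = []webACL{
	{ID: "499e8b99-6671-4614-a86d-adb1810b7fbe", Name: "AcmeCorpWafAcl"},
	{ID: "0f1e2d3c-4b5a-4697-8877-665544332211", Name: "499e8b99-6671-4614-a86d-adb1810b7fbe"},
}

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
// matchOne returns the single ACL whose key equals want; zero or several hits are an error, never a guess.
func matchOne(acls []webACL, key func(webACL) string, want, kind string) (webACL, error) {
	var hits []webACL
	for _, a := range acls {
		if key(a) == want {
			hits = append(hits, a)
		}
	}
	if len(hits) != 1 {
		return webACL{}, fmt.Errorf("web ACL %s %q matched %d ACLs, want exactly 1", kind, want, len(hits))
	}
	return hits[0], nil
}

// resolveFromAnnotations dispatches on which annotation is set, so IDs are only compared with IDs and names with names.
func resolveFromAnnotations(acls []webACL, ann map[string]string) (webACL, error) {
	id, hasID := ann["alb.ingress.kubernetes.io/waf-acl-id"]
	name, hasName := ann["alb.ingress.kubernetes.io/waf-acl-name"]
	switch {
	case hasID && hasName:
		return webACL{}, fmt.Errorf("set only one of waf-acl-id and waf-acl-name")
	case hasID && !uuidRe.MatchString(id):
		return webACL{}, fmt.Errorf("waf-acl-id %q is not a web ACL ID (uuid)", id)
	case hasID:
		return matchOne(acls, func(a webACL) string { return a.ID }, id, "ID")
	case hasName:
		return matchOne(acls, func(a webACL) string { return a.Name }, name, "name")
	}
	return webACL{}, fmt.Errorf("no WAF web ACL annotation set")
}

func main() {
	ref := "499e8b99-6671-4614-a86d-adb1810b7fbe" // the same string names two different ACLs
	fmt.Println(resolveFromAnnotations(sampleACLs, map[string]string{"alb.ingress.kubernetes.io/waf-acl-id": ref}))
	fmt.Println(resolveFromAnnotations(sampleACLs, map[string]string{"alb.ingress.kubernetes.io/waf-acl-name": ref}))
}
```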

@M00nF1sh Any progress on this PR? This would be a very useful feature for us as well.

@M00nF1sh Is this feature still planned? Would make deployment a lot easier for us as well.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Any update on this?

/remove-lifecycle stale

Hi guys,
WAF v1 has been deprecated, and we have added WAFv2 support in both v1.1.9 and the latest v2.0.0.
However, due to WAFv2's API behavior (see comment-1, comment-2), we have to use an ARN instead of a name.

Closing this issue.
