[Bug]: ApPolicy CRD missing violations #7721

Open
aknot242 opened this issue Apr 29, 2025 · 1 comment · May be fixed by #7723
Labels
backlog Pull requests/issues that are backlog items bug An issue reporting a potential bug

Comments

@aknot242
Contributor

Version

edge

What Kubernetes platforms are you running on?

Other

Steps to reproduce

  1. Create the following ApPolicy, and apply it to the cluster using kubectl

```yaml
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: blizzard-bot-exception-policy
spec:
  policy:
    name: blizzard-bot-exception-policy
    applicationLanguage: utf-8
    enforcementMode: blocking
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
    blocking-settings:
      violations:
        - name: VIOL_BOT_CLIENT
          alarm: true
          block: true
        - name: VIOL_DATA_GUARD
          alarm: true
          block: false
```

  2. Note the following error in the NIC pod log:

```
2025-04-28 20:37:12.515036: Error: UPGRADE FAILED: failed to create resource: APPolicy.appprotect.f5.com "blizzard-bot-exception-policy" is invalid: spec.policy.blocking-settings.violations[0].name: Unsupported value: "VIOL_BOT_CLIENT": supported values: "VIOL_ACCESS_INVALID", "VIOL_ACCESS_MALFORMED", "VIOL_ACCESS_MISSING", "VIOL_ACCESS_UNAUTHORIZED", "VIOL_ASM_COOKIE_HIJACKING", "VIOL_ASM_COOKIE_MODIFIED", "VIOL_BLACKLISTED_IP", "VIOL_COOKIE_EXPIRED", "VIOL_COOKIE_LENGTH", "VIOL_COOKIE_MALFORMED", "VIOL_COOKIE_MODIFIED", "VIOL_CSRF", "VIOL_DATA_GUARD", "VIOL_ENCODING", "VIOL_EVASION", "VIOL_FILE_UPLOAD", "VIOL_FILE_UPLOAD_IN_BODY", "VIOL_FILETYPE", "VIOL_GRAPHQL_ERROR_RESPONSE", "VIOL_GRAPHQL_FORMAT", "VIOL_GRAPHQL_INTROSPECTION_QUERY", "VIOL_GRAPHQL_MALFORMED", "VIOL_GRPC_FORMAT", "VIOL_GRPC_MALFORMED", "VIOL_GRPC_METHOD", "VIOL_HEADER_LENGTH", "VIOL_HEADER_METACHAR", "VIOL_HEADER_REPEATED", "VIOL_HTTP_PROTOCOL", "VIOL_HTTP_RESPONSE_STATUS", "VIOL_JSON_FORMAT", "VIOL_JSON_MALFORMED", "VIOL_JSON_SCHEMA", "VIOL_MANDATORY_HEADER", "VIOL_MANDATORY_PARAMETER", "VIOL_MANDATORY_REQUEST_BODY", "VIOL_METHOD", "VIOL_PARAMETER", "VIOL_PARAMETER_ARRAY_VALUE", "VIOL_PARAMETER_DATA_TYPE", "VIOL_PARAMETER_EMPTY_VALUE", "VIOL_PARAMETER_LOCATION", "VIOL_PARAMETER_MULTIPART_NULL_VALUE", "VIOL_PARAMETER_NAME_METACHAR", "VIOL_PARAMETER_NUMERIC_VALUE", "VIOL_PARAMETER_REPEATED", "VIOL_PARAMETER_STATIC_VALUE", "VIOL_PARAMETER_VALUE_BASE64", "VIOL_PARAMETER_VALUE_LENGTH", "VIOL_PARAMETER_VALUE_METACHAR", "VIOL_PARAMETER_VALUE_REGEXP", "VIOL_POST_DATA_LENGTH", "VIOL_QUERY_STRING_LENGTH", "VIOL_RATING_NEED_EXAMINATION", "VIOL_RATING_THREAT", "VIOL_REQUEST_LENGTH", "VIOL_REQUEST_MAX_LENGTH", "VIOL_THREAT_CAMPAIGN", "VIOL_URL", "VIOL_URL_CONTENT_TYPE", "VIOL_URL_LENGTH", "VIOL_URL_METACHAR", "VIOL_XML_FORMAT", "VIOL_XML_MALFORMED"
2025-04-28 20:37:12.524045: WARNING: Command failed. Retrying in 5 seconds.
```
@aknot242 added the bug and needs triage labels Apr 29, 2025

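
An added example (not part of the original issue and not the project's code): a Python helper that parses the API server's enum-rejection message from the NIC pod log above and lists every violation name in a policy that the installed CRD would reject. The sample log line is constructed from the one in the report with the supported-values list shortened to four entries; the function names are hypothetical.

```python
import re

# Constructed sample: the error from the report above, with the
# "supported values" list shortened to four entries for readability.
SAMPLE_LOG = (
    '2025-04-28 20:37:12.515036: Error: UPGRADE FAILED: failed to create '
    'resource: APPolicy.appprotect.f5.com "blizzard-bot-exception-policy" is '
    'invalid: spec.policy.blocking-settings.violations[0].name: Unsupported '
    'value: "VIOL_BOT_CLIENT": supported values: "VIOL_ACCESS_INVALID", '
    '"VIOL_CSRF", "VIOL_DATA_GUARD", "VIOL_XML_MALFORMED"'
)

# Shape of the message as it appears in the log: resource kind, object name,
# field path, rejected value, then the enum the CRD schema allows.
ERR_RE = re.compile(
    r'(?P<kind>[\w.]+) "(?P<name>[^"]+)" is invalid: '
    r'(?P<field>\S+): Unsupported value: "(?P<value>[^"]+)": '
    r'supported values: (?P<allowed>.+)$'
)


def parse_enum_rejection(line):
    """Return kind, name, field, value and the allowed set, or None."""
    match = ERR_RE.search(line.strip())
    if match is None:
        return None
    parsed = match.groupdict()
    parsed["allowed"] = set(re.findall(r'"([^"]+)"', parsed["allowed"]))
    return parsed


def rejected_violations(names, allowed):
    """Violation names from a policy that are absent from the CRD enum."""
    return [name for name in names if name not in allowed]


if __name__ == "__main__":
    err = parse_enum_rejection(SAMPLE_LOG)
    # Names taken from blocking-settings.violations in the manifest above.
    policy_names = ["VIOL_BOT_CLIENT", "VIOL_DATA_GUARD"]
    print(err["field"], "rejected", err["value"])
    print("not in CRD enum:", rejected_violations(policy_names, err["allowed"]))
```

Feeding the full log line instead of the shortened sample checks a policy against the complete enum the cluster's CRD currently enforces.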
Hi @aknot242 thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@aknot242 aknot242 linked a pull request Apr 29, 2025 that will close this issue
@vepatel added the backlog label and removed the needs triage label May 6, 2025
@vepatel moved this from Todo ☑ to Prioritized backlog in NGINX Ingress Controller May 6, 2025
aknot242 added a commit to aknot242/kubernetes-ingress that referenced this issue May 19, 2025
aknot242 added a commit to aknot242/kubernetes-ingress that referenced this issue May 20, 2025