If the AWS resource is an Application Load Balancer (ALB) created by the AWS Load Balancer Controller in Amazon Elastic Kubernetes Service (EKS), an association between a web ACL and that ALB made in the AWS WAF console can be automatically dropped when the Amazon EKS cluster is modified and redeployed, because the controller rebuilds the ALB configuration from the Ingress definition rather than from the console.
When an Amazon EKS cluster is used, the problem is solved by adding the web ACL ARN as an annotation on the ALB Ingress created in the EKS cluster, so that the Web ACL and the AWS resource are connected through the Ingress itself.
Choose one of the two methods below for adding the web ACL ARN annotation to the ALB Ingress.
[Advance Preparation] Copy the web ACL ARN for applying WMS, to be added to the ALB Ingress
How to copy: AWS WAF Console -> Web ACLs tab -> select the Web ACL to associate with the resource -> click Copy ARN in the top right corner
[Setup Method 1] Declare the annotation in the YAML file, then modify and deploy.
1) Add "alb.ingress.kubernetes.io/wafv2-acl-arn: {Web ACL ARN to associate}" to the metadata -> annotations field of the Ingress object declaration in the YAML file for the connected EKS cluster
2) Apply the update (kubectl apply -f "File Name")
3) Check that the EKS cluster ALB appears as an associated resource of the Web ACL
[Setup Method 2] Use the kubectl edit command in the CLI.
1) Open the Ingress object managed by the configured AWS Load Balancer Controller for editing with kubectl: kubectl edit ingress/[Name] -n [Namespace]
2) Add "alb.ingress.kubernetes.io/wafv2-acl-arn: {Web ACL ARN to associate}" to the metadata -> annotations field and save.
3) Check that the EKS cluster ALB appears as an associated resource of the Web ACL
※ Refer to 'Add the AWS WAF web ACL ARN annotation to your ALB Ingress':
https://aws.amazon.com/premiumsupport/knowledge-center/eks-alb-ingress-aws-waf/?nc1=h_ls
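The two setup methods above, done non-interactively as an added example (not code from the original page or from AWS): the script checks that the ARN is a regional WAFv2 web ACL ARN (an ALB cannot be associated with a global, CloudFront-scope ACL), sets the annotation with kubectl, and then performs step 3 by asking WAF which web ACL is attached to the ALB. It assumes kubectl and the AWS CLI v2 are installed and authenticated; the script name attach-waf.sh and all ingress, namespace and ARN values are hypothetical arguments.

```shell
#!/bin/sh
# Added example: attach a WAFv2 web ACL to an ALB Ingress via the annotation
# described on the page, then verify the association from the WAF side.
set -eu

ANNOTATION_KEY="alb.ingress.kubernetes.io/wafv2-acl-arn"

# An ALB needs a *regional* WAFv2 web ACL ARN; global-scope ACLs are for CloudFront.
# Checking this before editing the Ingress avoids a controller reconcile error.
validate_webacl_arn() {
  case "$1" in
    arn:aws:wafv2:*:*:regional/webacl/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Region embedded in the ARN (4th colon-separated field); the ALB must live there.
arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Steps 1 and 2: add (or replace) the annotation on the Ingress object.
annotate_ingress() {
  ingress="$1"; namespace="$2"; acl_arn="$3"
  validate_webacl_arn "$acl_arn" || {
    echo "not a regional wafv2 web ACL ARN: $acl_arn" >&2; return 1; }
  kubectl annotate ingress "$ingress" -n "$namespace" --overwrite \
    "${ANNOTATION_KEY}=${acl_arn}"
}

# Step 3: resolve the ALB behind the Ingress and ask WAF which web ACL it has.
# Returns non-zero if WAF reports a different ACL (or none) than the one requested.
verify_association() {
  ingress="$1"; namespace="$2"; acl_arn="$3"
  region=$(arn_region "$acl_arn")
  dns=$(kubectl get ingress "$ingress" -n "$namespace" \
          -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
  alb_arn=$(aws elbv2 describe-load-balancers --region "$region" \
          --query "LoadBalancers[?DNSName=='${dns}'].LoadBalancerArn" --output text)
  attached=$(aws wafv2 get-web-acl-for-resource --region "$region" \
          --resource-arn "$alb_arn" --query 'WebACL.ARN' --output text)
  [ "$attached" = "$acl_arn" ] && echo "web ACL attached to ALB: $alb_arn"
}

# Usage: ./attach-waf.sh <ingress> <namespace> <web-acl-arn>
if [ "$#" -eq 3 ]; then
  annotate_ingress "$@"
  verify_association "$@"
fi
```

The controller applies the annotation asynchronously, so the verification step may need to be re-run a few seconds after the annotation is set.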