-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebACL get's disassociated right after association #490
Comments
I can confirm that this is working now, thanks @bigkraig! Bas |
Hello @smitb @bigkraig @kishorj I got a very strange behaviour of WAF v2 as well. its association with alb get removed automatically. we couldn't find what's wrong and how to prevent that from happening. any clues about this please. We're newbies and we're going on production very soon. need to figure it out. your help will be highly appreciated. JSON view |
The same problem in my system, WAF was disassociated from my load balancer by "AmazonEKSLoadBalancerControllerRole" automatically. I removed permission "waf-regional: DisassociateWebACL" and "wafv2:DisassociateWebACL". But it did not work and my WAF was still removed. |
This other issue post has helped me: Just add the following notation to your kubernetes ingress yaml definition:
|
Hi,
Evaluating the aws-alb-ingress-controller. Great work! Using beta4 an associated webacl gets disassociated right after associating:
I0726 16:00:59.013823 1 loadbalancer.go:751] [ALB-INGRESS] [test/website] [DEBUG]: WAF needs to be changed: ( != "9006a537-1905-416d-a098-7a35bfc7bdfb")
I0726 16:00:59.013939 1 loadbalancer.go:573] [ALB-INGRESS] [test/website] [INFO]: Associating 0xc0003c7550 Web ACL.
I0726 16:00:59.014099 1 session.go:35] [ALB-INGRESS] [session] [INFO]: Request: waf-regional/AssociateWebACL, Payload: { ResourceArn: "arn:aws:elasticloadbalancing:eu-central-1:434116275719:loadbalancer/app/c3a2dacb-test-website-3002/18281268ec7b94ea", WebACLId: "9006a537-1905-416d-a098-7a35bfc7bdfb"}
I0726 16:01:00.185582 1 loadbalancer.go:584] [ALB-INGRESS] [test/website] [INFO]: Disassociating Web ACL.
I0726 16:01:00.185959 1 session.go:35] [ALB-INGRESS] [session] [INFO]: Request: waf-regional/DisassociateWebACL, Payload: { ResourceArn: "arn:aws:elasticloadbalancing:eu-central-1:434116275719:loadbalancer/app/c3a2dacb-test-website-3002/18281268ec7b94ea"}
With the AWS API keys I can do lookups of the webacl with the aws commandline tool, and I'm able to associate the ACL to the ALB via the AWS API, so it looks like it it's not an acl issue.
Any idea what is missing?
Thanks in advance.
Bas
The text was updated successfully, but these errors were encountered: