You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Five pre-existing TrafficProtectionPolicy (TPP) objects on prod carry an inverted OWASP CRS paranoia configuration (blocking > detection). All were created before the CEL admission rule that now rejects this shape, so they were grandfathered in. This issue tracks notifying their owners so they self-remediate.
All five are on networking.datumapis.com, generation: 1, detection: 1 / blocking: 2 (inverted).
Why inverted paranoia is a hazard
CRS rule 901500 fails closed when the blocking paranoia level exceeds the detection paranoia level. In Enforce mode this makes the coraza WAF return HTTP 500 on 100% of traffic to every route the policy attaches to — a hard outage for the affected hostname, not a partial degradation. See #242 for the full failure signature.
Current neutralization status (verified on prod, 2026-07-13)
Good news: none of the five are currently serving 500s. NSO v0.23.12 (which includes #252) is live, and the coraza data-plane delivery path is currently inert for tenant namespaces. Two independent facts establish this:
For the remaining three, NSO did render a tpp-<name>EnvoyPatchPolicy that still embeds the inverted paranoia_level=2 / paranoia_level=1 coraza SecRules — but that patch is Accepted=False / reason=Disabled on every edge checked (ae-north-1, us-central-1, us-east-1), because EnvoyPatchPolicy is disabled in the EnvoyGateway configuration that watches the projected ns-<uid> tenant namespaces. There are zero EnvoyExtensionPolicy objects cluster-wide, so there is no alternate live WAF path. The broken patch never reaches a running Envoy.
Latent risk: those three still carry the broken config in a rendered EnvoyPatchPolicy. If EnvoyPatchPolicy is ever re-enabled for tenant namespaces — or if the coraza delivery path migrates off the disabled flag — before these TPPs are fixed, they would immediately begin 500ing. They should be remediated regardless. (Propagation-lag caveats: see #266.)
Note: the TPP .status is stripped on both the karmada aggregated read and the edge projections, so the Accepted=False/Invalid ancestor condition written by #252 could not be confirmed directly from those views; the assessment above rests on data-plane attachment state.
The five policies
Namespace / name
Project (ProjectControlPlane)
Owner
mode
det/blk
Neutralization status
ns-1b46bde2…/tunnel-72tt5
test-proj-gyrkna
personal-org-ba109032 (unknown)
Observe
1/2
Neutralized — no EPP rendered (skipped) andmode: Observe (would not block)
ns-29e6c0fd…/tunnel-2252m
personal-project-cecba11a
personal-org-cecba11a (unknown)
Enforce
1/2
Inert — inverted EPP rendered but Disabled; latent
ns-46a5d45f…/pcep-lol-hnqr6o
personal-project-4fc7cf82 (hosts pcep.lol)
personal-org-4fc7cf82 (unknown)
Enforce
1/2
Inert — inverted EPP rendered but Disabled; latent
ns-46f4e730…/rfxn-cdn-t0jxi3
personal-project-02f2388c
personal-org-02f2388c (unknown)
Enforce
1/2
Inert — inverted EPP rendered but Disabled; latent
ns-c5f1cf4e…/kev-httpbin
default-ec6p8s
Kevin Williams
Enforce
1/2
Neutralized — no EPP rendered (skipped); created after v0.23.12
Owner mapping method: ns-<uid> → ProjectControlPlane (via the meta.datumapis.com/upstream-cluster-name label on the projected object) → resourcemanager.miloapis.com/owner-name annotation. These are all personal orgs; the human behind each personal-org-<hash> is not resolvable from the infra/karmada clusters (no organizations/users API is served there). kev-httpbin is the personal project of Kevin Williams (same project as kev1n-proxy).
What owners must do
Edit the offending TPP so detection >= blocking. Concretely, under each spec.ruleSets[].owaspCoreRuleSet.paranoiaLevels, set detection to be at least blocking (e.g. detection: 2 with blocking: 2, or lower blocking to 1). Once corrected, the policy will pass validation and can safely attach and enforce.
Summary
Five pre-existing
TrafficProtectionPolicy(TPP) objects on prod carry an inverted OWASP CRS paranoia configuration (blocking > detection). All were created before the CEL admission rule that now rejects this shape, so they were grandfathered in. This issue tracks notifying their owners so they self-remediate.All five are on
networking.datumapis.com,generation: 1,detection: 1 / blocking: 2(inverted).Why inverted paranoia is a hazard
CRS rule
901500fails closed when the blocking paranoia level exceeds the detection paranoia level. InEnforcemode this makes the coraza WAF return HTTP 500 on 100% of traffic to every route the policy attaches to — a hard outage for the affected hostname, not a partial degradation. See #242 for the full failure signature.Current neutralization status (verified on prod, 2026-07-13)
Good news: none of the five are currently serving 500s. NSO
v0.23.12(which includes #252) is live, and the coraza data-plane delivery path is currently inert for tenant namespaces. Two independent facts establish this:tpp-<name>EnvoyPatchPolicyfor them at all.tpp-<name>EnvoyPatchPolicythat still embeds the invertedparanoia_level=2 / paranoia_level=1coraza SecRules — but that patch isAccepted=False / reason=Disabledon every edge checked (ae-north-1, us-central-1, us-east-1), becauseEnvoyPatchPolicyis disabled in the EnvoyGateway configuration that watches the projectedns-<uid>tenant namespaces. There are zeroEnvoyExtensionPolicyobjects cluster-wide, so there is no alternate live WAF path. The broken patch never reaches a running Envoy.Latent risk: those three still carry the broken config in a rendered
EnvoyPatchPolicy. IfEnvoyPatchPolicyis ever re-enabled for tenant namespaces — or if the coraza delivery path migrates off the disabled flag — before these TPPs are fixed, they would immediately begin 500ing. They should be remediated regardless. (Propagation-lag caveats: see #266.)Note: the TPP
.statusis stripped on both the karmada aggregated read and the edge projections, so theAccepted=False/Invalidancestor condition written by #252 could not be confirmed directly from those views; the assessment above rests on data-plane attachment state.The five policies
ns-1b46bde2…/tunnel-72tt5test-proj-gyrknapersonal-org-ba109032(unknown)mode: Observe(would not block)ns-29e6c0fd…/tunnel-2252mpersonal-project-cecba11apersonal-org-cecba11a(unknown)Disabled; latentns-46a5d45f…/pcep-lol-hnqr6opersonal-project-4fc7cf82(hostspcep.lol)personal-org-4fc7cf82(unknown)Disabled; latentns-46f4e730…/rfxn-cdn-t0jxi3personal-project-02f2388cpersonal-org-02f2388c(unknown)Disabled; latentns-c5f1cf4e…/kev-httpbindefault-ec6p8sv0.23.12Owner mapping method:
ns-<uid>→ProjectControlPlane(via themeta.datumapis.com/upstream-cluster-namelabel on the projected object) →resourcemanager.miloapis.com/owner-nameannotation. These are all personal orgs; the human behind eachpersonal-org-<hash>is not resolvable from the infra/karmada clusters (no organizations/users API is served there).kev-httpbinis the personal project of Kevin Williams (same project askev1n-proxy).What owners must do
Edit the offending TPP so detection >= blocking. Concretely, under each
spec.ruleSets[].owaspCoreRuleSet.paranoiaLevels, setdetectionto be at leastblocking(e.g.detection: 2withblocking: 2, or lowerblockingto1). Once corrected, the policy will pass validation and can safely attach and enforce.References
v0.23.12)