Skip to content

Notify owners of 5 pre-existing inverted-paranoia TrafficProtectionPolicies (remediate blocking<=detection) #267

Description

@ecv

Summary

Five pre-existing TrafficProtectionPolicy (TPP) objects on prod carry an inverted OWASP CRS paranoia configuration (blocking > detection). All were created before the CEL admission rule that now rejects this shape, so they were grandfathered in. This issue tracks notifying their owners so they self-remediate.

All five are on networking.datumapis.com, generation: 1, detection: 1 / blocking: 2 (inverted).

Why inverted paranoia is a hazard

CRS rule 901500 fails closed when the blocking paranoia level exceeds the detection paranoia level. In Enforce mode this makes the coraza WAF return HTTP 500 on 100% of traffic to every route the policy attaches to — a hard outage for the affected hostname, not a partial degradation. See #242 for the full failure signature.

Current neutralization status (verified on prod, 2026-07-13)

Good news: none of the five are currently serving 500s. NSO v0.23.12 (which includes #252) is live, and the coraza data-plane delivery path is currently inert for tenant namespaces. Two independent facts establish this:

  1. fix: flag inverted TrafficProtectionPolicy paranoia levels via status condition #252 skip-attachment is working for the newest/reconciled policies: NSO renders no tpp-<name> EnvoyPatchPolicy for them at all.
  2. For the remaining three, NSO did render a tpp-<name> EnvoyPatchPolicy that still embeds the inverted paranoia_level=2 / paranoia_level=1 coraza SecRules — but that patch is Accepted=False / reason=Disabled on every edge checked (ae-north-1, us-central-1, us-east-1), because EnvoyPatchPolicy is disabled in the EnvoyGateway configuration that watches the projected ns-<uid> tenant namespaces. There are zero EnvoyExtensionPolicy objects cluster-wide, so there is no alternate live WAF path. The broken patch never reaches a running Envoy.

Latent risk: those three still carry the broken config in a rendered EnvoyPatchPolicy. If EnvoyPatchPolicy is ever re-enabled for tenant namespaces — or if the coraza delivery path migrates off the disabled flag — before these TPPs are fixed, they would immediately begin 500ing. They should be remediated regardless. (Propagation-lag caveats: see #266.)

Note: the TPP .status is stripped on both the karmada aggregated read and the edge projections, so the Accepted=False/Invalid ancestor condition written by #252 could not be confirmed directly from those views; the assessment above rests on data-plane attachment state.

The five policies

Namespace / name Project (ProjectControlPlane) Owner mode det/blk Neutralization status
ns-1b46bde2…/tunnel-72tt5 test-proj-gyrkna personal-org-ba109032 (unknown) Observe 1/2 Neutralized — no EPP rendered (skipped) and mode: Observe (would not block)
ns-29e6c0fd…/tunnel-2252m personal-project-cecba11a personal-org-cecba11a (unknown) Enforce 1/2 Inert — inverted EPP rendered but Disabled; latent
ns-46a5d45f…/pcep-lol-hnqr6o personal-project-4fc7cf82 (hosts pcep.lol) personal-org-4fc7cf82 (unknown) Enforce 1/2 Inert — inverted EPP rendered but Disabled; latent
ns-46f4e730…/rfxn-cdn-t0jxi3 personal-project-02f2388c personal-org-02f2388c (unknown) Enforce 1/2 Inert — inverted EPP rendered but Disabled; latent
ns-c5f1cf4e…/kev-httpbin default-ec6p8s Kevin Williams Enforce 1/2 Neutralized — no EPP rendered (skipped); created after v0.23.12

Owner mapping method: ns-<uid>ProjectControlPlane (via the meta.datumapis.com/upstream-cluster-name label on the projected object) → resourcemanager.miloapis.com/owner-name annotation. These are all personal orgs; the human behind each personal-org-<hash> is not resolvable from the infra/karmada clusters (no organizations/users API is served there). kev-httpbin is the personal project of Kevin Williams (same project as kev1n-proxy).

What owners must do

Edit the offending TPP so detection >= blocking. Concretely, under each spec.ruleSets[].owaspCoreRuleSet.paranoiaLevels, set detection to be at least blocking (e.g. detection: 2 with blocking: 2, or lower blocking to 1). Once corrected, the policy will pass validation and can safely attach and enforce.

References

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions