nginxinc · vepatel · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023
@@ -105,6 +105,8 @@ If you are installing the CRDs this way, ensure that you have first [cloned the
     ```
 ### Optional custom resource definitions
 
+{{<  note >}} This step can be skipped if you are using App Protect WAF module with policy bundles. {{<  /note >}}
+
 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`:
 
     ```shell

@@ -18,7 +18,7 @@ NGINX Ingress Controller has a set of global configuration parameters that align
 
 You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis.
 
-To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy]({{< relref "configuration/policy-resource.md#waf" >}}).
+To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the `APPolicy` Custom Resource or `APPolicy` Bundle, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy]({{< relref "configuration/policy-resource.md#waf" >}}).
 
 To configure NGINX App Protect WAF on an Ingress resource, you would apply the [`app-protect` annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource.
 
@@ -207,6 +207,27 @@ spec:
   tag: Fruits
 ```
 
+## App Protect WAF Bundles
+
+You can define App Protect WAF bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller.
+
+
+For example, you can configure a policy by referencing generated WAF Policy Bundle:
+
+> **Note**: Currently we do not support `securityLogs` for policy bundles.
+```yaml
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: <policy_name>
+spec:
+  waf:
+    enable: true
+    apBundle: "<policy_bundle_name>.tgz"
+```
+
+> **Note**: Before applying the policy, a WAF Policy Bundle must be created, copied to a volume, and the volume must be mounted to `/etc/nginx/waf/bundles`.
+
 ## OpenAPI Specification in NGINX Ingress Controller
 
 The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details.

@@ -63,6 +63,31 @@ Take the steps below to set up and deploy the NGINX Ingress Controller and App P
 
 2. [Create the common Kubernetes resources]({{< relref "installation/installing-nic/installation-with-manifests.md#create-common-resources" >}}).
 3. Enable the App Protect WAF module by adding the `enable-app-protect` [cli argument]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file.
+    If you intend to use the NGINX Ingress Controller with the AppProtect WAF module and policy bundles, follow these additional steps:
+    - Skip configuring custom resource definition for `APPolicy` `APLogConf` and `APUserSig`.
+    - Create and configure [Persistent Volume and Persistent Volume Claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) in your Kubernetes cluster.
+    - Modify NGINX Ingress Controller Deployment or DaemonSet file to include volumes and volume mounts.
+
+    Make the following changes:
+        Add `volumes` section to deployment template spec:
+        ```yaml
+        ...
+        volumes:
+        - name: <volume_name>
+        persistentVolumeClaim:
+            claimName: <claim_name>
+        ...
+        ```
+        Add volume mounts to `containers` section:
+        ```yaml
+        ...
+        volumeMounts:
+        - name: <volume_mount_name>
+            mountPath: /etc/nginx/waf/bundles
+        ...
+        ```
+        > **Important**: NGINX Ingress Controller requires the volume mount path to be `/etc/nginx/waf/bundles`
+
 4. [Deploy the Ingress Controller]({{< relref "installation/installing-nic/installation-with-manifests.md#deploy-ingress-controller" >}}).
 
 For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/ingress-resources/app-protect-waf" >}}).