This is a way to expose an OpenVAS / GSAD instance running in a GKE cluster (Google Kubernetes Engine) to the public internet securely, with Google Identity-Aware Proxy (IAP) in front of it.
After the Google authentication you will still see the normal GSAD login screen, because the GSAD application cannot consume the Google user identity by default.
With this configuration the default data directory is stored on a persistent disk to make all OpenVAS scan/task/target/etc data persistent.
- An OpenVAS image where you are able to modify the GSAD startup parameters (e.g. https://github.com/mikesplain/openvas-docker)
- An Nginx image (e.g. https://github.com/nginxinc/docker-nginx)
- A global static external IP address (https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#reserve_new_static)
I have referenced some variables in my configuration files below. These variables need to be replaced either manually or by your preferred templating solution.
| Variable | Description |
|---|---|
| $NAMESPACE | The namespace you want to deploy your OpenVAS to. |
| $OPENVAS_IMAGE | The image path, including the version, of your OpenVAS image. |
| $NGINX_IMAGE | The image path, including the version, of your Nginx image. |
| $DOMAIN | The FQDN under which your OpenVAS will be reachable. |
| $IP | The actual IP address you reserved for OpenVAS. |
| $IP_NAME | The name of the IP address you reserved for OpenVAS. |
| $SECRET | The name of the secret where your OAuth credentials are stored. |
Feel free to adjust other values (e.g. the resource requests/limits) to your needs; these are just examples.
To prepare IAP, please follow this guide: https://cloud.google.com/iap/docs/enabling-kubernetes-howto. You will need to store the OAuth client ID and secret in a Kubernetes secret ($SECRET in the variables section).
To make sure GSAD works as intended, the `--allow-header-host` parameter must be set to your FQDN; otherwise GSAD rejects requests whose Host header does not match:

```
--allow-header-host=$DOMAIN
```

As an example, I am using the following command:

```
gsad -f --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --timeout=60 --http-only --allow-header-host=$DOMAIN
```
I increased the session timeout to 60 minutes and disabled HTTPS. I am fine with the Google-managed certificate and want to avoid warnings due to the self-signed certificate. With HTTPS disabled, GSAD will display a warning message on the login screen. This should be fine on GKE since, as far as I know, the underlying Kubernetes network is encrypted by Google. This depends on your situation and risk profile, of course.
I did not test this with https enabled!
The reason why we need a separate reverse proxy in front of OpenVAS is described in this issue: mikesplain/openvas-docker#188 (comment)
Essentially we need to provide the X-Real-IP header, containing the actual IP of your client, to GSAD. Nginx's real_ip module (ngx_http_realip_module) is used for this. With this module we are able to extract the client IP from the X-Forwarded-For header, which is then automatically stored in $remote_addr. We also need to declare the source IP ranges of the Google HTTP(S) load balancer as trusted with set_real_ip_from, so that only headers coming from the load balancer are believed. These IP ranges can be found here: https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
The X-Forwarded-For header is sent from the Google Ingress with the client IP and the external IP of the Ingress.
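Below is an added example of the Nginx sidecar configuration described above; it is not from the original post or the openvas-docker project. It assumes GSAD listens on 127.0.0.1:9392 as in the gsad command above, uses the Google load balancer source ranges published at the link above (verify them there before use), and also trusts the Ingress external IP ($IP) because it appears in X-Forwarded-For; $DOMAIN and $IP are the template variables from the table and the node/pod CIDR is a placeholder.

```nginx
# Added example (not from the original post): reverse proxy in front of GSAD.
worker_processes 1;
events { worker_connections 1024; }

http {
    # Only believe X-Forwarded-For when the peer is a Google HTTP(S) load
    # balancer proxy. Ranges as published by Google; check the linked page.
    set_real_ip_from 130.211.0.0/22;
    set_real_ip_from 35.191.0.0/16;
    # The Ingress external IP is appended to X-Forwarded-For by the load
    # balancer, so it must be trusted too or it would be taken as the client.
    set_real_ip_from $IP/32;
    # If traffic reaches this pod via a node (kube-proxy SNAT), the node/pod
    # network shows up as the peer as well. Placeholder: use your cluster CIDR.
    set_real_ip_from 10.0.0.0/8;

    real_ip_header    X-Forwarded-For;
    # Walk X-Forwarded-For from right to left, skipping every trusted
    # address, so the first untrusted entry (the real client) lands in
    # $remote_addr. Without this, only the rightmost entry would be used.
    real_ip_recursive on;

    server {
        listen 80;
        # $DOMAIN is a template variable to replace before deployment;
        # nginx does not expand variables in server_name itself.
        server_name $DOMAIN;

        location / {
            proxy_pass http://127.0.0.1:9392;
            # Forward the original Host header unchanged: GSAD compares it
            # against --allow-header-host and rejects 127.0.0.1:9392.
            proxy_set_header Host            $host;
            # The header GSAD actually needs: the client IP resolved above.
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

If GSAD still logs the load balancer or node IP as the client, the peer address was not covered by a set_real_ip_from entry; compare the nginx access log's $remote_addr with the incoming X-Forwarded-For value to see which hop is missing.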