• F5

    Deliver and secure every app

  • DevCentral

    Connect & learn in our hosted community

  • MyF5

    Your key to everything F5, including support, registration keys, and subscriptions

  • NGINX

    Learn more about NGINX Open Source and read the community blog

  • Community Forum

    Engage with the broader NGINX community for discussions and troubleshooting

Permissions

Overview

NGINX Gateway Fabric uses a split-plane architecture with three components that require different permissions:

  • Control Plane: Manages Kubernetes APIs and data plane deployments. Needs broad API access but handles no user traffic.
  • Data Plane: Processes user traffic. Requires minimal permissions since configuration comes from control plane via secure gRPC.
  • Certificate Generator: One-time job that creates TLS certificates for inter-plane communication.

Security Context

All components share these security settings:

  • User ID: 101 (non-root)
  • Group ID: 1001
  • Capabilities: All dropped (drop: ALL)
  • Root Filesystem: Read-only except for specific writable volumes
  • Seccomp: Runtime default profile

Control Plane

Runs as a single container in the nginx-gateway deployment.

Additional Security Settings:

  • Privilege Escalation: Disabled

Volumes:

  • Secret mounts for TLS certificates

RBAC Permissions:

  • Secrets, ConfigMaps, Services: Create, update, delete, list, get, watch
  • Deployments, DaemonSets: Create, update, delete, list, get, watch
  • ServiceAccounts: Create, update, delete, list, get, watch
  • Namespaces, Pods: Get, list, watch
  • Events: Create, patch
  • EndpointSlices: List, watch
  • Gateway API resources: List, watch (read-only) + update status subresources only
  • NGF Custom resources: Get, list, watch (read-only) + update status subresources only
  • Leases: Create, get, update (for leader election)
  • CustomResourceDefinitions: List, watch
  • TokenReviews: Create (for authentication)

Data Plane

NGINX containers managed by the control plane. No RBAC permissions needed since configuration comes via secure gRPC.

Additional Security Settings:

  • Privilege Escalation: Disabled
  • Sysctl: net.ipv4.ip_unprivileged_port_start=0 (enables binding to ports < 1024)

Volumes:

  • EmptyDir volumes for NGINX configuration, runtime files, logs, and cache
  • Secret mounts for TLS certificates and the NGINX Plus JWT token
  • Projected token mounts for service account authentication

Volume Permissions:

  • EmptyDir: Read-write (required for NGINX operation)
  • Secret/ConfigMap/Projected: Read-only

Certificate Generator

Kubernetes Job that creates initial TLS certificates.

RBAC Permissions:

  • Secrets: Create, update, get (control plane namespace only)

Platform-Specific Considerations

OpenShift Compatibility

NGINX Gateway Fabric includes Security Context Constraints (SCCs) for OpenShift:

Control Plane SCC:

  • Privilege Escalation: Disabled
  • Host Access: Disabled (network, IPC, PID, ports)
  • User ID Range: 101-101 (fixed)
  • Group ID Range: 1001-1001 (fixed)
  • Volumes: Secret only

Data Plane SCC: Same restrictions as control plane, plus additional volume types:

  • Additional Volumes: EmptyDir, ConfigMap, Projected

Linux Capabilities

NGINX Gateway Fabric drops ALL Linux capabilities and adds none, following security best practices.

How It Works Without Capabilities:

  • Process Management: Standard Unix signals (no elevated privileges needed)
  • Port Binding: Uses sysctl net.ipv4.ip_unprivileged_port_start=0 for ports < 1024
  • File Operations: Volume mounts provide necessary write access

Security Features

  • Separation of concerns: Control plane (API access, no traffic) vs data plane (traffic, no API access)
  • Non-root execution: All components run as unprivileged user (UID 101)
  • Zero capabilities: All Linux capabilities dropped
  • Read-only root filesystem: Prevents runtime modifications
  • Ephemeral storage: Temporary volumes only, no persistent storage
  • Least privilege RBAC: Minimal required permissions per component
  • Secure communication: mTLS-encrypted gRPC (TLS 1.3+) between planes
View source
Edit this page
Create a new issue