Security recommendations

F5 NGINX Ingress Controller follows Kubernetes best practices: this page outlines configuration specific to NGINX Ingress Controller you may require, including links to examples in the GitHub repository.

For general guidance, we recommend the official Kubernetes documentation for Securing a Cluster.

Kubernetes recommendations

RBAC and Service Accounts

Kubernetes uses RBAC to control the resources and operations available to different types of users.

NGINX Ingress Controller requires RBAC to configure a ServiceUser, and provides least privilege access in its standard deployment configurations:

By default, the ServiceAccount has access to all Secret resources in the cluster.

Secrets

Secrets are required by NGINX Ingress Controller for certificates and privacy keys, which Kubernetes stores unencrypted by default. We recommend following the Kubernetes documentation to store these Secrets using at-rest encryption.

NGINX Ingress Controller recommendations

Configure root filesystem as read-only

Caution:
This feature is compatible with NGINX App Protect WAFv5. It is not compatible with NGINX App Protect WAF or NGINX App Protect DoS.

NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes nginx-ingress-controller, though also includes waf-enforcer and waf-config-mgr when NGINX App Protect WAFv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries.

This is not enabled by default, but can be enabled with Helm using the readOnlyRootFilesystem argument in security contexts on all containers: nginx-ingress-controller, waf_enforcer and waf_config_mgr.

For Manifests, uncomment the following sections of the deployment and add sections for waf-enforcer and waf-config-mgr containers:

  • readOnlyRootFilesystem: true
  • The entire volumeMounts section
  • The entire initContainers section

The block below shows the code you will look for:

#      volumes:
#      - name: nginx-etc
#        emptyDir: {}
#      - name: nginx-cache
#        emptyDir: {}
#      - name: nginx-lib
#        emptyDir: {}
#      - name: nginx-log
#        emptyDir: {}
.
.
.
#          readOnlyRootFilesystem: true
.
.
.
#        volumeMounts:
#        - mountPath: /etc/nginx
#          name: nginx-etc
#        - mountPath: /var/cache/nginx
#          name: nginx-cache
#        - mountPath: /var/lib/nginx
#          name: nginx-lib
#        - mountPath: /var/log/nginx
#          name: nginx-log
  • Add waf-enforcer and waf-config-mgr container sections
  • Add readOnlyFilesystem: true in both containers security context sections

Prometheus

If Prometheus metrics are enabled, we recommend using HTTPS.

Snippets

Snippets allow raw NGINX configuration to be inserted into resources. They are intended for advanced NGINX users and could create vulnerabilities in a cluster if misused.

Snippets are disabled by default. To use snippets, set the enable-snippets command-line argument.

Caution:
Snippets are always enabled for ConfigMap.

For more information, read the following:


Last modified November 13, 2024