Security recommendations

F5 NGINX Ingress Controller follows Kubernetes best practices: this page outlines configuration specific to NGINX Ingress Controller you may require, including links to examples in the GitHub repository.

For general guidance, we recommend the official Kubernetes documentation for Securing a Cluster.

Kubernetes recommendations

RBAC and Service Accounts

Kubernetes uses RBAC to control the resources and operations available to different types of users.

NGINX Ingress Controller requires RBAC to configure a ServiceUser, and provides least privilege access in its standard deployment configurations:

• Helm
• Manifests

By default, the ServiceAccount has access to all Secret resources in the cluster.

Secrets

Secrets are required by NGINX Ingress Controller for certificates and privacy keys, which Kubernetes stores unencrypted by default. We recommend following the Kubernetes documentation to store these Secrets using at-rest encryption.

NGINX Ingress Controller recommendations

Configure root filesystem as read-only

Caution:
This feature is not compatible with NGINX App Protect WAF or NGINX App Protect DoS.

NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems to read-only so that the attack surface is further reduced by limiting changes to binaries and libraries.

This is not enabled by default, but can be enabled with Helm using the controller.readOnlyRootFilesystem argument.

For Manifests, uncomment the following sections of the deployment:

• readOnlyRootFilesystem: true
• The entire volumeMounts section
• The entire initContainers section

The block below shows the code you will look for:

#      volumes:
#      - name: nginx-etc
#        emptyDir: {}
#      - name: nginx-cache
#        emptyDir: {}
#      - name: nginx-lib
#        emptyDir: {}
#      - name: nginx-log
#        emptyDir: {}
.
.
.
#          readOnlyRootFilesystem: true
.
.
.
#        volumeMounts:
#        - mountPath: /etc/nginx
#          name: nginx-etc
#        - mountPath: /var/cache/nginx
#          name: nginx-cache
#        - mountPath: /var/lib/nginx
#          name: nginx-lib
#        - mountPath: /var/log/nginx
#          name: nginx-log

Prometheus

If Prometheus metrics are enabled, we recommend using HTTPS.

Snippets

Snippets allow raw NGINX configuration to be inserted into resources. They are intended for advanced NGINX users and could create vulnerabilities in a cluster if misused.

Snippets are disabled by default. To use snippets, set the enable-snippets command-line argument.

Caution:
Snippets are always enabled for ConfigMap.

For more information, read the following:

• Advanced configuration using Snippets
• Using Snippets with VirtualServer/VirtualServerRoute
• Using Snippets with TransportServer
• ConfigMap snippets and custom templates