Security recommendations

F5 NGINX Ingress Controller LTS follows Kubernetes best practices: this page outlines configuration specific to NGINX Ingress Controller LTS you may require, including links to examples in the GitHub repository.

For general guidance, we recommend the official Kubernetes documentation for Securing a Cluster.

Kubernetes recommendations

RBAC and Service Accounts

Kubernetes uses RBAC to control the resources and operations available to different types of users.

NGINX Ingress Controller LTS requires RBAC to configure a ServiceUser, and provides least privilege access in its standard deployment configurations:

• Helm
• Manifests

By default, the ServiceAccount has access to all Secret resources in the cluster.

Secrets

Secrets are required by NGINX Ingress Controller LTS for certificates and privacy keys, which Kubernetes stores unencrypted by default. We recommend following the Kubernetes documentation to store these Secrets using at-rest encryption.

NGINX Ingress Controller LTS recommendations

Configure root filesystem as read-only

NGINX Ingress Controller LTS is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on nginx-ingress-controller container to read-only. This is so that the attack surface is further reduced by limiting changes to binaries and libraries.

This is not enabled by default, but can be enabled with Helm using the readOnlyRootFilesystem argument in security contexts.

For Manifests, uncomment the following sections of the deployment:

• readOnlyRootFilesystem: true
• The entire volumeMounts section
• The entire initContainers section

The block below shows the code you will look for:

#      volumes:
#      - name: nginx-etc
#        emptyDir: {}
#      - name: nginx-cache  # do not set this value in statefulset if volumeclaimtemplate is set
#        emptyDir: {}       # do not set this value in statefulset if volumeclaimtemplate is set
#      - name: nginx-lib
#        emptyDir: {}
#      - name: nginx-lib-state
#        emptyDir: {}
#      - name: nginx-log
#        emptyDir: {}
.
.
.
#          readOnlyRootFilesystem: true
.
.
.
#        volumeMounts:
#        - mountPath: /etc/nginx
#          name: nginx-etc
#        - mountPath: /var/cache/nginx
#          name: nginx-cache
#        - mountPath: /var/lib/nginx
#          name: nginx-lib
#        - mountPath: /var/lib/nginx/state
#          name: nginx-lib-state
#        - mountPath: /var/log/nginx
#          name: nginx-log

Prometheus

If Prometheus metrics are enabled, we recommend using HTTPS.

Snippets

Snippets allow raw NGINX configuration to be inserted into resources. They are intended for advanced NGINX users and could create vulnerabilities in a cluster if misused.

Snippets are disabled by default. To use snippets, set the enable-snippets command-line argument.

Caution

Snippets are always enabled for ConfigMap.

For more information, read the following:

• Advanced configuration using Snippets
• Using Snippets with VirtualServer/VirtualServerRoute
• Using Snippets with TransportServer
• ConfigMap snippets and custom templates