Skip to content

Commit

Permalink
Add documentation for read-only root filesystem (#3661)
Browse files Browse the repository at this point in the history
  • Loading branch information
vepatel authored Mar 21, 2023
1 parent 04fe202 commit d9f4a7a
Showing 1 changed file with 64 additions and 1 deletion.
65 changes: 64 additions & 1 deletion docs/content/configuration/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,70 @@ We recommend the following for the most secure configuration:
we recommend [configuring HTTPS](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-prometheus-tls-secret) for Prometheus.

### Snippets

Snippets allow you to insert raw NGINX config into different contexts of NGINX configuration and are supported for [Ingress](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-snippets/), [VirtualServer/VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#using-snippets), and [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource/#using-snippets) resources. Additionally, the [ConfigMap](/nginx-ingress-controller/configuration/global-configuration/configmap-resource#snippets-and-custom-templates) resource configures snippets globally.

Snippets are disabled by default. To use snippets, set the [`enable-snippets`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-enable-snippets) command-line argument. Note that for the ConfigMap resource, snippets are always enabled.

### Configure root filesystem as read-only
> **Note**: This feature is available for both the NGINX and NGINX Plus editions. NGINX AppProtect WAF and NGINX AppProtect DoS are not yet supported by this feature.
The F5 Nginx Ingress Controller (NIC) has various protections against attacks, such as running the service as non-root to avoid changes to files. An additional industry best practice is having root filesystems set as read-only so that the attack surface is further reduced by limiting changes to binaries and libraries.

Currently we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [helm-chart](/nginx-ingress-controller/installation-with-helm/#configuration) via `controller.readOnlyRootFilesystem`.
When using manifests instead of Helm, uncomment the following sections of the deployment:
* `readOnlyRootFilesystem: true`,
* The entire `volumeMounts` section,
* The entire `initContiners` section,
* For `initContainers:image:`, use exact same image used for regular NIC installation.
Refer to the below code-block for guidance:

```
# fsGroup: 101 #nginx
.
.
.
# volumes:
# - name: nginx-etc
# emptyDir: {}
# - name: nginx-cache
# emptyDir: {}
# - name: nginx-lib
# emptyDir: {}
# - name: nginx-log
# emptyDir: {}
.
.
.
# readOnlyRootFilesystem: true
.
.
.
# volumeMounts:
# - mountPath: /etc/nginx
# name: nginx-etc
# - mountPath: /var/cache/nginx
# name: nginx-cache
# - mountPath: /var/lib/nginx
# name: nginx-lib
# - mountPath: /var/log/nginx
# name: nginx-log
.
.
.
# initContainers:
# - image: <repository>:<tag>
# imagePullPolicy: IfNotPresent
# name: init-nginx-ingress
# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
# securityContext:
# allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
# runAsUser: 101 #nginx
# runAsNonRoot: true
# capabilities:
# drop:
# - ALL
# volumeMounts:
# - mountPath: /mnt/etc
# name: nginx-etc
```

0 comments on commit d9f4a7a

Please sign in to comment.