diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index d435e73071..33104bec7e 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md 
@@ -34,14 +34,14 @@ By default, the ServiceAccount has access to all Secret resources in the cluster ### Configure root filesystem as read-only {{< caution >}} - This feature is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). + This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). {{< /caution >}} -NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems to read-only so that the attack surface is further reduced by limiting changes to binaries and libraries. +NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries. -This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument. +This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`. 
-For **Manifests**, uncomment the following sections of the deployment: +For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers: - `readOnlyRootFilesystem: true` - The entire **volumeMounts** section @@ -77,6 +77,9 @@ The block below shows the code you will look for: # name: nginx-log ``` +- Add **waf-enforcer** and **waf-config-mgr** container sections +- Add `readOnlyFilesystem: true` in both containers security context sections + ### Prometheus If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}). diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index e5aeb182f1..0a32561f04 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md @@ -162,7 +162,7 @@ volumeMounts: ### Enabling WAF v5 -Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF fetatures. +Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF features. Afterwords, set `controller.approtect.v5` to `true`. This ensures that both the `waf-enforcer` and `waf-config-mgr` containers are deployed alongside the NGINX Ingress Controller containers. These two additional containers are required when using App Protect WAF v5. 
@@ -218,6 +218,70 @@ controller: ``` {{< /note >}} +### Configuring `readOnlyRootFilesystem` + +Create required volumes: + +```yaml +volumes: + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} + - emptyDir: {} + name: app-protect-bd-config + - emptyDir: {} + name: app-protect-config + - emptyDir: {} + name: app-protect-bundles +``` + +Set `controller.securityContext.readOnlyRootFilesystem` to `true`. + +Example Helm values: + +```yaml +controller: + ... + securityContext: + readOnlyRootFilesystem: true + ... +``` + +Set `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` to `true`. + +Example Helm values: + +```yaml +controller: + ... + appprotect: + ... + enforcer: + securityContext: + readOnlyRootFilesystem: true + ... +``` + +Set `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem` to `true`. + +Example Helm values: + +```yaml +controller: + ... + appprotect: + ... + configManager: + securityContext: + readOnlyRootFilesystem: true + ... +``` + {{%/tab%}} {{%tab name="With Manifest"%}} 
@@ -329,6 +393,74 @@ Add `volumeMounts` as below: ... ``` +### Configure `readOnlyRootFilesystem` + +Add `readOnlyRootFilesystem` to the NIC container and set valut to `true` as below: + +```yaml +... +- image: : + imagePullPolicy: IfNotPresent + name: nginx-plus-ingress + ... + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 101 + readOnlyRootFilesystem: true + ... + volumeMounts: + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log + - mountPath: /opt/app_protect/bd_config + name: app-protect-bd-config + - mountPath: /opt/app_protect/config + name: app-protect-config + - mountPath: /etc/app_protect/bundles + name: app-protect-bundles +... +``` + +Add `readOnlyRootFilesystem` to the `waf-config-mgr` container and set value to `true` as below: + +```yaml +... +- name: waf-config-mgr + image: private-registry.nginx.com/nap/waf-config-mgr: + imagePullPolicy: IfNotPresent + ... + securityContext: + readOnlyRootFilesystem: true + ... +... +``` + +Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `true` as below: + +```yaml +... +- name: waf-enforcer + image: private-registry.nginx.com/nap/waf-enforcer: + imagePullPolicy: IfNotPresent + ... + securityContext: + readOnlyRootFilesystem: true + ... +... +``` + ### Using a Deployment {{< include "installation/manifests/deployment.md" >}}
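Review bot: the added bullet in the second security.md hunk says `readOnlyFilesystem: true`, but the Kubernetes securityContext field (and the key used everywhere else in this patch) is `readOnlyRootFilesystem`; a reader copying the bullet as written gets an unknown field and the hardening silently does not apply. Change it to "Add `readOnlyRootFilesystem: true` in both containers' securityContext sections".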
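Review bot: the edited line in the installation.md "Enabling WAF v5" hunk still reads "This will the standard App Protect WAF features", with the verb missing, and the unchanged context right after it has "Afterwords" and the key `controller.approtect.v5`, which does not match the `controller.appprotect` prefix used in the same sentence and in the values examples later in this patch. Since the line is already being touched, fix all three: "This enables the standard App Protect WAF features. Afterwards, set `controller.appprotect.v5` to `true`."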
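Review bot: the "Create required volumes" block in the Helm "Configuring `readOnlyRootFilesystem`" hunk does not say which Helm values key the `volumes:` list belongs under, unlike the three blocks below it, which show the `controller:` path with `...` placeholders; add the same wrapper so the snippet can actually be placed in a values file. The list also mixes two item styles, `- name:` then `emptyDir: {}` for the four nginx volumes and `- emptyDir: {}` then `name:` for the three app-protect volumes; pick one ordering.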
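Review bot: the first YAML block in the Manifest "Configure `readOnlyRootFilesystem`" hunk sets `readOnlyRootFilesystem: true` twice inside the same `securityContext` mapping (once after `drop: - ALL`, again after `runAsUser: 101`); duplicate keys in one mapping are rejected by strict YAML parsers and redundant otherwise, so keep a single occurrence. In the same hunk, "set valut to `true`" should read "set value to `true`", the `image: :` line carries no placeholder text to tell the reader what to fill in, and the heading "Configure `readOnlyRootFilesystem`" differs from the Helm tab's "Configuring `readOnlyRootFilesystem`"; align the two.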