From 5454a0028ddd14f0c2d889968271ef99d6838d80 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Mon, 21 Oct 2024 11:42:08 +0100 Subject: [PATCH 01/10] Add reference to WAFv5, enforcer and manager --- site/content/configuration/security.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index d435e73071..4dc4f2a17b 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md 
@@ -34,12 +34,12 @@ By default, the ServiceAccount has access to all Secret resources in the cluster ### Configure root filesystem as read-only {{< caution >}} - This feature is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). + This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). {{< /caution >}} -NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems to read-only so that the attack surface is further reduced by limiting changes to binaries and libraries. +NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx_ingress_controller`, `waf_enforcer` and `waf_config_mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries. -This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument. 
+This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}). For **Manifests**, uncomment the following sections of the deployment: @@ -77,6 +77,7 @@ The block below shows the code you will look for: # name: nginx-log ``` + ### Prometheus If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}). From 713c270c755e184e5fd7374b9f5a81511cb0654f Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Mon, 21 Oct 2024 13:35:22 +0100 Subject: [PATCH 02/10] Add manifest instructions --- site/content/configuration/security.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index 4dc4f2a17b..0762ecb191 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md 
@@ -41,7 +41,7 @@ NGINX Ingress Controller is designed to be resilient against attacks in various This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}). -For **Manifests**, uncomment the following sections of the deployment: +For **Manifests**, uncomment the following sections of the deployment and add sections for `waf_enforcer` and `waf_config_mgr` containers: - `readOnlyRootFilesystem: true` - The entire **volumeMounts** section @@ -77,7 +77,6 @@ The block below shows the code you will look for: # name: nginx-log ``` - ### Prometheus If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}). From d1bf23cb766b59f1a05b8f417bb8fe8decde9aea Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Mon, 21 Oct 2024 13:41:23 +0100 Subject: [PATCH 03/10] Update containers' names --- site/content/configuration/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index 0762ecb191..781f78925b 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md 
@@ -37,11 +37,11 @@ By default, the ServiceAccount has access to all Secret resources in the cluster This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). {{< /caution >}} -NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx_ingress_controller`, `waf_enforcer` and `waf_config_mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries. +NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx-ingress-controller`, `waf-enforcer` and `waf-config-mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries. This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}). 
-For **Manifests**, uncomment the following sections of the deployment and add sections for `waf_enforcer` and `waf_config_mgr` containers: +For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers: - `readOnlyRootFilesystem: true` - The entire **volumeMounts** section From 8170f8f05187bd0aa976c43beb20cf98ae1e7fb2 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Mon, 21 Oct 2024 14:44:51 +0100 Subject: [PATCH 04/10] Update instructions for enforcer and manager --- site/content/configuration/security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index 781f78925b..117bb8a130 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md @@ -77,6 +77,10 @@ The block below shows the code you will look for: # name: nginx-log ``` +- Add **waf-enforcer** and **waf-config-mgr** container sections +- Add `readOnlyFilesystem: true` in both containers security context sections + + ### Prometheus If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}). From b5bae16978e07c4f6ee8b72642dce2bc4ac76819 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Mon, 21 Oct 2024 17:54:26 +0100 Subject: [PATCH 05/10] Add config snippets --- .../app-protect-waf-v5/installation.md | 47 ++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index e5aeb182f1..c415209a0f 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md 
@@ -162,7 +162,7 @@ volumeMounts: ### Enabling WAF v5 -Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF fetatures. +Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF features. Afterwords, set `controller.approtect.v5` to `true`. This ensures that both the `waf-enforcer` and `waf-config-mgr` containers are deployed alongside the NGINX Ingress Controller containers. These two additional containers are required when using App Protect WAF v5. @@ -227,6 +227,51 @@ You have two options for deploying NGINX Ingress Controller: - **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas. - **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. + +### Configuring `readOnlyRootFilesystem` + +Set `controller.securityContext.readOnlyRootFilesystem` to `true`. + +Example helm values: + +```yaml +controller: + ... + securityContext: + readOnlyRootFilesystem: true + ... +``` + +Set `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` to `true`. + +Example helm values: + +```yaml +controller: + ... + appprotect: + ... + enforcer: + securityContext: + readOnlyRootFilesystem: true + ... +``` + +Set `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem` to `true`. + +Example helm values: + +```yaml +controller: + ... + appprotect: + ... + configManager: + securityContext: + readOnlyRootFilesystem: true + ... +``` + --- ### Set up role-based access control (RBAC) {#set-up-rbac} From ddae48870177128ca9b8a91bdc38f50c35114524 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Tue, 22 Oct 2024 10:12:05 +0100 Subject: [PATCH 06/10] Update naming --- .../integrations/app-protect-waf-v5/installation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index c415209a0f..f273c55dec 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md @@ -232,7 +232,7 @@ You have two options for deploying NGINX Ingress Controller: Set `controller.securityContext.readOnlyRootFilesystem` to `true`. -Example helm values: +Example Helm values: ```yaml controller: @@ -244,7 +244,7 @@ controller: Set `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` to `true`. -Example helm values: +Example Helm values: ```yaml controller: @@ -259,7 +259,7 @@ controller: Set `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem` to `true`. -Example helm values: +Example Helm values: ```yaml controller: From 0e9e57bc1208fd69dcf20aa4d8a9aca762dc427e Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Wed, 23 Oct 2024 15:59:15 +0100 Subject: [PATCH 07/10] Update Helm and Manifest sections --- .../app-protect-waf-v5/installation.md | 63 ++++++++++++++++--- 1 file changed, 53 insertions(+), 10 deletions(-) diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index f273c55dec..3e738a4f7e 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md 
@@ -218,16 +218,6 @@ controller: ``` {{< /note >}} -{{%/tab%}} - -{{%tab name="With Manifest"%}} - -You have two options for deploying NGINX Ingress Controller: - -- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas. -- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. - - ### Configuring `readOnlyRootFilesystem` Set `controller.securityContext.readOnlyRootFilesystem` to `true`. @@ -272,6 +262,15 @@ controller: ... ``` +{{%/tab%}} + +{{%tab name="With Manifest"%}} + +You have two options for deploying NGINX Ingress Controller: + +- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas. +- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. + --- ### Set up role-based access control (RBAC) {#set-up-rbac} @@ -374,6 +373,50 @@ Add `volumeMounts` as below: ... ``` +### Configure `readOnlyRootFilesystem` + +Add `readOnlyRootFilesystem` to the NIC container as below: + +```yaml +... +- image: : + imagePullPolicy: IfNotPresent + name: nginx-plus-ingress + ... + securityContext: + readOnlyRootFilesystem: true + ... +... +``` + +Add `readOnlyRootFilesystem: true` to the `waf-config-mgr` container: + +```yaml +... +- name: waf-config-mgr + image: private-registry.nginx.com/nap/waf-config-mgr: + imagePullPolicy: IfNotPresent + ... + securityContext: + readOnlyRootFilesystem: true + ... +... +``` + +Add `readOnlyRootFilesystem: true` to the `waf-enforcer` container: + +```yaml +... +- name: waf-enforcer + image: private-registry.nginx.com/nap/waf-enforcer: + imagePullPolicy: IfNotPresent + ... + securityContext: + readOnlyRootFilesystem: true + ... +... +``` + ### Using a Deployment {{< include "installation/manifests/deployment.md" >}} From 625731798983cf0b7faf0d9ddbc694ce29353acc Mon Sep 17 00:00:00 2001 
From: Jakub Jarosz Date: Wed, 23 Oct 2024 16:13:16 +0100 Subject: [PATCH 08/10] Update Helm and Manifest sections --- .../integrations/app-protect-waf-v5/installation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index 3e738a4f7e..da6fd692e6 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md @@ -375,7 +375,7 @@ Add `volumeMounts` as below: ### Configure `readOnlyRootFilesystem` -Add `readOnlyRootFilesystem` to the NIC container as below: +Add `readOnlyRootFilesystem` to the NIC container and set valut to `true` as below: ```yaml ... @@ -389,7 +389,7 @@ Add `readOnlyRootFilesystem` to the NIC container as below: ... ``` -Add `readOnlyRootFilesystem: true` to the `waf-config-mgr` container: +Add `readOnlyRootFilesystem` to the `waf-config-mgr` container and set value to `true` as below: ```yaml ... @@ -403,7 +403,7 @@ Add `readOnlyRootFilesystem: true` to the `waf-config-mgr` container: ... ``` -Add `readOnlyRootFilesystem: true` to the `waf-enforcer` container: +Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `true` as below: ```yaml ... From a41be869d24f4bce2616a1284508afe946b06027 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Thu, 24 Oct 2024 18:07:46 +0100 Subject: [PATCH 09/10] Update docs --- site/content/configuration/security.md | 4 +- .../app-protect-waf-v5/installation.md | 46 ++++++++++++++++++- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index 117bb8a130..b28cfab031 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md 
@@ -37,9 +37,9 @@ By default, the ServiceAccount has access to all Secret resources in the cluster This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/). {{< /caution >}} -NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx-ingress-controller`, `waf-enforcer` and `waf-config-mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries. +NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries. -This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}). 
+This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`. For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers: diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md index da6fd692e6..0a32561f04 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/site/content/installation/integrations/app-protect-waf-v5/installation.md @@ -220,6 +220,26 @@ controller: ### Configuring `readOnlyRootFilesystem` +Create required volumes: + +```yaml +volumes: + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} + - emptyDir: {} + name: app-protect-bd-config + - emptyDir: {} + name: app-protect-config + - emptyDir: {} + name: app-protect-bundles +``` + Set `controller.securityContext.readOnlyRootFilesystem` to `true`. Example Helm values: 
@@ -384,8 +404,32 @@ Add `readOnlyRootFilesystem` to the NIC container and set valut to `true` as bel name: nginx-plus-ingress ... securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 101 readOnlyRootFilesystem: true - ... + ... + volumeMounts: + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log + - mountPath: /opt/app_protect/bd_config + name: app-protect-bd-config + - mountPath: /opt/app_protect/config + name: app-protect-config + - mountPath: /etc/app_protect/bundles + name: app-protect-bundles ... ``` From d62e8837a10a1ff46a0ed7a9ff171cdb5fe5f85c Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Fri, 25 Oct 2024 16:43:33 +0100 Subject: [PATCH 10/10] Remove empty lines --- site/content/configuration/security.md | 1 - 1 file changed, 1 deletion(-) diff --git a/site/content/configuration/security.md b/site/content/configuration/security.md index b28cfab031..33104bec7e 100644 --- a/site/content/configuration/security.md +++ b/site/content/configuration/security.md @@ -80,7 +80,6 @@ The block below shows the code you will look for: - Add **waf-enforcer** and **waf-config-mgr** container sections - Add `readOnlyFilesystem: true` in both containers security context sections - ### Prometheus If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}).
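Review bot: In PATCH 01, hunk `@@ -34,12 +34,12 @@` of security.md, the two new relref shortcodes are malformed: `{{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}` has a space between `{{` and `<`, so Hugo will not parse them as shortcodes and the link targets for `controller.appprotect.enforcer.securityContext{}` and `controller.appprotect.configManager.securityContext{}` will be emitted as literal text. Write them as `{{< relref ... >}}`, matching the existing `controller.readOnlyRootFilesystem` link on the same line. PATCH 09 later replaces the whole sentence, so the squashed result is fine, but this intermediate commit does not build as documentation.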
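Review bot: In PATCH 04, hunk `@@ -77,6 +77,10 @@` of security.md, `readOnlyFilesystem: true` is not a Kubernetes securityContext field; the field is `readOnlyRootFilesystem`, as every other hunk in this series spells it. A reader who copies the bullet literally gets a manifest that either fails strict validation or, with a lenient client, silently ignores the key and leaves the root filesystem writable, which is the opposite of what the section promises. PATCH 10 edits this exact region and does not correct it. Minor: "both containers security context sections" should read "both containers' securityContext sections".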
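Review bot: In PATCH 05, hunk `@@ -162,7 +162,7 @@` of installation.md, the change fixes `fetatures` but leaves the sentence without its verb: "This will the standard App Protect WAF features" still needs "enable". Two issues sit in the unchanged context of the same hunk and are worth fixing while here: "Afterwords" should be "Afterwards", and `controller.approtect.v5` does not match the `controller.appprotect.enable` key in the sentence before it. If `approtect` is a typo, it matters more than the prose, because a mistyped Helm values key is silently ignored and the `waf-enforcer` and `waf-config-mgr` containers would never be deployed.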
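Review bot: In PATCH 05, hunk `@@ -227,6 +227,51 @@` of installation.md, the Helm values key is documented as `controller.securityContext.readOnlyRootFilesystem`, while security.md (PATCH 01, and still after PATCH 09) links to `controller.readOnlyRootFilesystem`. Only one of these can be the value the chart actually reads; confirm which and use the same key in both files, otherwise one page tells users to set a key that has no effect. Also, as added in this patch the three `### Configuring readOnlyRootFilesystem` blocks land under the "With Manifest" tab even though they are Helm values; PATCH 07 moves the tab markers to fix that, so it would be cleaner to squash the two.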
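Review bot: In PATCH 08, hunk `@@ -375,7 +375,7 @@` of installation.md, the new line reads "set valut to `true`"; the typo survives into the hunk header of PATCH 09 (`Add readOnlyRootFilesystem to the NIC container and set valut to true`), so nothing later fixes it. The other two rewritten lines in this patch ("set value to `true`") are missing the article; "and set its value to `true`" reads correctly in all three places.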
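Review bot: In PATCH 09, hunk `@@ -37,9 +37,9 @@` of security.md, the rewritten paragraph has a comma splice ("setting filesystems on all containers to read-only, this includes ...") and reverts the naming that PATCH 03 standardised: the Helm sentence lists `waf_enforcer` and `waf_config_mgr` with underscores while the sentence above it and the Manifest sentence below use the container names `waf-enforcer` and `waf-config-mgr`. The new link text **readOnlyRootFilesystem** also drops the values path; readers need the full keys, which installation.md spells out as `controller.securityContext.readOnlyRootFilesystem`, `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` and `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem`. Suggested wording: "We recommend setting the root filesystem of every container to read-only: `nginx-ingress-controller`, and also `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use. This further reduces the attack surface by preventing changes to binaries and libraries."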
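Review bot: In PATCH 09, hunk `@@ -220,6 +220,26 @@` of installation.md, the "Create required volumes:" block is a pod-spec `volumes:` fragment placed in the Helm tab without saying where it goes. Either state the Helm values key it belongs under, or move it next to the `volumeMounts` in the Manifest tab if it is meant for the raw Deployment; as written, a Helm user has no place to put it. Minor: the list mixes `- name: ... / emptyDir: {}` and `- emptyDir: {} / name: ...` key order for the four nginx volumes versus the three app-protect volumes; it is valid YAML, but a single ordering is easier to copy.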
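Review bot: In PATCH 09, hunk `@@ -384,8 +404,32 @@` of installation.md, the resulting `securityContext` block contains `readOnlyRootFilesystem: true` twice: the new line between `drop: - ALL` and `runAsNonRoot: true`, plus the pre-existing line after `runAsUser: 101`. Duplicate mapping keys are invalid YAML; `kubectl apply` with strict decoding rejects the manifest and lenient parsers keep only one value silently. Drop the pre-existing line. The fuller hardened context this hunk introduces (`allowPrivilegeEscalation: false`, `drop: ALL` with only `NET_BIND_SERVICE` added back, `runAsNonRoot: true`, `runAsUser: 101`) is a good addition. One question: the `app-protect-bd-config`, `app-protect-config` and `app-protect-bundles` mounts are added only to the `nginx-plus-ingress` container; if `waf-config-mgr` writes into them and `waf-enforcer` reads from them, the same volumes need `volumeMounts` on those two containers as well, and the `waf-config-mgr` and `waf-enforcer` snippets added in PATCH 07 should show them.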