nginxinc · jjngx · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024
@@ -34,14 +34,14 @@ By default, the ServiceAccount has access to all Secret resources in the cluster
 ### Configure root filesystem as read-only
 
 {{< caution >}}
- This feature is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/).
+ This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/).
 {{< /caution >}}
 
-NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems to read-only so that the attack surface is further reduced by limiting changes to binaries and libraries.
+NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use.  This is so that the attack surface is further reduced by limiting changes to binaries and libraries.
 
-This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument.
+This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`.
 
-For **Manifests**, uncomment the following sections of the deployment:
+For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers:
 
 - `readOnlyRootFilesystem: true`
 - The entire **volumeMounts** section
@@ -77,6 +77,9 @@ The block below shows the code you will look for:
 #          name: nginx-log
 ```
 
+- Add **waf-enforcer** and **waf-config-mgr** container sections
+- Add `readOnlyFilesystem: true` in both containers security context sections
+
 ### Prometheus
 
 If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}).

@@ -162,7 +162,7 @@ volumeMounts:
 
 ### Enabling WAF v5
 
-Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF fetatures.
+Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF features.
 Afterwords, set `controller.approtect.v5` to `true`.
 This ensures that both the `waf-enforcer` and `waf-config-mgr` containers are deployed alongside the NGINX Ingress Controller containers.
 These two additional containers are required when using App Protect WAF v5.
@@ -218,6 +218,70 @@ controller:
 ```
 {{< /note >}}
 
+### Configuring `readOnlyRootFilesystem`
+
+Create required volumes:
+
+```yaml
+volumes:
+  - name: nginx-etc
+    emptyDir: {}
+  - name: nginx-cache
+    emptyDir: {}
+  - name: nginx-lib
+    emptyDir: {}
+  - name: nginx-log
+    emptyDir: {}
+  - emptyDir: {}
+    name: app-protect-bd-config
+  - emptyDir: {}
+    name: app-protect-config
+  - emptyDir: {}
+    name: app-protect-bundles
+```
+
+Set `controller.securityContext.readOnlyRootFilesystem` to `true`.
+
+Example Helm values:
+
+```yaml
+controller:
+  ...
+  securityContext:
+    readOnlyRootFilesystem: true
+  ...
+```
+
+Set `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` to `true`.
+
+Example Helm values:
+
+```yaml
+controller:
+  ...
+  appprotect:
+    ...
+    enforcer:
+      securityContext:
+        readOnlyRootFilesystem: true
+  ...
+```
+
+Set `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem` to `true`.
+
+Example Helm values:
+
+```yaml
+controller:
+  ...
+  appprotect:
+    ...
+    configManager:
+      securityContext:
+        readOnlyRootFilesystem: true
+  ...
+```
+
 {{%/tab%}}
 
 {{%tab name="With Manifest"%}}
@@ -329,6 +393,74 @@ Add `volumeMounts` as below:
 ...
 ```
 
+### Configure `readOnlyRootFilesystem`
+
+Add `readOnlyRootFilesystem` to the NIC container and set valut to `true` as below:
+
+```yaml
+...
+- image: <my_docker_registery>:<version_tag>
+  imagePullPolicy: IfNotPresent
+  name: nginx-plus-ingress
+  ...
+  securityContext:
+    allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_BIND_SERVICE
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 101
+    readOnlyRootFilesystem: true
+  ...
+  volumeMounts:
+    - mountPath: /etc/nginx
+      name: nginx-etc
+    - mountPath: /var/cache/nginx
+      name: nginx-cache
+    - mountPath: /var/lib/nginx
+      name: nginx-lib
+    - mountPath: /var/log/nginx
+      name: nginx-log
+    - mountPath: /opt/app_protect/bd_config
+      name: app-protect-bd-config
+    - mountPath: /opt/app_protect/config
+      name: app-protect-config
+    - mountPath: /etc/app_protect/bundles
+      name: app-protect-bundles
+...
+```
+
+Add `readOnlyRootFilesystem` to the `waf-config-mgr` container and set value to `true` as below:
+
+```yaml
+...
+- name: waf-config-mgr
+  image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+  imagePullPolicy: IfNotPresent
+  ...
+  securityContext:
+    readOnlyRootFilesystem: true
+    ...
+...
+```
+
+Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `true` as below:
+
+```yaml
+...
+- name: waf-enforcer
+  image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+  imagePullPolicy: IfNotPresent
+  ...
+  securityContext:
+    readOnlyRootFilesystem: true
+    ...
+...
+```
+
 ### Using a Deployment
 
 {{< include "installation/manifests/deployment.md" >}}