Docs/waf v5 docs #6694

Open
wants to merge 21 commits into
base: main
Changes from 6 commits
12 changes: 8 additions & 4 deletions site/content/configuration/security.md
Expand Up @@ -34,14 +34,14 @@ By default, the ServiceAccount has access to all Secret resources in the cluster
### Configure root filesystem as read-only

{{< caution >}}
This feature is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/).
This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/).
{{< /caution >}}

NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems to read-only so that the attack surface is further reduced by limiting changes to binaries and libraries.
NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx-ingress-controller`, `waf-enforcer` and `waf-config-mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries.

This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument.
This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}).

For **Manifests**, uncomment the following sections of the deployment:
For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers:

- `readOnlyRootFilesystem: true`
- The entire **volumeMounts** section
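Review bot: the two new `relref` shortcodes in the `controller.readOnlyRootFilesystem` paragraph are written as `{{ < relref ... >}}` with a space after `{{`; Hugo does not parse that as a shortcode, so both links will render as literal text. Write them as `{{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}`, exactly like the first link on the same line. The same paragraph names the containers `waf_enforcer` and `waf_config_mgr`, while the sentence above and the Manifests text use `waf-enforcer` and `waf-config-mgr`; use the hyphenated names consistently, and drop the `{}` suffix from `securityContext{}`, which is not part of the values key. Consider also rewording "setting filesystems on all three containers: ... to read-only" as "setting the root filesystem of all three containers (`nginx-ingress-controller`, `waf-enforcer` and `waf-config-mgr`) to read-only".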
Expand Down Expand Up @@ -77,6 +77,10 @@ The block below shows the code you will look for:
# name: nginx-log
```

- Add **waf-enforcer** and **waf-config-mgr** container sections
- Add `readOnlyFilesystem: true` in both containers security context sections


### Prometheus

If Prometheus metrics are [enabled]({{< relref "/logging-and-monitoring/prometheus.md" >}}), we recommend [using HTTPS]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-prometheus-tls-secret" >}}).
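Review bot: the new bullet `readOnlyFilesystem: true` names a field that does not exist in a Kubernetes container `securityContext`; the field is `readOnlyRootFilesystem`, as the bullet above (`readOnlyRootFilesystem: true`) already uses. A reader who copies this key gets either a rejected manifest or a silently dropped field, depending on the API server's field validation, and in both cases the root filesystem of the two WAF containers stays writable. Suggested wording: `- Add `readOnlyRootFilesystem: true` to the `securityContext` of both containers`. The two blank lines before `### Prometheus` can be reduced to one.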
Expand Up @@ -162,7 +162,7 @@ volumeMounts:

### Enabling WAF v5

Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF fetatures.
Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF features.
Afterwords, set `controller.approtect.v5` to `true`.
This ensures that both the `waf-enforcer` and `waf-config-mgr` containers are deployed alongside the NGINX Ingress Controller containers.
These two additional containers are required when using App Protect WAF v5.
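Review bot: the edited sentence still has no verb after the `fetatures` typo fix: "This will the standard App Protect WAF features." Suggest "This enables the standard App Protect WAF features." In the unchanged lines directly below, `controller.approtect.v5` is missing a `p` (the key in the previous sentence is `controller.appprotect.enable`, so this should be `controller.appprotect.v5`), and "Afterwords" should be "Afterwards"; since the hunk already touches this paragraph, both are worth fixing in the same change.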
Expand Down Expand Up @@ -227,6 +227,51 @@ You have two options for deploying NGINX Ingress Controller:
- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas.
- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes.


### Configuring `readOnlyRootFilesystem`

Set `controller.securityContext.readOnlyRootFilesystem` to `true`.

Example helm values:

```yaml
controller:
...
securityContext:
readOnlyRootFilesystem: true
...
```

Set `controller.appprotect.enforcer.securityContext.readOnlyRootFilesystem` to `true`.

Example helm values:

```yaml
controller:
...
appprotect:
...
enforcer:
securityContext:
readOnlyRootFilesystem: true
...
```

Set `controller.appprotect.configManager.securityContext.readOnlyRootFilesystem` to `true`.

Example helm values:

```yaml
controller:
...
appprotect:
...
configManager:
securityContext:
readOnlyRootFilesystem: true
...
```

---

### Set up role-based access control (RBAC) {#set-up-rbac}
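Review bot: the three values snippets each show one of `controller.securityContext`, `controller.appprotect.enforcer.securityContext` and `controller.appprotect.configManager.securityContext` in isolation, but nothing in the section says that all three must be set for the read-only root filesystem to cover every container, which is the point the `security.md` change in this PR makes. Consider one combined example (all three keys under a single `controller:` tree) preceded by a sentence stating that all three are required. Minor: "helm" in "Example helm values" should be "Helm", matching the rest of the page, and the second blank line before the heading can go.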