Kubernetes Nginx ingress Controller Security Hardening

[muradmomani]

Is your feature request related to a problem? Please describe. I'm following CIS Benchmark documents for hardening Nginx, this seems easy and simple for standalone Nginx -downloaded through Nginx packages or Linux packages as well-, but when it comes to Kubernetes Nginx deployed using helm charts or other methods I found i hard to mirror those security hardening from the CIS Benchmark document to the ingress controller, like files and directory permissions, user accounts, and network configuration.

Describe the solution you'd like Is there any security hardening document suggested from your side as that supported by CIS Benchmark that is suitable for the ingress controller! or any other way to reflect those hardening from the CIS benchmark to the Nginx controller?

Describe alternatives you've considered I tried to follow the CIS document on the Nginx controller but it seems wired and no sense for some points.

Additional context Add any other context or screenshots about the feature request here.

Aha! Link: https://nginx.aha.io/features/IC-107

[pleshakov]

Hi @muradmomani

Is there any security hardening document suggested from your side as that supported by CIS Benchmark that is suitable for the ingress controller! or any other way to reflect those hardening from the CIS benchmark to the Nginx controller?

Unfortunately, we don't provide anything like that for the Ingress Controller.

At the same time, It should be possible to use ConfigMaps, annotations and custom templates to customize/fine-tune the security-related NGINX configuration (like disabling server tokens or configuring SSL ciphers).

[muradmomani]

HI @pleshakov

Thanks for your response,

yes that right we can fine-tune the configuration by configmaps, but regarding other configuration like file permissions and the user who runes the Nginx for privilege issues, how this handled?

Also, I would like to recommend if there is security documentation for the Nginx ingress controller for Kubernetes the describes the current security posture and what Nginx supports for that as you know the security, especially for Kubernetes and its component, is very important.

Thanks.

[timdeluxe]

Hi, from one of our customers we got the request to apply the CIS Benchmark recommendations to the nginx ingress solution. I went through each of the single points there and looked, if nginx ingress implemented it as default, if an action is possible by configuration (through configmaps, annotations or templates) or if a modification of the "core" code would be required. It is not 100% clean/done yet, but i would like to provide it publicly.

@pleshakov: Is there any place in the repo(s), where it would make sense? If yes i would provide a PR. If not i will publish it in an own repo...

[pleshakov]

Hi @timdeluxe

I think your knowledge could be helpful for the community. However, this seems like a specialized topic, so not sure if it makes sense to put that in our docs or examples.

Perhaps it would be appropriate to keep this issue open and have a link to your repo? Additionally, we can also create a section in our docs for links to external guides, so we can link to your guide.

What do you think?

[muradmomani]

@timdeluxe Hi, Thanks for your efforts, after this issue I went to checked all the points of CIS Benchmark and made a document with each point, and if there a possible configuration or implemented by default, it not also completed but at the same time it may be helpful. Also would like to check your one which will help the community, Thanks for your efforts.

[timdeluxe]

@pleshakov Sounds like a good plan! Will inform here, once a repo with a document is pushed/public.

@muradmomani Sounds good, because my research is not 100% complete - so maybe we can complement each other. Unfortunately i needed to park the topic a bit, because other topics became more urgent. Will be a question of days/weeks. I will update here once there is something.

[timdeluxe]

In the meantime i had the chance to work on this.

I now published a markdown document: https://github.com/dodevops/k8s-ingress-nginx-hardening It is not complete yet, there are still open topics marked with question marks. Pull requests are welcome @muradmomani :)

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[brianehlert]

I believe the spirit of this has been addresses with the capabilities of removing elevated privileges and the option for readOnlyRootFileSystem Beyond that, any customer can harden their own image and use that as the base image to build their image. That is commonly where CIS hardening comes to play.