From 6a86b395e7dbe9553663e75e3d463abd2b7373cf Mon Sep 17 00:00:00 2001 From: Saylor Berman Date: Mon, 28 Aug 2023 10:55:39 -0600 Subject: [PATCH 1/2] Ensure NKG has least privileges Problem: NKG wasn't running with the least privileges necessary, which could lead to potential security issues. Solution: Remove unnecessary RBAC, and add security restrictions where necessary. --- conformance/provisioner/static-deployment.yaml | 3 +++ conformance/tests/conformance-rbac.yaml | 1 + deploy/helm-chart/templates/deployment.yaml | 3 +++ deploy/helm-chart/templates/rbac.yaml | 7 ------- deploy/manifests/nginx-gateway.yaml | 10 +++------- 5 files changed, 10 insertions(+), 14 deletions(-) diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index b5e25bc37b..96270fd823 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -41,11 +41,13 @@ spec: imagePullPolicy: Always name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -82,6 +84,7 @@ spec: shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} diff --git a/conformance/tests/conformance-rbac.yaml b/conformance/tests/conformance-rbac.yaml index 3378881af0..a67e8726a6 100644 --- a/conformance/tests/conformance-rbac.yaml +++ b/conformance/tests/conformance-rbac.yaml @@ -27,6 +27,7 @@ rules: - deployments verbs: - create + - update - delete - get - list diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index e89ba7bcb5..676e88a4e0 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml 
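Review bot: The container securityContext in the `@@ -41,11 +41,13 @@` hunk still has no seccomp profile, so even with allowPrivilegeEscalation and readOnlyRootFilesystem set the pod does not satisfy the Kubernetes `restricted` Pod Security Standard that these fields are reaching for. Adding `seccompProfile:` with `type: RuntimeDefault` beside `runAsNonRoot: true` in the pod-level securityContext of the `@@ -82,6 +84,7 @@` hunk covers every container at once; the same gap exists in the corresponding hunks of deploy/helm-chart/templates/deployment.yaml and deploy/manifests/nginx-gateway.yaml. The retained `add: - KILL` under a `drop: - ALL` also deserves a why-comment now that this is explicitly a least-privilege pass, e.g. `# KILL: needed to signal the nginx process that shares the pod's PID namespace` — that reason is inferred from `shareProcessNamespace: true` in the next hunk, so confirm it before committing the wording.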
@@ -36,11 +36,13 @@ spec: imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }} name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -77,6 +79,7 @@ spec: shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} diff --git a/deploy/helm-chart/templates/rbac.yaml b/deploy/helm-chart/templates/rbac.yaml index 6bb156898f..0c245f4ee5 100644 --- a/deploy/helm-chart/templates/rbac.yaml +++ b/deploy/helm-chart/templates/rbac.yaml @@ -48,13 +48,6 @@ rules: verbs: - list - watch -- apiGroups: - - gateway.nginx.org - resources: - - gatewayconfigs - verbs: - - list - - watch - apiGroups: - gateway.networking.k8s.io resources: diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index 2036234985..a160c94bbd 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -59,13 +59,6 @@ rules: verbs: - list - watch -- apiGroups: - - gateway.nginx.org - resources: - - gatewayconfigs - verbs: - - list - - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -149,11 +142,13 @@ spec: imagePullPolicy: Always name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -190,6 +185,7 @@ spec: shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} From 44113410c4f2a470a4305fdc7e1b2a33127b63ee Mon Sep 17 00:00:00 2001 
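Review bot: `readOnlyRootFilesystem: true` is added to the nginx-gateway container in the `@@ -36,11 +36,13 @@` hunk without any accompanying writable volume, whereas the second patch in this series adds nginx-cache and nginx-lib mounts only for the nginx container. The container's volumeMounts list continues outside the hunk, so confirm that every path this process writes at runtime (generated nginx configuration, any temporary files) is backed by a mounted volume; a read-only root filesystem fails at the first write rather than at admission, which is easy to miss in a conformance run. The same check applies to the `@@ -149,11 +142,13 @@` hunk of deploy/manifests/nginx-gateway.yaml and to the static conformance deployment.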
From: Saylor Berman Date: Tue, 29 Aug 2023 09:10:43 -0600 Subject: [PATCH 2/2] Read only filesystem --- conformance/provisioner/static-deployment.yaml | 9 +++++++++ conformance/tests/conformance-rbac.yaml | 1 - deploy/helm-chart/templates/deployment.yaml | 9 +++++++++ deploy/manifests/nginx-gateway.yaml | 9 +++++++++ 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index 96270fd823..184fb4c996 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -71,6 +71,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: @@ -80,6 +81,10 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: @@ -92,3 +97,7 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} diff --git a/conformance/tests/conformance-rbac.yaml b/conformance/tests/conformance-rbac.yaml index a67e8726a6..3378881af0 100644 --- a/conformance/tests/conformance-rbac.yaml +++ b/conformance/tests/conformance-rbac.yaml @@ -27,7 +27,6 @@ rules: - deployments verbs: - create - - update - delete - get - list diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index 676e88a4e0..d662174283 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml @@ -66,6 +66,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: 
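Review bot: The new nginx-cache and nginx-lib emptyDir volumes in the `@@ -92,3 +97,7 @@` hunk of conformance/provisioner/static-deployment.yaml have no `sizeLimit`, and with readOnlyRootFilesystem they become the only places nginx can write, so unbounded growth there consumes node ephemeral storage instead of being contained to the pod. A per-volume cap, `emptyDir:` followed by `sizeLimit: <SIZE_PLACEHOLDER>`, lets the kubelet evict the pod rather than letting the node fill up; the right size depends on the traffic profile, which this patch does not show. The same applies to the matching volumes in deploy/helm-chart/templates/deployment.yaml and deploy/manifests/nginx-gateway.yaml.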
@@ -75,6 +76,10 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }} shareProcessNamespace: true securityContext: @@ -87,4 +92,8 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} {{- end }} diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index a160c94bbd..3bd5059ecd 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -172,6 +172,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: @@ -181,6 +182,10 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: @@ -193,6 +198,10 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} --- # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1beta1
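Review bot: The nginx-cache and nginx-lib mounts added in the `@@ -75,6 +76,10 @@` hunk of deploy/helm-chart/templates/deployment.yaml carry no explanation of why they exist, and a reader of the rendered manifest will not see that they are the writable scratch directories required once readOnlyRootFilesystem is on. A comment on the first new mount, `# writable scratch dirs: required because the root filesystem is read-only`, and the same on the volumes in the `@@ -87,4 +92,8 @@` hunk would make the dependency explicit so nobody removes one without the other. deploy/manifests/nginx-gateway.yaml duplicates these edits by hand; the `# Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml` marker visible at the end of that file suggests it is rendered from the chart, in which case regenerating it rather than hand-editing keeps the two from drifting (inferred from that marker, not shown directly).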