Ensure NKG has least privileges (#1004)

Problem: NKG wasn't running with the least privileges necessary, which could lead to potential security issues. Solution: Remove unnecessary RBAC, and add security restrictions where necessary.
nginx · Aug 29, 2023 · 3ce86fb · 3ce86fb
1 parent 5e25be3
commit 3ce86fb
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 14 deletions.
diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml
@@ -41,11 +41,13 @@ spec:
         imagePullPolicy: Always
         name: nginx-gateway
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             add:
             - KILL
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 102
           runAsGroup: 1001
         volumeMounts:
@@ -69,6 +71,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -78,14 +81,23 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
       securityContext:
         fsGroup: 1001
+        runAsNonRoot: true
       volumes:
       - name: nginx-conf
         emptyDir: {}
       - name: nginx-secrets
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml
@@ -36,11 +36,13 @@ spec:
         imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }}
         name: nginx-gateway
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             add:
             - KILL
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 102
           runAsGroup: 1001
         volumeMounts:
@@ -64,6 +66,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -73,15 +76,24 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }}
       shareProcessNamespace: true
       securityContext:
         fsGroup: 1001
+        runAsNonRoot: true
       volumes:
       - name: nginx-conf
         emptyDir: {}
       - name: nginx-secrets
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
 {{- end }}
diff --git a/deploy/helm-chart/templates/rbac.yaml b/deploy/helm-chart/templates/rbac.yaml
@@ -48,13 +48,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - gateway.nginx.org
-  resources:
-  - gatewayconfigs
-  verbs:
-  - list
-  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:

diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml
@@ -59,13 +59,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - gateway.nginx.org
-  resources:
-  - gatewayconfigs
-  verbs:
-  - list
-  - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -149,11 +142,13 @@ spec:
         imagePullPolicy: Always
         name: nginx-gateway
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             add:
             - KILL
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 102
           runAsGroup: 1001
         volumeMounts:
@@ -177,6 +172,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -186,17 +182,26 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
       securityContext:
         fsGroup: 1001
+        runAsNonRoot: true
       volumes:
       - name: nginx-conf
         emptyDir: {}
       - name: nginx-secrets
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
 ---
 # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1beta1