Configure IC root filesystem as read-only (#3548)

Allow configuring IC root filesystem as read-only

The Nginx Ingress Controller has various protections against attacks,
such as running the service as non-root to avoid changes to files.
An additional industry best practice is having root filesystems set
as read-only so that the attack surface is further reduced by limiting
changes to binaries and libraries. This commit ensures such a defense
in depth is enabled for the Nginx Ingress Controller.

To accomplish read-only rootfs, we will create emptyDir Volumes for
- `/etc/nginx`
- `/var/cache/nginx`
- `/var/lib/nginx`
- `/var/log/nginx`

We populate `/etc` mount with an Init Container, as there are generic
configuration files here. If the base image is updated via Helm chart,
then Init Container will pull files from the new base image.

The other three empty volumes are populated during runtime, as they
are not expected to have valuable files as part of base image:
- `/var/cache` mount will be used in case caching is enabled.
- `/var/lib` is used for some sockets and temporary files.
- `/var/log` is used for logging in the default configuration.

By default, the emptyDir will be persisted as long as the Pod is not
disposed of. Simple Pod crashes will retain the data.

There is no maximum size limit implemented currently, but may be added
at some point in time as a further protection. For improved performance,
cache could be moved to ram tmpfs as well (currently backed by disk).

Do note, the initial commit does not set read-only root filesystem
as default. Instead, this is an opt-in feature available on the chart.
Users of non-Helm YAML manifests need to manually uncomment the
aforementioned volumes and initContainers.

Co-authored-by: Shaun <[email protected]>

Author: sigv

deployments/daemon-set/nginx-ingress.yaml

@@ -22,9 +22,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx/nginx-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -54,10 +64,20 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -76,3 +96,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/daemon-set/nginx-plus-ingress.yaml

@@ -22,9 +22,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx-plus-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -54,10 +64,20 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -79,3 +99,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/deployment/nginx-ingress.yaml

@@ -23,9 +23,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx/nginx-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -53,11 +63,21 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -78,3 +98,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/deployment/nginx-plus-ingress.yaml

@@ -23,9 +23,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx-plus-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -55,11 +65,21 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -84,3 +104,19 @@ spec:
          #- -enable-prometheus-metrics
          #- -enable-service-insight
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/helm-chart/README.md

@@ -281,6 +281,7 @@ Parameter | Description | Default
 `controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0
 `controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {}
 `controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false
+`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false
 `rbac.create` | Configures RBAC. | true
 `prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true
 `prometheus.port` | Configures the port to scrape the metrics. | 9113

deployments/helm-chart/templates/controller-daemonset.yaml

@@ -45,6 +45,9 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+{{- if .Values.controller.readOnlyRootFilesystem }}
+        fsGroup: 101 #nginx
+{{- end }}
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
@@ -61,9 +64,19 @@ spec:
       affinity:
 {{ toYaml .Values.controller.affinity | indent 8 }}
 {{- end }}
-{{- if or .Values.controller.volumes .Values.nginxServiceMesh.enable }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.nginxServiceMesh.enable .Values.controller.volumes }}
       volumes:
 {{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+      - name: nginx-etc
+        emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
+      - name: nginx-log
+        emptyDir: {}
+{{- end }}
 {{- if .Values.nginxServiceMesh.enable }}
       - hostPath:
           path: /run/spire/sockets
@@ -116,14 +129,25 @@ spec:
 {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
-{{- if or .Values.controller.volumeMounts .Values.nginxServiceMesh.enable }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.nginxServiceMesh.enable .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+        - mountPath: /etc/nginx
+          name: nginx-etc
+        - mountPath: /var/cache/nginx
+          name: nginx-cache
+        - mountPath: /var/lib/nginx
+          name: nginx-lib
+        - mountPath: /var/log/nginx
+          name: nginx-log
+{{- end }}
 {{- if .Values.nginxServiceMesh.enable }}
         - mountPath: /run/spire/sockets
           name: spire-agent-socket
@@ -239,8 +263,28 @@ spec:
 {{- if .Values.controller.extraContainers }}
       {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
+      initContainers:
+{{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+      - name: init-{{ include "nginx-ingress.name" . }}
+        image: {{ include "nginx-ingress.image" . }}
+        imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 101 #nginx
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /mnt/etc
+          name: nginx-etc
+{{- end }}
 {{- if .Values.controller.initContainers }}
-      initContainers: {{ toYaml .Values.controller.initContainers | nindent 8 }}
+{{ toYaml .Values.controller.initContainers | indent 6 }}
 {{- end }}
 {{- if .Values.controller.strategy }}
   updateStrategy: