Update docs

Author: jjngx

site/content/configuration/security.md

@@ -37,9 +37,9 @@ By default, the ServiceAccount has access to all Secret resources in the cluster
  This feature is compatible with [NGINX App Protect WAFv5](https://docs.nginx.com/nginx-app-protect-waf-v5/). It is not compatible with [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) or [NGINX App Protect DoS](https://docs.nginx.com/nginx-app-protect-dos/).
 {{< /caution >}}
 
-NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all three containers: `nginx-ingress-controller`, `waf-enforcer` and `waf-config-mgr` to read-only, so that the attack surface is further reduced by limiting changes to binaries and libraries.
+NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when NGINX App Protect WAFv5 is in use.  This is so that the attack surface is further reduced by limiting changes to binaries and libraries.
 
-This is not enabled by default, but can be enabled with **Helm** using the [**controller.readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument, and in security contexts in both: `waf_enforcer` [**controller.appprotect.enforcer.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) and `waf_config_mgr` [**controller.appprotect.configManager.securityContext{}**]({{ < relref "installation/installing-nic/installation-with-helm.md#configuration" >}}).
+This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< relref "installation/installing-nic/installation-with-helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`.
 
 For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers:
 

site/content/installation/integrations/app-protect-waf-v5/installation.md

@@ -220,6 +220,26 @@ controller:
 
 ### Configuring `readOnlyRootFilesystem`
 
+Create required volumes:
+
+```yaml
+volumes:
+  - name: nginx-etc
+    emptyDir: {}
+  - name: nginx-cache
+    emptyDir: {}
+  - name: nginx-lib
+    emptyDir: {}
+  - name: nginx-log
+    emptyDir: {}
+  - emptyDir: {}
+    name: app-protect-bd-config
+  - emptyDir: {}
+    name: app-protect-config
+  - emptyDir: {}
+    name: app-protect-bundles
+```
+
 Set `controller.securityContext.readOnlyRootFilesystem` to `true`.
 
 Example Helm values:
@@ -384,8 +404,32 @@ Add `readOnlyRootFilesystem` to the NIC container and set valut to `true` as bel
   name: nginx-plus-ingress
   ...
   securityContext:
+    allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_BIND_SERVICE
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 101
     readOnlyRootFilesystem: true
-    ...
+  ...
+  volumeMounts:
+    - mountPath: /etc/nginx
+      name: nginx-etc
+    - mountPath: /var/cache/nginx
+      name: nginx-cache
+    - mountPath: /var/lib/nginx
+      name: nginx-lib
+    - mountPath: /var/log/nginx
+      name: nginx-log
+    - mountPath: /opt/app_protect/bd_config
+      name: app-protect-bd-config
+    - mountPath: /opt/app_protect/config
+      name: app-protect-config
+    - mountPath: /etc/app_protect/bundles
+      name: app-protect-bundles
 ...
 ```