
Guide for permission issue when using NIC with NGINX Agent #7846

@0jsong

Description


Hi. I've been trying to use NGINX Agent with NIC to integrate NAP WAF v5 with NIM Security Monitoring. When I tried to run NGINX Agent with the -agent=true argument, I got this error:

level=fatal msg="Unable to load properties from config files (/etc/nginx-agent/nginx-agent.conf, /var/lib/nginx-agent/agent-dynamic.conf) - error attempting to open dynamic config (/var/lib/nginx-agent/agent-dynamic.conf): open /var/lib/nginx-agent/agent-dynamic.conf: permission denied"

This appears to happen because the NIC pod runs as user 101 (nginx) and doesn't have permission to read the /var/lib/nginx-agent directory.
So I changed the pod's security context (not the container's) to fsGroup: 101 and mounted an emptyDir at /var/lib/nginx-agent.

The following is the relevant part of the deployment.yaml:

spec:
  template:
    spec:
      # Pod-level security context. fsGroup makes the kubelet set the group
      # ownership of the mounted volumes it manages (emptyDir, configMap, and
      # PVCs whose driver supports it) to GID 101 and mark them group-writable,
      # so the nginx user (UID 101) can create and read agent-dynamic.conf.
      securityContext:
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: nginx-plus-ingress
        args:
        - -nginx-plus
        - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
        - -mgmt-configmap=$(POD_NAMESPACE)/nginx-config-mgmt
        # Activate NGINX Agent
        - -agent=true
        - -agent-instance-group=nginx-ingress
        - -report-ingress-status
        - -external-service=nginx-ingress
        - -enable-app-protect
        - -enable-prometheus-metrics
        - -global-configuration=$(POD_NAMESPACE)/nginx-configuration
        - -log-level=error
        # Container-level constraints are unchanged: run as non-root UID 101,
        # no privilege escalation, every capability dropped except
        # NET_BIND_SERVICE, which is needed to bind ports 80/443 as non-root.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 101
        volumeMounts:
        - mountPath: /opt/app_protect/bd_config
          name: app-protect-bd-config
        - mountPath: /opt/app_protect/config
          name: app-protect-config
        - mountPath: /etc/app_protect/bundles
          name: app-protect-bundles
        # Static agent config from a ConfigMap, mounted as a single file
        - mountPath: /etc/nginx-agent/nginx-agent.conf
          name: agent-config
          subPath: nginx-agent.conf
        # Writable directory for the agent's dynamic config (agent-dynamic.conf)
        - mountPath: /var/lib/nginx-agent
          name: agent-lib-dir
      volumes:
      - name: app-protect-bd-config
        emptyDir: {}
      - name: app-protect-config
        emptyDir: {}
      - name: app-protect-bundles
        persistentVolumeClaim:
          claimName: waf-bundle-pvc
      - name: agent-config
        configMap:
          name: agent-config
      # emptyDir backing /var/lib/nginx-agent; its ownership is set by fsGroup above
      - name: agent-lib-dir
        emptyDir: {}


If there's a better solution for this, please let me know. It would also be nice to have a guide for using NIC with NGINX Agent.

Labels: proposal (an issue that proposes a feature request), waiting for response (waiting for the author's response)