1 file changed +4 -3 lines changed
@@ -18,9 +18,10 @@ NGINX Gateway Fabric uses a **split-plane architecture** where control and data
This split requires different security contexts because:
- - ** Control plane** needs Kubernetes API access to manage resources but never handles user traffic
+ - ** Control plane** needs Kubernetes API access to manage data plane deployments but never handles user traffic
- ** Data plane** processes user traffic but never accesses Kubernetes APIs directly
- - Both planes communicate securely via TLS, eliminating the need for shared filesystem access or elevated privileges
+ - ** Secure communication** : Control plane sends NGINX configuration to data plane via gRPC over mTLS (port 8443)
+ - ** Isolated deployment** : Each plane runs in separate pods with independent security contexts
## Control Plane
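Review bot: The new "Isolated deployment" bullet restates the sentence that introduces the list ("requires different security contexts because ... independent security contexts") rather than giving a reason, while the removed line carried the actual justification ("eliminating the need for shared filesystem access or elevated privileges"). Suggest keeping that rationale, e.g. "Isolated deployment: each plane runs in its own pod with its own security context, so neither needs a shared filesystem or elevated privileges." Also consider aligning the new "Secure communication" bullet with the second hunk, which adds "(TLS 1.3+)" to the same mTLS gRPC channel: state the port and the TLS version in one place so the two descriptions do not drift.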
@@ -160,4 +161,4 @@ The split-plane architecture enables a defense-in-depth security model:
- ** Read-only root** : Prevents runtime modifications to container filesystems
- ** Ephemeral storage** : Writable data uses temporary volumes, not persistent storage
- ** Least privilege RBAC** : Control plane gets only required Kubernetes permissions; data plane needs no RBAC
- - ** Secure inter-plane communication** : TLS -encrypted gRPC between control and data planes
+ - ** Secure inter-plane communication** : mTLS -encrypted gRPC (TLS 1.3+) between control and data planes
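Review bot: "TLS 1.3+" is imprecise, since 1.3 is the current highest TLS version; write "TLS 1.3" (or "minimum TLS 1.3" if the intent is a floor enforced in configuration). Changing "TLS" to "mTLS" here also means the data plane must present its own client certificate, which interacts with the neighbouring bullets ("data plane needs no RBAC", "writable data uses temporary volumes"): the section should say how each plane's certificate is provisioned and rotated so a reader can confirm the least-privilege and ephemeral-storage claims still hold.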