Configure IC root filesystem as read-only

deployments/daemon-set/nginx-ingress.yaml

@@ -22,9 +22,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx/nginx-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -54,10 +64,20 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -76,3 +96,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/daemon-set/nginx-plus-ingress.yaml

@@ -22,9 +22,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx-plus-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -54,10 +64,20 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -79,3 +99,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/deployment/nginx-ingress.yaml

@@ -23,9 +23,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx/nginx-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -53,11 +63,21 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -78,3 +98,19 @@ spec:
          #- -external-service=nginx-ingress
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/deployment/nginx-plus-ingress.yaml

@@ -23,9 +23,19 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+#        fsGroup: 101 #nginx
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
       containers:
       - image: nginx-plus-ingress:3.0.2
         imagePullPolicy: IfNotPresent
@@ -55,11 +65,21 @@ spec:
          #  memory: "1Gi"
         securityContext:
           allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -84,3 +104,19 @@ spec:
          #- -enable-prometheus-metrics
          #- -enable-service-insight
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+#      initContainers:
+#      - image: nginx/nginx-ingress:3.0.2
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc

deployments/helm-chart/README.md

@@ -281,6 +281,7 @@ Parameter | Description | Default
 `controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0
 `controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {}
 `controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false
+`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false
 `rbac.create` | Configures RBAC. | true
 `prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true
 `prometheus.port` | Configures the port to scrape the metrics. | 9113

deployments/helm-chart/templates/controller-daemonset.yaml

@@ -45,6 +45,9 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+{{- if .Values.controller.readOnlyRootFilesystem }}
+        fsGroup: 101 #nginx
+{{- end }}
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
@@ -61,9 +64,19 @@ spec:
       affinity:
 {{ toYaml .Values.controller.affinity | indent 8 }}
 {{- end }}
-{{- if or .Values.controller.volumes .Values.nginxServiceMesh.enable }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.nginxServiceMesh.enable .Values.controller.volumes }}
       volumes:
 {{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+      - name: nginx-etc
+        emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
+      - name: nginx-log
+        emptyDir: {}
+{{- end }}
 {{- if .Values.nginxServiceMesh.enable }}
       - hostPath:
           path: /run/spire/sockets
@@ -116,14 +129,25 @@ spec:
 {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
           runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
-{{- if or .Values.controller.volumeMounts .Values.nginxServiceMesh.enable }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.nginxServiceMesh.enable .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+        - mountPath: /etc/nginx
+          name: nginx-etc
+        - mountPath: /var/cache/nginx
+          name: nginx-cache
+        - mountPath: /var/lib/nginx
+          name: nginx-lib
+        - mountPath: /var/log/nginx
+          name: nginx-log
+{{- end }}
 {{- if .Values.nginxServiceMesh.enable }}
         - mountPath: /run/spire/sockets
           name: spire-agent-socket
@@ -239,8 +263,28 @@ spec:
 {{- if .Values.controller.extraContainers }}
       {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
+{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
+      initContainers:
+{{- end }}
+{{- if .Values.controller.readOnlyRootFilesystem }}
+      - name: init-{{ include "nginx-ingress.name" . }}
+        image: {{ include "nginx-ingress.image" . }}
+        imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 101 #nginx
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /mnt/etc
+          name: nginx-etc
+{{- end }}
 {{- if .Values.controller.initContainers }}
-      initContainers: {{ toYaml .Values.controller.initContainers | nindent 8 }}
+{{ toYaml .Values.controller.initContainers | indent 6 }}
 {{- end }}
 {{- if .Values.controller.strategy }}
   updateStrategy: