diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index 35e6be87f2..b640d33e4d 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -155,8 +155,6 @@ If the hashed keys match, the NGINX JavaScript (NJS) subrequest issues a 204 No
 It is possible to use the [errorPages](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) property on a route, to change the default behaviour of 401 or 403 errors.
-An API Key policy can be disabled on a route by adding the [location snippet](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#using-snippets) `auth_request off;`
-
 At least one header or query param is required. The policy below configures NGINX Ingress Controller to require the API Key `password` in the header "my-header".
diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md
index 85a61d4c12..a5fda9c72d 100644
--- a/docs/content/usage-reporting.md
+++ b/docs/content/usage-reporting.md
@@ -117,6 +117,10 @@ Download and save the deployment file [cluster-connector.yaml](https://raw.githu
 - `-nms-server-address` should be the address of the Usage Reporting API, which will be the combination of NGINX Management Suite server hostname and the URI `api/platform/v1`
 - `nms-basic-auth-secret` should be the namespace/name of the secret created in step 3: `nginx-cluster-connector/nms-basic-auth`.
+{{< note >}} OpenShift requires a SecurityContextConstraints object for NGINX Cluster Connector.
+
+It can be created with the command `oc create -f scc.yaml`, using the file found in `shared-examples/` {{< /note >}}
+
 For more information, read the [Command-line arguments](#command-line-arguments) section of this page.
 ---
diff --git a/examples/custom-resources/api-key/README.md b/examples/custom-resources/api-key/README.md
index 4a206afd02..c1ca8c0922 100644
--- a/examples/custom-resources/api-key/README.md
+++ b/examples/custom-resources/api-key/README.md
@@ -6,8 +6,7 @@ a web application, configure load balancing for it via a VirtualServer, and appl
 ## Prerequisites
-1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
- instructions to deploy the Ingress Controller. In this example we will be using a snippet to turn the policy off on a specific path so ensure that the `enable-snippets` flag is set.
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
 1. Save the public IP address of the Ingress Controller into a shell variable:
 ```console
@@ -105,18 +104,4 @@ URI: /coffee
 Request ID: 4feedb3265a0430a1f58831d016e846d
 ```
-If you attempt to access the /tea path, the request will be allowed without an API Key, because the auth_request directive is turned off for that path with a location snippet:
-
-```console
-curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea
-```
-
-```text
-Server address: 10.244.0.5:8080
-Server name: tea-596697966f-dmq7t
-Date: 13/Jun/2024:13:16:46 +0000
-URI: /tea
-Request ID: 26e6d7dd0272eca82f31f33bf90698c9
-```
-
 Additionally you can set [error pages](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) to handle the 401 and 403 responses.
diff --git a/examples/custom-resources/api-key/cafe-virtual-server.yaml b/examples/custom-resources/api-key/cafe-virtual-server.yaml
index b523112eb6..032cb9bc46 100644
--- a/examples/custom-resources/api-key/cafe-virtual-server.yaml
+++ b/examples/custom-resources/api-key/cafe-virtual-server.yaml
@@ -12,15 +12,7 @@ spec:
 - name: coffee
 service: coffee-svc
 port: 80
- - name: tea
- service: tea-svc
- port: 80
 routes:
 - path: /coffee
 action:
 pass: coffee
- - path: /tea
- location-snippets: |
- auth_request off;
- action:
- pass: tea
diff --git a/examples/custom-resources/api-key/cafe.yaml b/examples/custom-resources/api-key/cafe.yaml
index f049e8bf29..6e0ea4614e 100644
--- a/examples/custom-resources/api-key/cafe.yaml
+++ b/examples/custom-resources/api-key/cafe.yaml
@@ -30,36 +30,3 @@ spec:
 name: http
 selector:
 app: coffee
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tea
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tea
- template:
- metadata:
- labels:
- app: tea
- spec:
- containers:
- - name: tea
- image: nginxdemos/nginx-hello:plain-text
- ports:
- - containerPort: 8080
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tea-svc
-spec:
- ports:
- - port: 80
- targetPort: 8080
- protocol: TCP
- name: http
- selector:
- app: tea
diff --git a/examples/shared-examples/usage-reporting/cluster-connector.yaml b/examples/shared-examples/usage-reporting/cluster-connector.yaml
index f51aba51cf..005d977ae3 100644
--- a/examples/shared-examples/usage-reporting/cluster-connector.yaml
+++ b/examples/shared-examples/usage-reporting/cluster-connector.yaml
@@ -14,65 +14,76 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: nginx-cluster-connector
 rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - list
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - update
- - create
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - list
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+- apiGroups:
+ - security.openshift.io
+ verbs:
+ - create
+ - delete
+ - get
+ - use
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - nginx-cluster-connector
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: nginx-cluster-connector
 subjects:
- - kind: ServiceAccount
- name: nginx-cluster-connector
- namespace: nginx-cluster-connector
+- kind: ServiceAccount
+ name: nginx-cluster-connector
+ namespace: nginx-cluster-connector
 roleRef:
 kind: ClusterRole
 name: nginx-cluster-connector
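Review bot: The new `security.openshift.io` rule grants `create` and `delete` on the `nginx-cluster-connector` SCC, but Kubernetes RBAC does not apply `resourceNames` to `create` requests, so that verb carries no name scoping, and the usage-reporting docs in this same commit have the operator create the object with `oc create -f scc.yaml`, so the connector should not need to create or delete it at all. Pod admission under an SCC only needs `use`, so trimming the verbs to `- get` and `- use` keeps the ClusterRole at least privilege. The new scc.yaml also lists the service account under `users:`, so the SCC is granted by two independent paths; one is enough and easier to audit. Most of this hunk re-indents the existing rules from indented to flush sequence style, which buries the one functional addition; a separate formatting commit would make the permission change reviewable on its own.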
@@ -95,8 +106,11 @@ spec:
 spec:
 serviceAccountName: nginx-cluster-connector
 automountServiceAccountToken: true
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
- - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.1.0
+ - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.2.0
 imagePullPolicy: IfNotPresent
 name: nginx-cluster-connector
 resources:
@@ -107,6 +121,7 @@ spec:
 # cpu: "1"
 # memory: "1Gi"
 securityContext:
+ allowPrivilegeEscalation: false
 runAsUser: 101 #nginx
 runAsNonRoot: true
 capabilities:
diff --git a/examples/shared-examples/usage-reporting/scc.yaml b/examples/shared-examples/usage-reporting/scc.yaml
new file mode 100644
index 0000000000..6f908c31eb
--- /dev/null
+++ b/examples/shared-examples/usage-reporting/scc.yaml
@@ -0,0 +1,30 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: nginx-cluster-connector
+allowPrivilegedContainer: false
+runAsUser:
+ type: MustRunAs
+ uid: 101
+seLinuxContext:
+ type: MustRunAs
+fsGroup:
+ type: MustRunAs
+supplementalGroups:
+ type: MustRunAs
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+seccompProfiles:
+- runtime/default
+volumes:
+ - secret
+requiredDropCapabilities:
+ - ALL
+users:
+ - 'system:serviceaccount:*:nginx-cluster-connector'
+allowedCapabilities:
+ - NET_BIND_SERVICE
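Review bot: The image bump to `cluster-connector:0.2.0` keeps a mutable tag combined with the existing `imagePullPolicy: IfNotPresent`, so what actually runs depends on whatever a node already has cached under that tag rather than on a verified artifact; pinning the digest, `image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.2.0@sha256:<digest-placeholder>`, makes the example reproducible and tamper-evident. The pod-level `seccompProfile: RuntimeDefault` added above it is consistent with the `runtime/default` profile listed in the new scc.yaml.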
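Review bot: `allowPrivilegeEscalation: false` is added, but the visible container securityContext does not set `readOnlyRootFilesystem: true`, and the new scc.yaml leaves `readOnlyRootFilesystem: false`, so the root filesystem stays writable; if the connector does not write locally, add `readOnlyRootFilesystem: true` beside the new line. The securityContext block continues past the hunk after `capabilities:`, so this may already be set further down and is worth confirming rather than assuming.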
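Review bot: `users:` grants this SCC to `system:serviceaccount:*:nginx-cluster-connector`, i.e. any service account of that name in any namespace, whereas the ClusterRoleBinding in cluster-connector.yaml scopes its subject to `namespace: nginx-cluster-connector`; pin it, `- 'system:serviceaccount:nginx-cluster-connector:nginx-cluster-connector'`, or drop `users:` entirely now that the ClusterRole grants `use` on this SCC by name. `allowedCapabilities: - NET_BIND_SERVICE` is a grant the connector's Deployment does not visibly require (it runs as uid 101 and its `capabilities:` block is outside this diff), so confirm it is needed before keeping it. `readOnlyRootFilesystem: false` leaves the root filesystem writable, which sits oddly next to `requiredDropCapabilities: ALL` and the `allowPrivilegeEscalation: false` added in the Deployment; `true` would match that intent. Sequence indentation is mixed (`seccompProfiles:` flush, `volumes:`/`users:` indented) and the file has no `---` document start; pick one sequence style file-wide.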