<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/ rel=canonical><link href=../upgrade/ rel=prev><link href=../../user-guide/nginx-configuration/ rel=next><link rel=icon href=../../assets/images/favicon.png><meta name=generator content="mkdocs-1.5.3, mkdocs-material-9.4.5"><title>Hardening guide - Ingress-Nginx Controller</title><link rel=stylesheet href=../../assets/stylesheets/main.6a10b989.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.356b1318.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><link rel=stylesheet href=../../extra.css><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#hardening-guide class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class="md-header md-header--shadow md-header--lifted" data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. 
title="Ingress-Nginx Controller" class="md-header__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Ingress-Nginx Controller </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Hardening guide </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg 
xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class=md-search__options aria-label=Search> <button type=reset class="md-search__icon md-icon" title=Clear aria-label=Clear tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class=md-search__output> <div class=md-search__scrollwrap data-md-scrollfix> <div class=md-search-result data-md-component=search-result> <div class=md-search-result__meta> Initializing search </div> <ol class=md-search-result__list role=presentation></ol> </div> </div> </div> </div> </div> <div class=md-header__source> <a href=https://github.com/kubernetes/ingress-nginx title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.4.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class=md-source__repository> kubernetes/ingress-nginx </div> </a> </div> </nav> <nav class=md-tabs aria-label=Tabs data-md-component=tabs> <div class=md-grid> <ul class=md-tabs__list> <li class=md-tabs__item> <a href=../.. 
class=md-tabs__link> Welcome </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href=../ class=md-tabs__link> Deployment </a> </li> <li class=md-tabs__item> <a href=../../user-guide/nginx-configuration/ class=md-tabs__link> User Guide </a> </li> <li class=md-tabs__item> <a href=../../examples/ class=md-tabs__link> Examples </a> </li> <li class=md-tabs__item> <a href=../../developer-guide/getting-started/ class=md-tabs__link> Developer Guide </a> </li> <li class=md-tabs__item> <a href=../../faq/ class=md-tabs__link> FAQ </a> </li> </ul> </div> </nav> </header> <div class=md-container data-md-component=container> <main class=md-main data-md-component=main> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component=sidebar data-md-type=navigation> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label=Navigation data-md-level=0> <label class=md-nav__title for=__drawer> <a href=../.. 
title="Ingress-Nginx Controller" class="md-nav__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Ingress-Nginx Controller </label> <div class=md-nav__source> <a href=https://github.com/kubernetes/ingress-nginx title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.4.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class=md-source__repository> kubernetes/ingress-nginx </div> </a> </div> <ul class=md-nav__list data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_1> <label class=md-nav__link for=__nav_1 id=__nav_1_label tabindex> <span class=md-ellipsis> Welcome </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_1_label aria-expanded=false> <label class=md-nav__title for=__nav_1> <span class="md-nav__icon md-icon"></span> Welcome </label> <ul class=md-nav__list data-md-scrollfix> <li 
class=md-nav__item> <a href=../.. class=md-nav__link> <span class=md-ellipsis> Welcome </span> </a> </li> <li class=md-nav__item> <a href=../../how-it-works/ class=md-nav__link> <span class=md-ellipsis> How it works </span> </a> </li> <li class=md-nav__item> <a href=../../troubleshooting/ class=md-nav__link> <span class=md-ellipsis> Troubleshooting </span> </a> </li> <li class=md-nav__item> <a href=../../kubectl-plugin/ class=md-nav__link> <span class=md-ellipsis> kubectl plugin </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2 checked> <label class=md-nav__link for=__nav_2 id=__nav_2_label tabindex> <span class=md-ellipsis> Deployment </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_2_label aria-expanded=true> <label class=md-nav__title for=__nav_2> <span class="md-nav__icon md-icon"></span> Deployment </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../ class=md-nav__link> <span class=md-ellipsis> Installation Guide </span> </a> </li> <li class=md-nav__item> <a href=../baremetal/ class=md-nav__link> <span class=md-ellipsis> Bare-metal considerations </span> </a> </li> <li class=md-nav__item> <a href=../rbac/ class=md-nav__link> <span class=md-ellipsis> Role Based Access Control (RBAC) </span> </a> </li> <li class=md-nav__item> <a href=../upgrade/ class=md-nav__link> <span class=md-ellipsis> Upgrade </span> </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type=checkbox id=__toc> <label class="md-nav__link md-nav__link--active" for=__toc> <span class=md-ellipsis> Hardening guide </span> <span class="md-nav__icon md-icon"></span> </label> <a href=./ class="md-nav__link md-nav__link--active"> <span class=md-ellipsis> Hardening guide </span> </a> <nav class="md-nav 
md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#overview class=md-nav__link> Overview </a> </li> <li class=md-nav__item> <a href=#configuration-guide class=md-nav__link> Configuration Guide </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3> <label class=md-nav__link for=__nav_3 id=__nav_3_label tabindex> <span class=md-ellipsis> User Guide </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_3_label aria-expanded=false> <label class=md-nav__title for=__nav_3> <span class="md-nav__icon md-icon"></span> User Guide </label> <ul class=md-nav__list data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3_1> <label class=md-nav__link for=__nav_3_1 id=__nav_3_1_label tabindex> <span class=md-ellipsis> NGINX Configuration </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_3_1_label aria-expanded=false> <label class=md-nav__title for=__nav_3_1> <span class="md-nav__icon md-icon"></span> NGINX Configuration </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../user-guide/nginx-configuration/ class=md-nav__link> <span class=md-ellipsis> Introduction </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/basic-usage/ class=md-nav__link> <span class=md-ellipsis> Basic usage </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/nginx-configuration/annotations/ class=md-nav__link> <span class=md-ellipsis> Annotations </span> </a> </li> <li class=md-nav__item> <a 
href=../../user-guide/nginx-configuration/annotations-risk/ class=md-nav__link> <span class=md-ellipsis> Annotations Risks </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/nginx-configuration/configmap/ class=md-nav__link> <span class=md-ellipsis> ConfigMap </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/nginx-configuration/custom-template/ class=md-nav__link> <span class=md-ellipsis> Custom NGINX template </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/nginx-configuration/log-format/ class=md-nav__link> <span class=md-ellipsis> Log format </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../user-guide/cli-arguments/ class=md-nav__link> <span class=md-ellipsis> Command line arguments </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/custom-errors/ class=md-nav__link> <span class=md-ellipsis> Custom errors </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/default-backend/ class=md-nav__link> <span class=md-ellipsis> Default backend </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/exposing-tcp-udp-services/ class=md-nav__link> <span class=md-ellipsis> Exposing TCP and UDP services </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/fcgi-services/ class=md-nav__link> <span class=md-ellipsis> Exposing FCGI services </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/ingress-path-matching/ class=md-nav__link> <span class=md-ellipsis> Regular expressions in paths </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/external-articles/ class=md-nav__link> <span class=md-ellipsis> External Articles </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/miscellaneous/ class=md-nav__link> <span class=md-ellipsis> Miscellaneous </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/monitoring/ class=md-nav__link> <span class=md-ellipsis> Prometheus and Grafana 
installation </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/multiple-ingress/ class=md-nav__link> <span class=md-ellipsis> Multiple Ingress controllers </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/tls/ class=md-nav__link> <span class=md-ellipsis> TLS/HTTPS </span> </a> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3_13> <label class=md-nav__link for=__nav_3_13 id=__nav_3_13_label tabindex> <span class=md-ellipsis> Third party addons </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_3_13_label aria-expanded=false> <label class=md-nav__title for=__nav_3_13> <span class="md-nav__icon md-icon"></span> Third party addons </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../user-guide/third-party-addons/modsecurity/ class=md-nav__link> <span class=md-ellipsis> ModSecurity Web Application Firewall </span> </a> </li> <li class=md-nav__item> <a href=../../user-guide/third-party-addons/opentelemetry/ class=md-nav__link> <span class=md-ellipsis> OpenTelemetry </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4> <label class=md-nav__link for=__nav_4 id=__nav_4_label tabindex> <span class=md-ellipsis> Examples </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4> <span class="md-nav__icon md-icon"></span> Examples </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../examples/ class=md-nav__link> <span class=md-ellipsis> Introduction </span> </a> </li> <li class=md-nav__item> <a href=../../examples/PREREQUISITES/ class=md-nav__link> <span 
class=md-ellipsis> Prerequisites </span> </a> </li> <li class=md-nav__item> <a href=../../examples/affinity/cookie/ class=md-nav__link> <span class=md-ellipsis> Sticky Sessions </span> </a> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4_4> <label class=md-nav__link for=__nav_4_4 id=__nav_4_4_label tabindex> <span class=md-ellipsis> Auth </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_4_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4_4> <span class="md-nav__icon md-icon"></span> Auth </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../examples/auth/basic/ class=md-nav__link> <span class=md-ellipsis> Basic Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../examples/auth/client-certs/ class=md-nav__link> <span class=md-ellipsis> Client Certificate Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../examples/auth/external-auth/ class=md-nav__link> <span class=md-ellipsis> External Basic Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../examples/auth/oauth-external-auth/ class=md-nav__link> <span class=md-ellipsis> External OAUTH Authentication </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4_5> <label class=md-nav__link for=__nav_4_5 id=__nav_4_5_label tabindex> <span class=md-ellipsis> Customization </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_4_5_label aria-expanded=false> <label class=md-nav__title for=__nav_4_5> <span class="md-nav__icon md-icon"></span> Customization </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a 
href=../../examples/customization/configuration-snippets/ class=md-nav__link> <span class=md-ellipsis> Configuration Snippets </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/custom-configuration/ class=md-nav__link> <span class=md-ellipsis> Custom Configuration </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/custom-errors/ class=md-nav__link> <span class=md-ellipsis> Custom Errors </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/custom-headers/ class=md-nav__link> <span class=md-ellipsis> Custom Headers </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/external-auth-headers/ class=md-nav__link> <span class=md-ellipsis> External authentication </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/ssl-dh-param/ class=md-nav__link> <span class=md-ellipsis> Custom DH parameters for perfect forward secrecy </span> </a> </li> <li class=md-nav__item> <a href=../../examples/customization/sysctl/ class=md-nav__link> <span class=md-ellipsis> Sysctl tuning </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../examples/docker-registry/ class=md-nav__link> <span class=md-ellipsis> Docker registry </span> </a> </li> <li class=md-nav__item> <a href=../../examples/grpc/ class=md-nav__link> <span class=md-ellipsis> gRPC </span> </a> </li> <li class=md-nav__item> <a href=../../examples/multi-tls/ class=md-nav__link> <span class=md-ellipsis> Multi TLS certificate termination </span> </a> </li> <li class=md-nav__item> <a href=../../examples/rewrite/ class=md-nav__link> <span class=md-ellipsis> Rewrite </span> </a> </li> <li class=md-nav__item> <a href=../../examples/static-ip/ class=md-nav__link> <span class=md-ellipsis> Static IPs </span> </a> </li> <li class=md-nav__item> <a href=../../examples/tls-termination/ class=md-nav__link> <span class=md-ellipsis> TLS termination </span> </a> </li> <li class=md-nav__item> 
<a href=../../examples/openpolicyagent/ class=md-nav__link> <span class=md-ellipsis> Open Policy Agent rules </span> </a> </li> <li class=md-nav__item> <a href=../../examples/canary/ class=md-nav__link> <span class=md-ellipsis> Canary Deployments </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_5> <label class=md-nav__link for=__nav_5 id=__nav_5_label tabindex> <span class=md-ellipsis> Developer Guide </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_5_label aria-expanded=false> <label class=md-nav__title for=__nav_5> <span class="md-nav__icon md-icon"></span> Developer Guide </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../developer-guide/getting-started/ class=md-nav__link> <span class=md-ellipsis> Getting Started </span> </a> </li> <li class=md-nav__item> <a href=../../developer-guide/code-overview/ class=md-nav__link> <span class=md-ellipsis> Code Overview </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../faq/ class=md-nav__link> <span class=md-ellipsis> FAQ </span> </a> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component=sidebar data-md-type=toc> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#overview class=md-nav__link> Overview </a> </li> <li class=md-nav__item> <a href=#configuration-guide class=md-nav__link> Configuration Guide </a> </li> </ul> </nav> </div> </div> </div> <div class=md-content data-md-component=content> <article class="md-content__inner md-typeset"> 
<h1 id=hardening-guide>Hardening Guide<a class=headerlink href=#hardening-guide title="Permanent link"> ¶</a></h1> <p>Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster.</p> <h2 id=overview>Overview<a class=headerlink href=#overview title="Permanent link"> ¶</a></h2> <p>There are several ways to harden and secure nginx. This documentation draws on two guides, which overlap in some points:</p> <ul> <li><a href=https://www.cisecurity.org/benchmark/nginx/ >nginx CIS Benchmark</a></li> <li><a href=https://cipherlist.eu/ >cipherlist.eu</a> (one of many forks of the now dead project cipherli.st)</li> </ul> <p>This guide describes which of the configurations from those guides are already implemented by default in the nginx implementation of Kubernetes ingress, which need to be configured, which are obsolete because nginx runs as a container (the CIS benchmark relates to a non-containerized installation), and which are difficult or not possible.</p> <p>Be aware that this is only a guide and you are responsible for your own implementation. Some of the configurations may leave specific clients unable to reach your site, or have similar consequences.</p> <p>This guide refers to chapters in the CIS Benchmark. 
For full explanation you should refer to the benchmark document itself</p> <h2 id=configuration-guide>Configuration Guide<a class=headerlink href=#configuration-guide title="Permanent link"> ¶</a></h2> <table> <thead> <tr> <th style="text-align: left;">Chapter in CIS benchmark</th> <th style="text-align: left;">Status</th> <th style="text-align: left;">Default</th> <th style="text-align: left;">Action to do if not default</th> </tr> </thead> <tbody> <tr> <td style="text-align: left;"><strong>1 Initial Setup</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>1.1 Installation</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">1.1.1 Ensure NGINX is installed (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">done through helm charts / following documentation to deploy nginx ingress</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">1.1.2 Ensure NGINX is installed from source (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">done through helm charts / following documentation to deploy nginx ingress</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>1.2 Configure Software Updates</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">1.2.1 Ensure package manager repositories are properly configured 
(Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">done via helm; the nginx version can be overridden, but compatibility is then not ensured</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">1.2.2 Ensure the latest software package is installed (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">done via helm; the nginx version can be overridden, but compatibility is then not ensured</td> <td style="text-align: left;">Plan for periodic updates</td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2 Basic Configuration</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2.1 Minimize NGINX Modules</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.1.1 Ensure only required modules are installed (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Only the needed modules are installed already; proposals for further reduction are welcome</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.1.2 Ensure HTTP WebDAV module is not installed (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.1.3 Ensure modules with gzip functionality are disabled (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;"></td> <td 
style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.1.4 Ensure the autoindex module is disabled (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">No autoindex configs so far in ingress defaults</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2.2 Account Security</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Pod configured as user www-data: <a href=https://github.com/kubernetes/ingress-nginx/blob/0cbe783f43a9313c9c26136e888324b1ee91a72f/charts/ingress-nginx/values.yaml#L10>See this line in helm chart values</a>. 
Compiled with user www-data: <a href=https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L529>See this line in build script</a></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.2.2 Ensure the NGINX service account is locked (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Docker design ensures this</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.2.3 Ensure the NGINX service account has an invalid shell (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Shell is nologin: <a href=https://github.com/kubernetes/ingress-nginx/blob/5d67794f4fbf38ec6575476de46201b068eabf87/images/nginx/rootfs/build.sh#L613>see this line in build script</a></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2.3 Permissions and Ownership</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.3.1 Ensure NGINX directories and files are owned by root (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Obsolete through docker-design and ingress controller needs to update the configs dynamically</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.3.2 Ensure access to NGINX directories and files is restricted (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">See previous answer</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">No PID-File 
due to docker design</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.3.4 Ensure the core dump directory is secured (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">No working_directory configured by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2.4 Network Configuration</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Ensured by automatic nginx.conf configuration</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.4.2 Ensure requests for unknown host names are rejected (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">They are not rejected but sent to the "default backend", which delivers appropriate errors (mostly 404)</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Default is 75s</td> <td style="text-align: left;">configure keep-alive to 10 seconds <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#keep-alive>according to this documentation</a></td> </tr> <tr> <td style="text-align: left;">2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)</td> <td style="text-align: left;">RISK TO BE ACCEPTED</td> <td style="text-align: left;">Not configured, however the nginx default is 60s</td> <td 
style="text-align: left;">Not configurable through the controller</td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>2.5 Information Disclosure</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.5.1 Ensure server_tokens directive is set to <code>off</code> (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">server_tokens is configured to off by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">404 shows no version at all; 503 and 403 show "nginx", which is hardcoded in nginx itself: <a href=https://github.com/nginx/nginx/blob/master/src/http/ngx_http_special_response.c#L36>see this line in nginx source code</a></td> <td style="text-align: left;">Configure custom error pages at least for 403, 404, 500 and 503 (e.g. via <code>custom-http-errors</code> and a custom default backend)</td> </tr> <tr> <td style="text-align: left;">2.5.3 Ensure hidden file serving is disabled (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Not configured by default</td> <td style="text-align: left;">Add a <code>server-snippet</code> (ConfigMap key) that denies access to dot-files, but keep <code>/.well-known/</code> reachable: ACME HTTP-01 challenges and similar discovery endpoints live there and would otherwise break. Refer to the benchmark for the reference rule.</td> </tr> <tr> <td style="text-align: left;">2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Header hiding is not configured by default</td> <td style="text-align: left;">Configure <code>hide-headers</code> with an array containing "X-Powered-By" and "Server" so these upstream response headers are stripped before the response reaches the client: <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#hide-headers>according to this documentation</a></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>3 Logging</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.1 Ensure detailed logging is enabled (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Ingress-Nginx has a very detailed access log format by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.2 Ensure access logging is enabled (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Access log is enabled by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.3 Ensure error logging is enabled and set to the info logging level (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Error log is configured by default.
The exact level is secondary for this control because all output goes to the container's standard output/error streams and is collected by the cluster logging pipeline; if a different verbosity is required it can be tuned via the <code>error-log-level</code> ConfigMap key</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.4 Ensure log files are rotated (Scored)</td> <td style="text-align: left;">OBSOLETE</td> <td style="text-align: left;">Log file handling is not part of Ingress-Nginx: logs are written to the container's standard streams, so rotation is the responsibility of the node's container runtime and the cluster logging stack. Verify that this is actually in place, otherwise the intent of the control is not met</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.5 Ensure error logs are sent to a remote syslog server (Not Scored)</td> <td style="text-align: left;">OBSOLETE</td> <td style="text-align: left;">See previous answer: ship the container logs to a remote collector with the cluster logging stack</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.6 Ensure access logs are sent to a remote syslog server (Not Scored)</td> <td style="text-align: left;">OBSOLETE</td> <td style="text-align: left;">See previous answer</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">3.7 Ensure proxies pass source IP information (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">The source-IP headers are set by default. Note that they only carry the real client address if the controller itself sees it: when traffic arrives through a cloud load balancer or another proxy, use PROXY protocol or a <code>externalTrafficPolicy: Local</code> Service, or enable <code>use-forwarded-headers</code> only when that upstream proxy is trusted (by default incoming X-Forwarded-* headers are not trusted)</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>4 Encryption</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>4.1 TLS / SSL Configuration</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">4.1.1 Ensure HTTP is redirected to HTTPS (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align:
left;">Redirect to TLS is the default (<code>ssl-redirect</code>) for every Ingress that has a TLS section. Hosts that are served without a certificate stay on plain HTTP unless <code>force-ssl-redirect</code> is set, so make sure every exposed host has TLS configured</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">There are plenty of guides for installing certificates; a common approach is Let's Encrypt via cert-manager</td> <td style="text-align: left;">Install proper certificates or use Let's Encrypt with cert-manager</td> </tr> <tr> <td style="text-align: left;">4.1.3 Ensure private key permissions are restricted (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">See previous answer. Certificates and private keys are held in Kubernetes Secrets, so this control translates into RBAC: restrict who can read Secrets in the namespaces that hold TLS material, and consider encrypting Secrets at rest</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">4.1.4 Ensure only modern TLS protocols are used (Scored)</td> <td style="text-align: left;">OK/ACTION NEEDED</td> <td style="text-align: left;">Default is TLS 1.2 + 1.3; while this is okay for the CIS Benchmark, cipherlist.eu only recommends 1.3.
Restricting to TLS 1.3 may cut off older clients and operating systems</td> <td style="text-align: left;">Set controller.config.ssl-protocols to "TLSv1.3"</td> </tr> <tr> <td style="text-align: left;">4.1.5 Disable weak ciphers (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Default ciphers are already good, but cipherlist.eu recommends an even stronger list. Note that <code>ssl-ciphers</code> only governs TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL and unaffected. The <code>EDH</code> (DHE) suites are only offered when DH parameters are configured, see 4.1.6</td> <td style="text-align: left;">Set controller.config.ssl-ciphers to "EECDH+AESGCM:EDH+AESGCM"</td> </tr> <tr> <td style="text-align: left;">4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">No custom DH parameters are generated</td> <td style="text-align: left;">Generate DH parameters for each ingress deployment you use - <a href=https://kubernetes.github.io/ingress-nginx/examples/customization/ssl-dh-param/ >see here for a how to</a></td> </tr> <tr> <td style="text-align: left;">4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Not enabled</td> <td style="text-align: left;">Set via <a href=https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-ocsp>this configuration parameter</a></td> </tr> <tr> <td style="text-align: left;">4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">HSTS is enabled by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED / RISK TO BE ACCEPTED</td> <td style="text-align: left;">HPKP is not enabled by default. Note that HPKP is deprecated and no longer honoured by current browsers, and a wrong or stale pin locks clients out for the pin's max-age; accepting this risk and relying on CAA records plus Certificate Transparency monitoring is the usual choice today</td> <td style="text-align: left;">If Let's Encrypt is not used and pinning is still wanted, set a correct HPKP header including a backup pin. There are several ways to implement this - with the helm charts it works via controller.add-headers.
If Let's Encrypt is used this is complicated, because keys and intermediates rotate; a workable solution is not known</td> </tr> <tr> <td style="text-align: left;">4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored)</td> <td style="text-align: left;">DEPENDS ON BACKEND</td> <td style="text-align: left;">Highly dependent on the backends; not every backend allows configuring this. Can also be covered by a service mesh that provides mTLS between the ingress and the workloads</td> <td style="text-align: left;">If the backend allows it, configure a client certificate for the upstream connection via the backend certificate authentication annotations - <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication>see configuration here</a> (the client-certs example covers clients authenticating to the ingress, which is a different direction)</td> </tr> <tr> <td style="text-align: left;">4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored)</td> <td style="text-align: left;">DEPENDS ON BACKEND</td> <td style="text-align: left;">Highly dependent on the backends; not every backend allows configuring this. Can also be covered by a service mesh</td> <td style="text-align: left;">If the backend allows it, <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication>see configuration here</a></td> </tr> <tr> <td style="text-align: left;">4.1.12 Ensure your domain is preloaded (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Preload is not active by default</td> <td style="text-align: left;">Set controller.config.hsts-preload to true (and submit the domain to the preload list; preloading is effectively irreversible, so make sure every subdomain can serve HTTPS first)</td> </tr> <tr> <td style="text-align: left;">4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">Session tickets are disabled by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">4.1.14 Ensure HTTP/2.0 is used (Not Scored)</td> <td style="text-align: left;">OK</td> <td style="text-align: left;">http2 is set by default</td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td
style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>5 Request Filtering and Restrictions</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>5.1 Access Control</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)</td> <td style="text-align: left;">OK/ACTION NEEDED</td> <td style="text-align: left;">Depends on the use case; the GeoIP module is compiled into the Ingress-Nginx Controller and there are several ways to use it</td> <td style="text-align: left;">If needed, set IP restrictions via the <code>whitelist-source-range</code> annotation or via config snippets (be careful with the Let's Encrypt HTTP-01 challenge!). IP filters are only effective when the controller sees the real client address: behind a load balancer use PROXY protocol or <code>externalTrafficPolicy: Local</code>, or <code>use-forwarded-headers</code> with a trusted proxy, otherwise the filter acts on the load balancer's address</td> </tr> <tr> <td style="text-align: left;">5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored)</td> <td style="text-align: left;">OK/ACTION NEEDED</td> <td style="text-align: left;">Depends on the use case</td> <td style="text-align: left;">If required it can be set via a config snippet. Note that snippet annotations are disabled by default in recent controller versions (<code>allow-snippet-annotations</code>) because they let any Ingress author inject arbitrary nginx configuration; prefer ConfigMap-level snippets or dedicated annotations where one exists</td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>5.2 Request Limits</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td
style="text-align: left;">Default timeout is 60s</td> <td style="text-align: left;">Set via <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#client-header-timeout>this configuration parameter</a> and respective body equivalent</td> </tr> <tr> <td style="text-align: left;">5.2.2 Ensure the maximum request body size is set correctly (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Default is 1m</td> <td style="text-align: left;">set via <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#proxy-body-size>this configuration parameter</a></td> </tr> <tr> <td style="text-align: left;">5.2.3 Ensure the maximum buffer size for URIs is defined (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Default is 4 8k</td> <td style="text-align: left;">Set via <a href=https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#large-client-header-buffers>this configuration parameter</a></td> </tr> <tr> <td style="text-align: left;">5.2.4 Ensure the number of connections per IP address is limited (Not Scored)</td> <td style="text-align: left;">OK/ACTION NEEDED</td> <td style="text-align: left;">No limit set</td> <td style="text-align: left;">Depends on use case, limit can be set via <a href=https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting>these annotations</a></td> </tr> <tr> <td style="text-align: left;">5.2.5 Ensure rate limits by IP address are set (Not Scored)</td> <td style="text-align: left;">OK/ACTION NEEDED</td> <td style="text-align: left;">No limit set</td> <td style="text-align: left;">Depends on use case, limit can be set via <a href=https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting>these annotations</a></td> </tr> <tr> <td 
style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>5.3 Browser Security</strong></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;">5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Header not set by default</td> <td style="text-align: left;">Several ways to implement this - with the helm charts it works via controller.add-headers. Headers added this way are appended to every response the controller serves, so choose a value (e.g. <code>SAMEORIGIN</code> or <code>DENY</code>) that is compatible with all hosted applications</td> </tr> <tr> <td style="text-align: left;">5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">See previous answer</td> <td style="text-align: left;">See previous answer; the only meaningful value is <code>nosniff</code></td> </tr> <tr> <td style="text-align: left;">5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">See previous answer. Note that X-XSS-Protection is deprecated: current browsers have removed the filter it controlled, and in older browsers <code>1; mode=block</code> could itself be abused, so OWASP now recommends sending <code>X-XSS-Protection: 0</code> and relying on a Content Security Policy (5.3.4) instead</td> <td style="text-align: left;">See previous answer</td> </tr> <tr> <td style="text-align: left;">5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">See previous answer. A single global CSP set at the ingress rarely fits every application behind it; a policy that is too loose is worthless and one that is too strict breaks pages</td> <td style="text-align: left;">See previous answer; prefer setting the CSP per application in the backend</td> </tr> <tr> <td style="text-align: left;">5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)</td> <td style="text-align: left;">ACTION NEEDED</td> <td style="text-align: left;">Depends on the application.
It should be handled in the application's web server itself, not in the load-balancing ingress</td> <td style="text-align: left;">Check the backend web server</td> </tr> <tr> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> <td style="text-align: left;"></td> </tr> <tr> <td style="text-align: left;"><strong>6 Mandatory Access Control</strong></td> <td style="text-align: left;">n/a</td> <td style="text-align: left;">Too high level for this guide; depends on the backends</td> <td style="text-align: left;"></td> </tr> </tbody> </table> <style>
/*
 * Table layout tweaks for the hardening-guide benchmark table on desktop
 * viewports: allow the first (control title) column to wrap and tighten cell
 * padding so all four columns fit without horizontal scrolling.
 */
@media only screen and (min-width: 768px) {

  /* First column holds the control title; let it wrap.
     !important is needed to beat the theme stylesheet's rule. */
  td:nth-child(1) {
    white-space: normal !important;
  }

  /* Compact padding for unclassed tables rendered by Material for MkDocs. */
  .md-typeset table:not([class]) td {
    padding: 0.2rem 0.3rem;
  }

}