Kubernetes NGINX

What is NGINX?

Igor Sysoev created NGINX as an open-source project in 2004 to address a pervasive issue centered around instability with high numbers of concurrent connections. It eventually became the most ubiquitous high-performance web server technology available and is typically used today for reverse proxying, web services, caching, and load balancing.

What is Kubernetes NGINX?

NGINX provides a suite of products designed to run within Kubernetes environments:

NGINX Plus

NGINX Plus is a reverse proxy and load balancing tool that performs multiple roles. It is the enterprise-grade, highly supported version of the NGINX open-source platform. Kubernetes related features include:

  • Sidecar- A sidecar is a dedicated container that runs alongside the application container in a Kubernetes pod. In most implementations, it offloads functions required by the applications running in a service mesh environment.
  • Includes an Ingress controller to aid Kubernetes clusters in managing ingress and egress traffic
  • Service and pod-oriented firewall proxy
  • API gateway to manage service-to-service communications between containers and pods

NGINX Service Mesh

NGINX Service Mesh is a robust yet lightweight service mesh featuring enterprise‑ready data plane security, scalability, and cluster‑wide traffic management designed to provide Kubernetes implementations with secure, turn-key, single-configuration solutions for ingress and egress management.

NGINX Ingress Controller

The NGINX Ingress Controller is a production-grade Ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer. It offers robust features and app-centric configuration capabilities like role-based access control (RBAC), simplified configuration utility, and the ability to adapt existing NGINX configurations from existing environments.

How to install the NGINX Ingress Controller

Here is a quick walkthrough of installing the NGINX Ingress Controller using a Kubernetes Minikube Learning Environment following the instructions on the NGINX GitHub page:

  1. Since we are using the Helm-based install method, first use the command- snap install helm –classic within the CLI.
helm install
  1. Next, deploy the ingress controller with the command:

helm upgrade –install ingress-nginx ingress-nginx

–repo https://kubernetes.github.io/ingress-nginx

–namespace ingress-nginx –create-namespace

install ingress nginx
  1. Next, we can create a local web server, service, and ingress resource for testing.
kubectl create deployment demo
  1. Now, forward a local port to the ingress controller.
ingress controller
  1. If using the Kubernetes io learning environment for this demo, you should now be able to see your Ingress Controller implementation in the Kubernetes dashboard in the Preview Port 30000 tab.
Ingress Controller implementation

Creating and Accessing NGINX Services

Now, perform a quick walkthrough of connecting containers with an NGINX server. Once again, we will use minikube and the Kubernetes learning environment.

  1. Create a YAML file in the Learning Environment Bash Terminal with the following specifications:
YAML file in the Learning Environment Bash Terminal
  1. Create your NGINX pod
Create NGINX pod
  1. Check that the pods are running correctly.
NGINX pods

Now we have pods running NGINX in a cluster-wide address space. Now we will create Kubernetes services, which provide an abstracted layer for our pods to ensure that future deployments with new IP addresses don’t break our connections.

  • Now, create the service with kubectl expose:
kubectl expose

This creates a service that targets TCP port 80 on any pod with the my-Nginx label.

  • Check your service information:
kubectl service info

Kubernetes provides two primary methods of accessing created services: environmental variables and DNS. This demonstration will use environmental variables since it is available out of the box.

  •  Access your Services:
kubectl nginx services

Kubernetes ingress-nginx vulnerability CVE-2021-25742

On October 21st, the Kubernetes Security Response Committee published a new known issue with ingress-nginx. CVE-2021-25742 describes an issue where users with create or update permissions on an ingress object can obtain all secrets with the cluster and therefore compromise any services exposed to the internet.

  • Best Practices and Remediation
  • Update to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)
  • Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
  • Static Deploy Files

Edit the ConfigMap for ingress-nginx after deployment:

kubectl edit configmap -n ingress-nginx ingress-nginx-controller

Add directive:

data:

allow-snippet-annotations:“false”

  • Deploying via Helm

Set controller.allowSnippetAnnotations to false in theValues.yaml or add the directive to the helm deploy:

helm install [RELEASE_NAME] –set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx

Read Next

Principle of Least Privilege

What is the Principle of Least Privilege? The principle of least privilege (PoLP) states that...

Known Exploited Vulnerabilities Catalog (KEV)

In cybersecurity, vulnerabilities are weaknesses (actually bugs) that attackers exploit to compromise systems or data....

Container Image Scanning

What is image scanning? Image scanning is the process of inspecting container images for potential...

Stay up to date