What is NGINX?
Igor Sysoev created NGINX as an open-source project in 2004 to address a pervasive issue centered around instability with high numbers of concurrent connections. It eventually became the most ubiquitous high-performance web server technology available and is typically used today for reverse proxying, web services, caching, and load balancing.
What is Kubernetes NGINX?
NGINX provides a suite of products designed to run within Kubernetes environments:
NGINX Plus
NGINX Plus is a reverse proxy and load balancing tool that performs multiple roles. It is the enterprise-grade, highly supported version of the NGINX open-source platform. Kubernetes-related features include:
- Sidecar: A sidecar is a dedicated container that runs alongside the application container in a Kubernetes pod. In most implementations, it offloads functions required by the applications running in a service mesh environment.
- Includes an Ingress controller to aid Kubernetes clusters in managing ingress and egress traffic
- Service and pod-oriented firewall proxy
- API gateway to manage service-to-service communications between containers and pods
NGINX Service Mesh
NGINX Service Mesh is a robust yet lightweight service mesh featuring enterprise‑ready data plane security, scalability, and cluster‑wide traffic management designed to provide Kubernetes implementations with secure, turn-key, single-configuration solutions for ingress and egress management.
NGINX Ingress Controller
The NGINX Ingress Controller is a production-grade Ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer. It offers robust features and app-centric configuration capabilities like role-based access control (RBAC), simplified configuration utility, and the ability to adapt existing NGINX configurations from existing environments.
How to install the NGINX Ingress Controller
Here is a quick walkthrough of installing the NGINX Ingress Controller using a Kubernetes Minikube Learning Environment following the instructions on the NGINX GitHub page:
- Since we are using the Helm-based install method, first run the command snap install helm --classic in the CLI.
- Next, deploy the ingress controller with the command:
- Next, we can create a local web server, service, and ingress resource for testing.
- Now, forward a local port to the ingress controller.
- If using the kubernetes.io learning environment for this demo, you should now be able to see your Ingress Controller implementation in the Kubernetes dashboard in the Preview Port 30000 tab.
Creating and Accessing NGINX Services
Now, we will perform a quick walkthrough of connecting containers with an NGINX server. Once again, we will use minikube and the Kubernetes learning environment.
- Create a YAML file in the Learning Environment Bash Terminal with the following specifications:
- Create your NGINX pod
- Check that the pods are running correctly.
- Now, create the service with kubectl expose:
- Check your service information:
- Access your Services:
Kubernetes ingress-nginx vulnerability CVE-2021-25742
On October 21st, the Kubernetes Security Response Committee published a new known issue with ingress-nginx. CVE-2021-25742 describes an issue where users with create or update permissions on an ingress object can obtain all secrets in the cluster and therefore compromise any services exposed to the internet.
Best Practices and Remediation
- Update to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)
- Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
  - Static Deploy Files
  - Deploying via Helm
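
To verify the remediation above, the following added example (not part of the original article or of the ingress-nginx project) checks whether allow-snippet-annotations is explicitly set to false in the controller ConfigMap and lists every Ingress that still carries a snippet annotation, since those need review before the setting is changed. It assumes the ConfigMap is named ingress-nginx-controller in the ingress-nginx namespace and that inputs have the shape of kubectl get ... -o json output; the sample objects are constructed.

```python
import json
import sys

PREFIX = "nginx.ingress.kubernetes.io/"

def snippets_disabled(configmap):
    """True only when allow-snippet-annotations is explicitly set to "false"."""
    data = configmap.get("data") or {}
    return str(data.get("allow-snippet-annotations", "")).strip().lower() == "false"

def ingresses_with_snippets(ingress_list):
    """Sorted (namespace, name, annotation) for each *-snippet annotation in use."""
    found = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        for key in meta.get("annotations") or {}:
            if key.startswith(PREFIX) and key.endswith("-snippet"):
                found.append((meta.get("namespace", ""), meta.get("name", ""), key))
    return sorted(found)

def audit(configmap, ingress_list):
    """Combine both checks into one report."""
    return {"mitigated": snippets_disabled(configmap),
            "snippet_users": ingresses_with_snippets(ingress_list)}

# Constructed sample objects (not from a real cluster). The ConfigMap name and
# namespace are assumed defaults; adjust them to your deployment.
UNSET_CONFIGMAP = {"metadata": {"name": "ingress-nginx-controller",
                                "namespace": "ingress-nginx"},
                   "data": {"use-forwarded-headers": "true"}}
HARDENED_CONFIGMAP = {"metadata": UNSET_CONFIGMAP["metadata"],
                      "data": {"allow-snippet-annotations": "false"}}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"name": "web", "namespace": "default", "annotations": {
        PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"name": "legacy", "namespace": "team-a", "annotations": {
        PREFIX + "configuration-snippet": "more_set_headers \"X-Test: 1\";"}}},
    {"metadata": {"name": "bare", "namespace": "team-b"}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to the ConfigMap JSON and the Ingress list JSON
        with open(sys.argv[1]) as cm, open(sys.argv[2]) as ing:
            report = audit(json.load(cm), json.load(ing))
    else:
        report = audit(UNSET_CONFIGMAP, SAMPLE_INGRESSES)
    print(json.dumps(report, indent=2))
```

To run it against a cluster, save the output of kubectl get configmap ingress-nginx-controller -n ingress-nginx -o json and kubectl get ingress -A -o json to two files and pass their paths as arguments.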