Kubernetes NGINX
What is NGINX?
Igor Sysoev created NGINX as an open-source project in 2004 to address a pervasive issue centered around instability with high numbers of concurrent connections. It eventually became the most ubiquitous high-performance web server technology available and is typically used today for reverse proxying, web services, caching, and load balancing.
What is Kubernetes NGINX?
NGINX provides a suite of products designed to run within Kubernetes environments:
NGINX Plus
NGINX Plus is a reverse proxy and load balancing tool that performs multiple roles. It is the enterprise-grade, fully supported version of the NGINX open-source platform. Kubernetes-related features include:
- Sidecar: a sidecar is a dedicated container that runs alongside the application container in a Kubernetes pod. In most implementations, it offloads functions required by the applications running in a service mesh environment.
- Includes an Ingress controller to aid Kubernetes clusters in managing ingress and egress traffic
- Service and pod-oriented firewall proxy
- API gateway to manage service-to-service communications between containers and pods
NGINX Service Mesh
NGINX Service Mesh is a robust yet lightweight service mesh featuring enterprise‑ready data plane security, scalability, and cluster‑wide traffic management designed to provide Kubernetes implementations with secure, turn-key, single-configuration solutions for ingress and egress management.
NGINX Ingress Controller
The NGINX Ingress Controller is a production-grade Ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer. It offers robust features and app-centric configuration capabilities like role-based access control (RBAC), simplified configuration utility, and the ability to adapt existing NGINX configurations from existing environments.
How to install the NGINX Ingress Controller
Here is a quick walkthrough of installing the NGINX Ingress Controller using a Kubernetes Minikube Learning Environment following the instructions on the NGINX GitHub page:
- Since we are using the Helm-based install method, first install Helm from the CLI with snap install helm --classic.
- Next, deploy the ingress controller with the command:
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace
- Next, we can create a local web server, service, and ingress resource for testing.
- Now, forward a local port to the ingress controller.
- If using the Kubernetes.io learning environment for this demo, you should now be able to see your Ingress Controller implementation in the Kubernetes dashboard in the Preview Port 30000 tab.
Creating and Accessing NGINX Services
Now, perform a quick walkthrough of connecting containers with an NGINX server. Once again, we will use minikube and the Kubernetes learning environment.
- Create a YAML file in the Learning Environment Bash Terminal with the following specifications:
- Create your NGINX pod
- Check that the pods are running correctly.
We now have pods running NGINX in a cluster-wide address space. Next we will create Kubernetes services, which provide an abstraction layer over our pods so that future deployments with new pod IP addresses don't break our connections.
- Now, create the service with kubectl expose:
This creates a service that targets TCP port 80 on any pod with the my-Nginx label.
- Check your service information:
Kubernetes provides two primary methods of accessing created services: environment variables and DNS. This demonstration will use environment variables since they are available out of the box.
- Access your Services:
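The walkthrough above leaves the YAML and the kubectl output to the reader, so here is an added example (not code from the original page or from the NGINX project) that builds the Deployment, the Service that kubectl expose would create, and the Ingress resource from the installation section as one manifest bundle, and then derives the environment variables Kubernetes injects for the service. The label value `run=my-nginx`, the image tag `nginx:1.25`, the host `nginx.example.test` and the cluster IP `10.96.0.10` are assumptions chosen for this example; the variable naming rule (service name upper-cased, dashes to underscores, `_SERVICE_HOST` / `_SERVICE_PORT` / `_PORT_<port>_<proto>` suffixes) is the one kubelet uses.

```python
"""Manifests for the NGINX pod/service/ingress walkthrough, plus the service
environment variables Kubernetes injects into pods started after the service."""
import json

# Assumed names: "my-nginx" matches the label referenced in the text; the
# image tag and host are placeholders chosen for this example.
APP = "my-nginx"
IMAGE = "nginx:1.25"
HOST = "nginx.example.test"


def nginx_deployment(name=APP, replicas=2, image=IMAGE):
    """Deployment that runs NGINX pods labelled run=<name> and exposes port 80."""
    labels = {"run": name}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name, "labels": labels},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": labels},
            "template": {
                "metadata": {"labels": labels},
                "spec": {"containers": [{
                    "name": "nginx",
                    "image": image,
                    "ports": [{"containerPort": 80}],
                }]},
            },
        },
    }


def nginx_service(name=APP, port=80):
    """Service equivalent to `kubectl expose deployment <name> --port=80`:
    it targets TCP port 80 on every pod carrying the run=<name> label."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "labels": {"run": name}},
        "spec": {
            "selector": {"run": name},
            "ports": [{"protocol": "TCP", "port": port, "targetPort": 80}],
        },
    }


def nginx_ingress(name=APP, host=HOST, service=APP, port=80):
    """Ingress routing host/ to the Service through the ingress-nginx class."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {
            "ingressClassName": "nginx",
            "rules": [{"host": host, "http": {"paths": [{
                "path": "/",
                "pathType": "Prefix",
                "backend": {"service": {"name": service, "port": {"number": port}}},
            }]}}],
        },
    }


def manifest_bundle():
    """A v1 List that `kubectl apply -f -` accepts in one go (JSON is valid YAML)."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [nginx_deployment(), nginx_service(), nginx_ingress()]}


def service_env_vars(service_name, cluster_ip, port, protocol="TCP"):
    """The Docker-links-style variables kubelet sets in containers created
    after the Service exists: the name is upper-cased with dashes turned into
    underscores. Pods created before the Service do not get them."""
    prefix = service_name.upper().replace("-", "_")
    url = f"{protocol.lower()}://{cluster_ip}:{port}"
    return {
        f"{prefix}_SERVICE_HOST": cluster_ip,
        f"{prefix}_SERVICE_PORT": str(port),
        f"{prefix}_PORT": url,
        f"{prefix}_PORT_{port}_{protocol}": url,
        f"{prefix}_PORT_{port}_{protocol}_PROTO": protocol.lower(),
        f"{prefix}_PORT_{port}_{protocol}_PORT": str(port),
        f"{prefix}_PORT_{port}_{protocol}_ADDR": cluster_ip,
    }


if __name__ == "__main__":
    # Write the bundle, then apply it with: kubectl apply -f nginx-demo.json
    with open("nginx-demo.json", "w") as fh:
        json.dump(manifest_bundle(), fh, indent=2)
    # Cluster IP constructed for illustration; read the real one from
    # `kubectl get svc my-nginx` after the Service exists.
    for key, value in service_env_vars(APP, "10.96.0.10", 80).items():
        print(f"{key}={value}")
```

The ordering caveat matters for the "Access your Services" step: a pod only receives `MY_NGINX_SERVICE_HOST` and friends if it was created after the Service, so a client pod started before `kubectl expose` has to be recreated (or fall back to DNS) before the variables appear.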
Kubernetes ingress-nginx vulnerability CVE-2021-25742
On October 21st, the Kubernetes Security Response Committee published a new known issue with ingress-nginx. CVE-2021-25742 describes an issue where users with create or update permissions on an Ingress object can obtain all secrets in the cluster and therefore compromise any services exposed to the internet.
Best Practices and Remediation
- Update to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)
- Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
- Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment:
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Add the directive:
data:
  allow-snippet-annotations: "false"
- Deploying via Helm
Set controller.allowSnippetAnnotations to false in the values.yaml or add the directive to the helm deploy:
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
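To verify that the remediation above actually took effect, here is an added audit helper (not code from the original page or from the ingress-nginx project) that checks the three things a defender cares about: whether the controller version is one that can disable snippets (>= v0.49.1 or >= v1.0.1 as stated above), whether the ConfigMap still honours snippet annotations (a missing key means the vulnerable default of enabled), and which Ingress objects already carry a snippet annotation and therefore deserve review. The annotation names are the snippet annotations ingress-nginx recognises; the ConfigMap and Ingress JSON are constructed samples standing in for the output of `kubectl get configmap -n ingress-nginx ingress-nginx-controller -o json` and `kubectl get ingress -A -o json`, and the controller version is assumed to be read from the controller image tag and passed in by the caller.

```python
"""Audit helper for CVE-2021-25742: checks whether an ingress-nginx install
still honours snippet annotations and lists the Ingress objects using them."""
import json
import re

# ingress-nginx annotations whose values are injected verbatim into the NGINX
# configuration; while allow-snippet-annotations is enabled, anyone who can
# create or update an Ingress can use them.
SNIPPET_ANNOTATIONS = frozenset({
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
})

# First versions on each release line that allow the mitigation (from the text above).
FIXED_VERSIONS = {0: (0, 49, 1), 1: (1, 0, 1)}


def parse_version(tag):
    """'v1.0.1' -> (1, 0, 1); raises ValueError for tags it cannot read."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(p) for p in m.groups())


def version_mitigated(tag):
    """True when the controller version can disable snippet annotations
    (>= v0.49.1 on the 0.x line, >= v1.0.1 on the 1.x line and later)."""
    v = parse_version(tag)
    floor = FIXED_VERSIONS.get(v[0], FIXED_VERSIONS[1])  # 2.x and later: treat as fixed
    return v >= floor


def snippets_allowed(configmap):
    """True when the controller ConfigMap still honours snippet annotations.
    An absent key means the (vulnerable) default of enabled."""
    data = configmap.get("data") or {}
    return str(data.get("allow-snippet-annotations", "true")).strip().lower() != "false"


def find_snippet_ingresses(ingress_list):
    """(namespace, name, [annotations]) for each Ingress carrying a snippet."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        used = sorted(k for k in (meta.get("annotations") or {}) if k in SNIPPET_ANNOTATIONS)
        if used:
            findings.append((meta.get("namespace", "default"), meta.get("name"), used))
    return findings


def audit(controller_version, configmap, ingress_list):
    """Combine the checks into one report; 'exposed' stays True while snippet
    annotations are honoured, whether or not any Ingress uses them yet."""
    report = {
        "version_mitigated": version_mitigated(controller_version),
        "snippets_allowed": snippets_allowed(configmap),
        "snippet_ingresses": find_snippet_ingresses(ingress_list),
    }
    report["exposed"] = report["snippets_allowed"]
    return report


# Constructed sample inputs standing in for the two kubectl JSON dumps.
SAMPLE_CONFIGMAP = {"kind": "ConfigMap",
                    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
                    "data": {}}  # no allow-snippet-annotations key -> default enabled
SAMPLE_INGRESSES = {"kind": "List", "items": [
    {"metadata": {"namespace": "shop", "name": "storefront", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
    {"metadata": {"namespace": "dev", "name": "scratch", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet": "# constructed sample snippet"}}},
]}

if __name__ == "__main__":
    # Version tag assumed to come from the controller image; replace with yours.
    print(json.dumps(audit("v1.0.1", SAMPLE_CONFIGMAP, SAMPLE_INGRESSES), indent=2))
```

Two things the report makes visible that the ConfigMap edit alone does not: an upgraded controller with the key still unset remains exposed, and any Ingress listed under `snippet_ingresses` will stop working once snippets are disabled, so those objects need to be reviewed and rewritten before the switch is flipped rather than after.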