Best Practices for Nginx Ingress Controller Configuration

This document outlines recommended practices for configuring Nginx Ingress resources within a Kubernetes environment, focusing on security considerations and effective use of annotations.

Security Best Practices#

Implementing robust security measures for your ingress controller is critical for protecting your cluster and applications.

1. Enforce TLS Encryption: All traffic should be encrypted using TLS. Utilize tools like cert-manager for automated certificate management via Let’s Encrypt and configure the tls section within your Ingress specification.

   spec:
     tls:
     - hosts:
       - application.example.com
       secretName: application-tls # Managed by cert-manager

   yaml
2. Implement Network Policies: Restrict network access to the ingress controller pods. Define Kubernetes NetworkPolicy objects to allow traffic only from expected sources, adhering to the principle of least privilege.
3. Restrict Access via IP Whitelisting: If access needs to be limited to specific IP addresses or ranges, use the nginx.ingress.kubernetes.io/whitelist-source-range annotation.

   metadata:
     annotations:
       nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.100/32, 10.0.0.0/8"

   yaml
4. Isolate Sensitive Endpoints: Avoid exposing internal or management APIs through publicly accessible ingress resources. Consider using separate ingress controllers, internal load balancers, or alternative access methods.
5. Maintain Regular Updates: Keep the Nginx Ingress controller deployment up-to-date with the latest releases and security patches.

Effective Use of Annotations#

Annotations provide a powerful mechanism for customizing Nginx behavior through Ingress resources.

1. SSL/TLS Redirection: Enforce the use of HTTPS by redirecting HTTP requests.

   metadata:
     annotations:
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

   yaml
2. Rate Limiting: Protect backend services from excessive traffic or denial-of-service attempts.

   metadata:
     annotations:
       nginx.ingress.kubernetes.io/limit-rps: "10" # Requests per second
       nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"

   yaml
3. CORS Configuration: Manage Cross-Origin Resource Sharing headers for frontend applications interacting with your APIs.

   metadata:
     annotations:
       nginx.ingress.kubernetes.io/enable-cors: "true"
       nginx.ingress.kubernetes.io/cors-allow-origin: "https://frontend.example.com"
       nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"

   yaml
4. Custom Configuration Snippets: For advanced Nginx configurations, the nginx.ingress.kubernetes.io/configuration-snippet annotation allows injecting raw Nginx configuration directives. Exercise caution when using this feature, as incorrect configurations can lead to issues.

   metadata:
     annotations:
       # Example: Add a custom request header
       nginx.ingress.kubernetes.io/configuration-snippet: |
         proxy_set_header X-Request-ID $request_id;

   yaml
5. Client Body Size Limits: Define the maximum allowed size for client request bodies to prevent resource exhaustion.

   metadata:
     annotations:
       nginx.ingress.kubernetes.io/proxy-body-size: "8m" # e.g., 8 megabytes

   yaml

General Recommendations#

• Isolate Ingress Resources: Prefer creating separate Ingress resources for distinct applications or services rather than consolidating unrelated configurations into a single object.
• Utilize Clear Hostnames: Define specific host rules within your Ingress specifications for clarity and proper routing.

Adhering to these practices will help ensure your Nginx Ingress configurations are secure, maintainable, and performant.