Ingress controllers are your cluster’s front door to the internet. Securing them properly is critical to protecting your applications from external threats.

Ingress Security Fundamentals

TLS Configuration

Always use TLS with strong settings:

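```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    # Redirect plain-HTTP requests to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # ingress-nginx documents ssl-protocols as a controller ConfigMap option;
    # verify that your controller version honours it as a per-Ingress annotation
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3"
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls   # Secret holding the certificate and private key
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 80
```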

Rate Limiting

Protect against brute force and DoS:

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-connections: "5"
    nginx.ingress.kubernetes.io/limit-rpm: "100"
```

Security Headers

```yaml
metadata:
  annotations:
    # Snippet annotations only take effect if the controller permits them
    # (ConfigMap option allow-snippet-annotations)
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-Content-Type-Options "nosniff";
      add_header X-XSS-Protection "1; mode=block";
      add_header Content-Security-Policy "default-src 'self'";
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
```

Web Application Firewall

ModSecurity with NGINX Ingress

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
data:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  modsecurity-snippet: |
    SecRuleEngine On
    SecAuditLog /dev/stdout
```

Custom Rules

```yaml
modsecurity-snippet: |
  SecRule REQUEST_URI "@contains /admin" \
    "id:1001,phase:1,deny,status:403,msg:'Admin access blocked'"
```

Authentication

Basic Auth

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
```

OAuth2 Proxy

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.com/oauth2/start"
```
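To check which Ingresses in a cluster actually carry the TLS, rate-limit and authentication settings shown above, the parsed output of `kubectl get ingress -A -o json` can be audited with a short script. This is an added example, not code from the original post; the function names, finding strings and sample objects are constructed for illustration, and it only checks that the annotations are present, not their values or any controller-level ConfigMap settings.

```python
PREFIX = "nginx.ingress.kubernetes.io/"
RATE_KEYS = ("limit-rps", "limit-rpm", "limit-connections")
AUTH_KEYS = ("auth-type", "auth-url")

def covered(host, tls_hosts):
    """True if host is listed in spec.tls exactly or via a one-level wildcard."""
    return host in tls_hosts or "*." + host.partition(".")[2] in tls_hosts

def audit_ingress(ing):
    """Return findings for one Ingress object (a dict parsed from kubectl JSON)."""
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    findings = []
    # Only spec.tls entries that name a certificate Secret count as coverage.
    tls_hosts = set()
    for entry in spec.get("tls") or []:
        if entry.get("secretName"):
            tls_hosts.update(entry.get("hosts") or [])
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not covered(host, tls_hosts):
            findings.append(f"no TLS entry for {host}")
    if ann.get(PREFIX + "ssl-redirect", "").lower() == "false":
        findings.append("ssl-redirect disabled")
    if not any(PREFIX + k in ann for k in RATE_KEYS):
        findings.append("no rate limit")
    if not any(PREFIX + k in ann for k in AUTH_KEYS):
        findings.append("no authentication")
    return findings

def audit_list(doc):
    """Map 'namespace/name' to findings for a `kubectl get ingress -A -o json` List."""
    return {f"{i['metadata'].get('namespace', 'default')}/{i['metadata']['name']}":
            audit_ingress(i) for i in doc.get("items", [])}

# Constructed sample (not from a real cluster): the page's Ingress plus a weak one.
SAMPLE = {"items": [
    {"metadata": {"name": "secure-ingress", "namespace": "prod", "annotations": {
        PREFIX + "ssl-redirect": "true", PREFIX + "limit-rps": "10",
        PREFIX + "auth-type": "basic"}},
     "spec": {"tls": [{"hosts": ["app.example.com"], "secretName": "app-tls"}],
              "rules": [{"host": "app.example.com"}]}},
    {"metadata": {"name": "legacy", "namespace": "prod", "annotations": {
        PREFIX + "ssl-redirect": "false"}},
     "spec": {"rules": [{"host": "legacy.example.com"}]}},
]}

if __name__ == "__main__":
    for name, items in audit_list(SAMPLE).items():
        print(name, items or "ok")
```

Against a live cluster, pass `json.load()` of the kubectl output to `audit_list` instead of `SAMPLE`.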

DDoS Protection

Monitoring

Your ingress is your perimeter—defend it well.
