nginx · vepatel · Mar 21, 2023 · Mar 17, 2023 · Mar 17, 2023 · Mar 20, 2023
@@ -42,7 +42,65 @@ We recommend the following for the most secure configuration:
    we recommend [configuring HTTPS](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-prometheus-tls-secret) for Prometheus.
 
 ### Snippets
-
 Snippets allow you to insert raw NGINX config into different contexts of NGINX configuration and are supported for [Ingress](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-snippets/), [VirtualServer/VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#using-snippets), and [TransportServer](/nginx-ingress-controller/configuration/transportserver-resource/#using-snippets) resources. Additionally, the [ConfigMap](/nginx-ingress-controller/configuration/global-configuration/configmap-resource#snippets-and-custom-templates) resource configures snippets globally.
 
 Snippets are disabled by default. To use snippets, set the [`enable-snippets`](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-enable-snippets) command-line argument. Note that for the ConfigMap resource, snippets are always enabled.
+
+### Configure root filesystem as read-only
+The F5 Nginx Ingress Controller (NIC) has various protections against attacks, such as running the service as non-root to avoid changes to files. An additional industry best practice is having root filesystems set as read-only so that the attack surface is further reduced by limiting changes to binaries and libraries.
+
+As of now we do not set read-only root filesystem as default. Instead, this is an opt-in feature available on the [helm-chart](/nginx-ingress-controller/installation-with-helm/#configuration) via `controller.readOnlyRootFilesystem`. Users of non-Helm YAML manifests need to manually uncomment the argument, volumes and initContainers required for read-only root filesystem correctly. Refer below code-block for guidance:
+
+```
+#        fsGroup: 101 #nginx
+.
+.
+.
+#      volumes:
+#      - name: nginx-etc
+#        emptyDir: {}
+#      - name: nginx-cache
+#        emptyDir: {}
+#      - name: nginx-lib
+#        emptyDir: {}
+#      - name: nginx-log
+#        emptyDir: {}
+.
+.
+.
+#          readOnlyRootFilesystem: true
+.
+.
+.
+#        volumeMounts:
+#        - mountPath: /etc/nginx
+#          name: nginx-etc
+#        - mountPath: /var/cache/nginx
+#          name: nginx-cache
+#        - mountPath: /var/lib/nginx
+#          name: nginx-lib
+#        - mountPath: /var/log/nginx
+#          name: nginx-log
+.
+.
+.
+#      initContainers:
+#      - image: <repository>:<tag>
+#        imagePullPolicy: IfNotPresent
+#        name: init-nginx-ingress
+#        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
+#        securityContext:
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          runAsUser: 101 #nginx
+#          runAsNonRoot: true
+#          capabilities:
+#            drop:
+#            - ALL
+#        volumeMounts:
+#        - mountPath: /mnt/etc
+#          name: nginx-etc
+```
+For `initContainer:image:`, use exact same image used for regular NIC installation.
+
+Note: This feature is available for both NGINX and NGINX Plus (excluding NGINX AppProtect WAF and AppProtect DoS) users.
diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md
@@ -249,7 +249,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.podDisruptionBudget.minAvailable`` | The number of Ingress Controller pods that should be available. | 0 |
 |``controller.podDisruptionBudget.maxUnavailable`` | The number of Ingress Controller pods that can be unavailable. | 0 |
 |``controller.strategy`` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy). | {} |
-| `controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
+|``controller.disableIPV6`` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
 |``controller.readOnlyRootFilesystem`` | Configure root filesystem as read-only and add volumes for temporary data. | false |
 |``rbac.create`` | Configures RBAC. | true |
 |``prometheus.create`` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false |