{"id":25531253,"url":"https://github.com/guessi/ingress-nginx-controller-security-best-practices","last_synced_at":"2026-01-18T02:30:13.899Z","repository":{"id":45847029,"uuid":"189731703","full_name":"guessi/ingress-nginx-controller-security-best-practices","owner":"guessi","description":"Ingress-NGINX Controller for Kubernetes with Security Best Practices","archived":false,"fork":false,"pushed_at":"2023-08-11T09:40:32.000Z","size":31,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-04-17T19:20:39.772Z","etag":null,"topics":["best-practices","nginx","nginx-ingress","nginx-ingress-controller","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/guessi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-01T12:44:37.000Z","updated_at":"2023-03-25T15:17:16.000Z","dependencies_parsed_at":"2023-01-22T20:15:07.445Z","dependency_job_id":null,"html_url":"https://github.com/guessi/ingress-nginx-controller-security-best-practices","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guessi%2Fingress-nginx-controller-security-best-practices","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guessi%2Fingress-nginx-controller-security-best-practices/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guessi%2Fingress-nginx-controller-security-best-practices/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/guessi%2Fingress-nginx-controller-security-best-practices/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/guessi","download_url":"https://codeload.github.com/guessi/ingress-nginx-controller-security-best-practices/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239758824,"owners_count":19692034,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["best-practices","nginx","nginx-ingress","nginx-ingress-controller","security"],"created_at":"2025-02-20T00:47:55.179Z","updated_at":"2026-01-18T02:30:13.840Z","avatar_url":"https://github.com/guessi.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ingress-NGINX Controller for Kubernetes with Security Best Practices\n\nSample deployment of [Ingress-Nginx Controller](https://kubernetes.github.io/ingress-nginx/) for Kubernetes with security best practices.\n\n## Disclaimer\n\n\u003e :warning: These are demo-purpose scripts; review changes before applying. **DO NOT** apply to production directly :warning:\n\n## Why Did I Create This Repository?\n\nThere are tons of sample scripts for the Ingress-Nginx Controller, but few of them are secure by default.\n\n## Let's Get Started\n\n### Verify you are running with a compatible version of the tools\n\n    $ kubectl version --output json\n    {\n        \"clientVersion\": {\n            \"major\": \"1\",\n            \"minor\": \"27\", # \u003c----------- client version is compatible with server version.\n            ...\n        },\n        
\"kustomizeVersion\": \"v5.0.1\",\n        \"serverVersion\": {\n            \"major\": \"1\",\n            \"minor\": \"27+\", # \u003c----------- server version is compatible with client version.\n            ...\n        }\n    }\n\n    $ helm version --short\n    v3.12.3+g3a31588\n\n### Ensure helm-repo is up to date\n\n    $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx\n    \"ingress-nginx\" has been added to your repositories\n\n    $ helm repo update ingress-nginx\n    Hang tight while we grab the latest from your chart repositories...\n    ...Successfully got an update from the \"ingress-nginx\" chart repository\n    Update Complete. ⎈Happy Helming!⎈\n\n### Install Nginx Ingress Controller\n\n    $ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace --values values.yaml --wait\n    Release \"ingress-nginx\" does not exist. Installing it now.\n    NAME: ingress-nginx\n    LAST DEPLOYED: Fri Aug 11 17:30:00 2023\n    NAMESPACE: ingress-nginx\n    STATUS: deployed\n    REVISION: 1\n    TEST SUITE: None\n    NOTES:\n    The ingress-nginx controller has been installed.\n    ...\n\n### Verify Installation\n\n\n    $ helm list --filter ingress-nginx --namespace ingress-nginx\n    NAME         \tNAMESPACE    \tREVISION\tUPDATED                             \tSTATUS  \tCHART              \tAPP VERSION\n    ingress-nginx\tingress-nginx\t1       \t2023-08-11 17:30:00.000000 +0800 CST\tdeployed\tingress-nginx-4.7.1\t1.8.1\n\n    $ kubectl get services ingress-nginx-controller --namespace ingress-nginx\n    NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP                         PORT(S)                      AGE\n    ingress-nginx-controller   LoadBalancer   10.100.57.100   XXXXX.elb.us-east-1.amazonaws.com   80:31928/TCP,443:30836/TCP   2m17s\n\n### Detect Installed Version\n\n    $ POD_NAME=$(kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx 
-o jsonpath='{.items[0].metadata.name}')\n\n    $ echo ${POD_NAME}\n    ingress-nginx-controller-7cdcd54cc6-4sw5w\n\n    $ kubectl -n ingress-nginx exec -it ${POD_NAME} -- /nginx-ingress-controller --version\n    -------------------------------------------------------------------------------\n    NGINX Ingress controller\n      Release:       v1.8.1\n      Build:         dc88dce9ea5e700f3301d16f971fa17c6cfe757d\n      Repository:    https://github.com/kubernetes/ingress-nginx\n      nginx version: nginx/1.21.6\n    -------------------------------------------------------------------------------\n\n### Deploy\n\nDeploy sample scripts via `kubectl apply`\n\n    $ kubectl apply -f ./examples\n    deployment.apps/demo-basic-auth created\n    deployment.apps/demo-backend created\n    service/demo-basic-auth created\n    service/demo-backend created\n    ingress.networking.k8s.io/demo-ingress created\n\nCheck deployment status\n\n    $ kubectl get ingress,service,deployment\n    NAME                                     CLASS   HOSTS   ADDRESS                             PORTS   AGE\n    ingress.networking.k8s.io/demo-ingress   nginx   *       XXXXX.elb.us-east-1.amazonaws.com   80      24s\n\n    NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE\n    service/demo-backend      ClusterIP   10.100.190.107   \u003cnone\u003e        8088/TCP   26s\n    service/demo-basic-auth   ClusterIP   10.100.203.205   \u003cnone\u003e        80/TCP     25s\n    service/kubernetes        ClusterIP   10.100.0.1       \u003cnone\u003e        443/TCP    2d13h\n\n    NAME                              READY   UP-TO-DATE   AVAILABLE   AGE\n    deployment.apps/demo-backend      1/1     1            1           26s\n    deployment.apps/demo-basic-auth   1/1     1            1           25s\n\n### Verification\n\nExpose backend service entries directly with port-forward\n\n    $ kubectl port-forward service/demo-backend 18088:8088\n    Forwarding from 
127.0.0.1:18088 -\u003e 5678\n    Forwarding from [::1]:18088 -\u003e 5678\n\nCheck what the backend service returns via the proxy\n\n    $ curl -i -u 'user:mysecretpassword' \"http://localhost:18088/v1\"\n    HTTP/1.1 200 OK\n    X-App-Name: http-echo # \u003c--------------------- Service information exposed.\n    X-App-Version: 0.2.3 # \u003c--------------------- Running version information exposed.\n    Date: Fri, 11 Aug 2023 09:30:00 GMT\n    Content-Length: 14\n    Content-Type: text/plain; charset=utf-8\n\n    \"hello world\"\n\nWait until the ingress endpoint becomes ready (the ADDRESS field should show the ELB address)\n\n    $ kubectl get ingress\n    NAME           CLASS   HOSTS   ADDRESS                             PORTS   AGE\n    demo-ingress   nginx   *       XXXXX.elb.us-east-1.amazonaws.com   80      55s\n\nLet's check the responses again with the ELB endpoint, HTTPS protocol\n\n    $ curl -i -u 'user:mysecretpassword' \"https://${LOAD_BALANCER}/v1\" -k\n    HTTP/2 200 # \u003c--------------------- Serve with HTTP/2.\n    date: Fri, 11 Aug 2023 09:30:00 GMT\n    content-type: text/plain; charset=utf-8\n    content-length: 14\n    strict-transport-security: max-age=15724800; includeSubDomains # \u003c--------------------- No sensitive information exposed.\n\n    \"hello world\"\n\nLet's check the responses again with the ELB endpoint, HTTP protocol\n\n    $ curl -i -u 'user:mysecretpassword' \"http://${LOAD_BALANCER}/v1\"\n    HTTP/1.1 308 Permanent Redirect # \u003c--------------------- Securely redirect to HTTPS.\n    Date: Fri, 11 Aug 2023 09:30:00 GMT\n    Content-Type: text/html\n    Content-Length: 164\n    Connection: keep-alive\n    Location: https://${LOAD_BALANCER}/v1 # \u003c--------------------- Securely redirect to HTTPS.\n\nTry modifying `ingress.yaml` and see what the difference is\n\nIn this example, the response headers for HTTP requests:\n\n- Nginx version is not exposed\n- Server information is hidden\n- Protected by [ModSecurity](https://modsecurity.org/)\n- 
Protected by Basic DoS Protection\n\n## Cleanup\n\nCleanup sample scripts via `kubectl delete`\n\n    $ kubectl delete -f ./examples\n\nCleanup Nginx Ingress Controller\n\n    $ helm uninstall ingress-nginx --namespace ingress-nginx\n\n# Reference\n\n- [Nginx-Ingress Controller](https://kubernetes.github.io/ingress-nginx/)\n- [Nginx Full Configurations Example](https://www.nginx.com/resources/wiki/start/topics/examples/full/)\n- [ModSecurity Web Application Firewall](https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/)\n- [Role-Based Access Control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)\n\n# License\n\n[GPLv2](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguessi%2Fingress-nginx-controller-security-best-practices","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fguessi%2Fingress-nginx-controller-security-best-practices","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguessi%2Fingress-nginx-controller-security-best-practices/lists"}