This installs ingress-nginx, the Kubernetes-hosted ingress controller built on nginx, not to be confused with nginx-ingress, the ingress controller built on nginx that is hosted by nginx itself.

We pass values to the Helm chart to:

- use 2 ingress controller replicas, to increase availability during high-traffic periods
- ensure we get the real client IP in the logs rather than cluster network IPs, using:
  - `controller.config.enable-real-ip=true`
  - `controller.config.use-forwarded-headers=true`
  - `controller.service.externalTrafficPolicy='Local'`
- set the `TZ` env var to your own time zone via the `controller.extraEnvs` parameter
- allow snippet annotations in individual Ingress resources using `controller.allowSnippetAnnotations=true`
- enable metrics via a ServiceMonitor using `controller.metrics.serviceMonitor.enabled=true`
- enable ModSecurity as a WAF (Web Application Firewall). Check out this blog post for some pointers. From that post:
> And you can further tweak the configuration at the Ingress level, even fully disable it, using the `nginx.ingress.kubernetes.io/modsecurity-snippet` annotation. For example, to disable the WAF in a specific Ingress:
>
> ```yaml
> nginx.ingress.kubernetes.io/modsecurity-snippet: |
>   SecRuleEngine Off
> ```
Since ModSecurity may not keep going (F5/NGINX no longer support it), it is worth keeping an eye on Coraza, a SecLang-compatible WAF engine.
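As an added check that is not part of this repo, the following Python audits the Helm values listed above, expressed as the nested dict a values.yaml parses into, and flags the one trap in the real-IP settings: `use-forwarded-headers` trusts `X-Forwarded-For` from every peer unless `proxy-real-ip-cidr` narrows it to the upstream proxy. The sample values, the `Europe/Berlin` time zone and the `0.0.0.0/0` default for `proxy-real-ip-cidr` are assumptions.

```python
"""Audit the ingress-nginx Helm values described on this page."""
from typing import Any

# Constructed sample of the values the page describes (not the repo's own
# values file); the TZ value is a placeholder.
VALUES = {
    "controller": {
        "replicaCount": 2,
        "config": {"enable-real-ip": "true", "use-forwarded-headers": "true"},
        "service": {"externalTrafficPolicy": "Local"},
        "extraEnvs": [{"name": "TZ", "value": "Europe/Berlin"}],
        "allowSnippetAnnotations": True,
        "metrics": {"serviceMonitor": {"enabled": True}},
    }
}


def _get(d: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'controller.config.enable-real-ip'."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def _truthy(v: Any) -> bool:
    # ConfigMap values are strings while Helm flags may be bools: accept both.
    return v is True or str(v).lower() == "true"


def audit(values: dict) -> list:
    """Return (severity, message) findings for the settings on this page."""
    findings = []
    if int(_get(values, "controller.replicaCount", 1)) < 2:
        findings.append(("warn", "replicaCount < 2: single point of failure"))
    if not _truthy(_get(values, "controller.config.enable-real-ip")):
        findings.append(("warn", "enable-real-ip off: logs show cluster IPs"))
    if _get(values, "controller.service.externalTrafficPolicy") != "Local":
        findings.append(("warn", "externalTrafficPolicy not Local: source IP is SNATed"))
    # Assumed default of 0.0.0.0/0 means every peer may set X-Forwarded-For,
    # so a client could forge the IP that ends up in the access log.
    if _truthy(_get(values, "controller.config.use-forwarded-headers")) and \
            _get(values, "controller.config.proxy-real-ip-cidr", "0.0.0.0/0") == "0.0.0.0/0":
        findings.append(("high", "use-forwarded-headers trusts X-Forwarded-For from any source; set proxy-real-ip-cidr"))
    if _truthy(_get(values, "controller.allowSnippetAnnotations")):
        findings.append(("info", "snippet annotations let Ingress authors inject raw nginx config; restrict who may create Ingresses"))
    if not _truthy(_get(values, "controller.metrics.serviceMonitor.enabled")):
        findings.append(("info", "metrics ServiceMonitor disabled"))
    return findings
```

Run `audit(VALUES)` after loading your real values file with PyYAML to get the same report for the deployed chart.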
We also use a few Grafana dashboards to get a high-level overview of what is going on. You can view these dashboards in the prometheus/dashboards directory, but here's a sample: