Remove k8s API access from NGINX deployment #4344

@sjberman

Description

Right now our init container in the NGINX deployment accesses the API to gather data for NGINX Plus licensing reasons. However, the data that is gathered can be provided directly to the init container.

We need to remove API access from the NGINX Deployment for security reasons. This means updating the init container to no longer do this, and removing the automountServiceAccountToken from the Deployment spec.

Acceptance

  • update the init container to no longer access the k8s API, and instead get the necessary data (ClusterID) via a CLI argument
    • node count is variable and doesn't need to be included on startup
  • only set this data and create the deployment context file if we're running NGINX Plus
  • remove automountServiceAccountToken from the NGINX Deployment spec, and ensure that the token is no longer set
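
The last acceptance item as a mechanical check, added here as an example that is not part of the issue or the project's code: a Go helper (`tokenExposure`, a hypothetical name) takes a pod template spec as JSON plus the ServiceAccount's `automountServiceAccountToken` value and lists every reason a token would still reach the pod. The spec passed in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical helper type (not project code): the pod spec fields that decide token mounting.
type podSpec struct {
	Automount *bool `json:"automountServiceAccountToken"`
	Volumes   []struct {
		Name      string `json:"name"`
		Projected *struct {
			Sources []struct {
				Token *json.RawMessage `json:"serviceAccountToken"`
			} `json:"sources"`
		} `json:"projected"`
	} `json:"volumes"`
}

// tokenExposure lists why a token would be in the pod (empty = none); saAutomount nil = unset.
func tokenExposure(podSpecJSON string, saAutomount *bool) ([]string, error) {
	var pod podSpec
	if err := json.Unmarshal([]byte(podSpecJSON), &pod); err != nil {
		return nil, err
	}
	var reasons []string
	switch { // the pod-level field overrides the ServiceAccount; unset on both means mount
	case pod.Automount != nil && *pod.Automount:
		reasons = append(reasons, "pod spec sets automountServiceAccountToken: true")
	case pod.Automount == nil && (saAutomount == nil || *saAutomount):
		reasons = append(reasons, "automount not disabled on pod spec or ServiceAccount")
	}
	for _, v := range pod.Volumes { // explicit projected tokens ignore the automount setting
		if v.Projected == nil {
			continue
		}
		for _, s := range v.Projected.Sources {
			if s.Token != nil {
				reasons = append(reasons, "volume "+v.Name+" projects a serviceAccountToken")
			}
		}
	}
	return reasons, nil
}

func main() {
	off := false // constructed case: field removed from the pod spec, ServiceAccount disables automount
	fmt.Println(tokenExposure(`{"containers":[{"name":"nginx"}]}`, &off))
}
```

Removing the field from the Deployment only stops the mount when the ServiceAccount itself sets `automountServiceAccountToken: false`; with the field unset on both, Kubernetes mounts the token by default.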

Labels: area/security (For security best practices), bug (Something isn't working)