@sjberman sjberman commented Dec 1, 2025

Problem: The init container in the NGINX pod needed k8s API access for NGINX Plus licensing purposes. However, this data could be provided by the control plane without the init container needing the API access. For security reasons, the NGINX pod shouldn't have any access to the API.

Solution: Remove API access and provide the necessary data directly to the pod.

Testing: Verified that the API service account token no longer exists in the data plane pod.

Closes #4344

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Removed k8s API access from the NGINX data plane pod.
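
The check described under Testing can be automated against a pod's JSON (for example the output of `kubectl get pod -o json`). This is an added example, not code from this PR or the project; the container and volume names in the sample are constructed, and `TokenMounts` is a hypothetical helper.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema; encoding/json matches keys case-insensitively.
type container struct {
	Name         string
	VolumeMounts []struct{ Name, MountPath string }
}
type volume struct {
	Name      string
	Projected struct{ Sources []struct{ ServiceAccountToken *json.RawMessage } }
}
type podSpec struct {
	InitContainers, Containers []container
	Volumes                    []volume
}

// Constructed sample: the init container still mounts the API token volume.
const samplePod = `{"spec":{"initContainers":[{"name":"init","volumeMounts":[{"name":"kube-api-access-x","mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}]}],
 "containers":[{"name":"nginx","volumeMounts":[{"name":"conf","mountPath":"/etc/nginx"}]}],"volumes":[{"name":"kube-api-access-x","projected":{"sources":[{"serviceAccountToken":{"path":"token"}}]}},{"name":"conf","emptyDir":{}}]}}`

// TokenMounts lists "container:mountPath" for each container that mounts a service account token volume.
func TokenMounts(podJSON []byte) ([]string, error) {
	var p struct{ Spec podSpec }
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, err
	}
	tokenVols := map[string]bool{} // volumes with a serviceAccountToken projection
	for _, v := range p.Spec.Volumes {
		for _, s := range v.Projected.Sources {
			tokenVols[v.Name] = tokenVols[v.Name] || s.ServiceAccountToken != nil
		}
	}
	var found []string
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		for _, m := range c.VolumeMounts {
			if tokenVols[m.Name] {
				found = append(found, c.Name+":"+m.MountPath)
			}
		}
	}
	return found, nil
}

func main() { fmt.Println(TokenMounts([]byte(samplePod))) }
```

An empty result for every data plane pod is the state the Testing line describes. The check only covers projected token volumes, so a token supplied through a legacy Secret volume would need a separate check.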

@sjberman sjberman requested a review from a team as a code owner December 1, 2025 19:37
@github-actions github-actions bot added the bug Something isn't working label Dec 1, 2025
codecov bot commented Dec 1, 2025

Codecov Report

❌ Patch coverage is 73.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.11%. Comparing base (cc80ed5) to head (cdad526).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cmd/gateway/commands.go 0.00% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4368      +/-   ##
==========================================
- Coverage   86.11%   86.11%   -0.01%     
==========================================
  Files         132      132              
  Lines       14344    14343       -1     
  Branches       35       35              
==========================================
- Hits        12352    12351       -1     
+ Misses       1789     1787       -2     
- Partials      203      205       +2     

@sjberman sjberman enabled auto-merge (squash) December 1, 2025 23:30
@sjberman sjberman merged commit 2a78ff1 into main Dec 1, 2025
59 of 61 checks passed
@sjberman sjberman deleted the bug/api-access branch December 1, 2025 23:43
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Dec 1, 2025

Labels

bug Something isn't working release-notes

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Remove k8s API access from NGINX deployment
