How to set server-tokens to false, to disable the the NGINX header in ingress-nginx responses, within a Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned cluster

Article Number: 000020143

Situation

Task

The ingress-nginx server-tokens option controls display of the NGINX server header, including version information, in the response to ingress requests. By default this header is enabled; however, due to security concerns in exposing version information, a user might want to disable this on the nginx-ingress-controllers of their Kubernetes cluster(s). This article details how to disable the header, via the server-tokens option, in Rancher Kubernetes Engine (RKE) or Rancher v2.x provisioned clusters.

Pre-requisites

A Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes cluster

Resolution

RKE provisioned clusters

Add the server-tokens: "false" option for nginx into the cluster configuration YAML file as follows:

ingress:
    provider: nginx
    options:
      server-tokens: "false"

Example:

nodes:
  - address: x.x.x.x
    internal_address: x.x.x.x
    user: ubuntu
    role: [controlplane,worker,etcd]
ingress:
    provider: nginx
    options:
      server-tokens: "false"
services:
  etcd:
    snapshot: true
    creation: 6h
    retention: 24h

2. Execute rke up to update the cluster with the new configuration. N.B. Ensure the .rkestate file for the cluster is present in the working directory when invoking rke up per the documentation here:

rke up --config <cluster configuration YAML file>

Rancher v2.x provisioned clusters

Navigate to the Cluster within the Rancher UI and click 'Edit Cluster'.
Click 'Edit as YAML'.
Add the server-tokens: "false" option for nginx into the cluster configuration YAML file as follows:

rancher_kubernetes_engine_config:
[...]
  ingress:
      provider: nginx
      options:
        server-tokens: "false"

4. Click 'Save' to update the cluster with the new configuration.