From 760c5809c1112d85b402e76c699c110602a7b887 Mon Sep 17 00:00:00 2001 From: Nick Shadrin Date: Thu, 16 Oct 2025 12:41:47 -0500 Subject: [PATCH 1/3] Fix spelling of 'Uri' to 'URI' in documentation. Corrected the spelling of 'Uri' to 'URI' for consistency. (cherry picked from commit 8cac33f3667792d14158ce5e030ce6d5e29eb69d) --- docs/getting_started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting_started.md b/docs/getting_started.md index 8b7aa7d..60b4252 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -464,7 +464,7 @@ An alternative way to use the container image on an EKS cluster is to use a serv - Configuring a [Kubernetes service account to assume an IAM role with EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html) - [Configure your pods, Deployments, etc to use the Service Account](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html) - As soon as the pods/deployments are updated, you will see the couple of Env Variables listed below in the pods. - - `AWS_CONTAINER_CREDENTIALS_FULL_URI` - Contains the Uri of the EKS Pod Identity Agent that will provide the credentials + - `AWS_CONTAINER_CREDENTIALS_FULL_URI` - Contains the URI of the EKS Pod Identity Agent that will provide the credentials - `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` - Contains the token which will be used to create temporary credentials using the EKS Pod Identity Agent. The minimal set of resources to deploy is the same than for [Running on EKS with IAM roles for service accounts](#running-on-eks-with-iam-roles-for-service-accounts), except there is no need to annotate the service account: From 4af180733ad832cb9d59cac2ef82c80185071bd9 Mon Sep 17 00:00:00 2001 From: Elijah Zupancic Date: Wed, 26 Nov 2025 14:21:03 -0800 Subject: [PATCH 2/3] chore: add nodejs version to tool versions Signed-off-by: Elijah Zupancic --- .tool-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.tool-versions b/.tool-versions index 99f4ccb..a994c30 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1 +1 @@ -nodejs 20.8.0 +nodejs 23.9.0 From ad8684cd137ed33da11d1c135c968824a1e45f99 Mon Sep 17 00:00:00 2001 From: Elijah Zupancic Date: Wed, 26 Nov 2025 14:23:54 -0800 Subject: [PATCH 3/3] docs: fix port mapping documentation for unprivileged containers Resolves #428 Add dedicated section explaining that unprivileged container images listen on port 8080 internally (not port 80), as they run as non-root users and cannot bind to privileged ports. Changes: - Add "Running Unprivileged Container Images" subsection with correct port mapping examples (80:8080 or 8080:8080) - Add note in Kubernetes section about containerPort for unprivileged images - Clarify security benefits of unprivileged containers The standard OSS images continue to use port 80 as they run as root. Only images tagged with 'unprivileged-oss-*' use port 8080. --- docs/getting_started.md | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/docs/getting_started.md b/docs/getting_started.md index 60b4252..16079a7 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -207,7 +207,7 @@ sudo env $(cat settings.example) ./standalone_ubuntu_oss_install.sh ### Running the Public Open Source NGINX Container Image -The latest builds of the gateway (that use open source NGINX) are available on +The latest builds of the gateway (that use open source NGINX) are available on the project's Github [package repository](https://github.com/nginxinc/nginx-s3-gateway/pkgs/container/nginx-s3-gateway%2Fnginx-oss-s3-gateway). To run with the public open source image, replace the `settings` file specified 
@@ -220,7 +220,7 @@ docker run --env-file ./settings --publish 80:80 --name nginx-s3-gateway \ If you would like to run with the latest njs version, run: ``` docker run --env-file ./settings --publish 80:80 --name nginx-s3-gateway \ - ghcr.io/nginxinc/nginx-s3-gateway/nginx-oss-s3-gateway:latest-njs-oss + ghcr.io/nginxinc/nginx-s3-gateway/nginx-oss-s3-gateway:latest-njs-oss ``` Alternatively, if you would like to pin your version to a specific point in @@ -230,6 +230,22 @@ docker run --env-file ./settings --publish 80:80 --name nginx-s3-gateway \ ghcr.io/nginxinc/nginx-s3-gateway/nginx-oss-s3-gateway:latest-njs-oss-20220310 ``` +#### Running Unprivileged Container Images + +Unprivileged container images run NGINX as a non-root user and listen on port **8080** internally (instead of port 80). This provides enhanced security by not requiring privileged ports. + +To run an unprivileged image, use the `unprivileged-oss` tag and map to port **8080**: +``` +docker run --env-file ./settings --publish 80:8080 --name nginx-s3-gateway \ + ghcr.io/nginxinc/nginx-s3-gateway/nginx-oss-s3-gateway:unprivileged-oss-20250718 +``` + +Alternatively, you can map host port 8080 to container port 8080 to avoid requiring elevated privileges on the host: +``` +docker run --env-file ./settings --publish 8080:8080 --name nginx-s3-gateway \ + ghcr.io/nginxinc/nginx-s3-gateway/nginx-oss-s3-gateway:unprivileged-oss-20250718 +``` + ### Building the Public Open Source NGINX Container Image In order to build the NGINX OSS container image, do a `docker build` as follows 
@@ -457,6 +473,9 @@ spec: path: /health port: http ``` + +**Note:** If using an unprivileged container image (e.g., `unprivileged-oss-YYYYMMDD`), change `containerPort: 80` to `containerPort: 8080` as unprivileged containers listen on port 8080. + ## Running on EKS with EKS Pod Identities An alternative way to use the container image on an EKS cluster is to use a service account which can assume a role using [Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
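Review bot: In PATCH 1/3, the context line directly below the corrected one in the `@@ -464,7 +464,7 @@` hunk of docs/getting_started.md says `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` "Contains the token", but the variable name ends in `_TOKEN_FILE`: it holds the path of a file that contains the token, not the token itself. Since this commit is a wording fix to the same list, correct that description here as well, and change "is the same than for" in the trailing context to "is the same as for".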
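Review bot: The subject of PATCH 2/3 says "add nodejs version to tool versions", but the `.tool-versions` hunk replaces an existing entry (`-nodejs 20.8.0` with `+nodejs 23.9.0`), so this is a three-major-version bump with no reason given in the message. Reword the subject to say it is a bump and state why 23.9.0 was chosen. Node.js odd-numbered release lines do not receive LTS status, so if the pin is meant to track a supported line, an even-numbered release is the usual choice.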
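Review bot: In PATCH 3/3, the `@@ -207,7 +207,7 @@` and `@@ -220,7 +220,7 @@` hunks each replace a line with one that reads the same (the "The latest builds of the gateway ..." sentence and the `latest-njs-oss` image line), so they appear to be whitespace-only changes. They are not listed under "Changes:" in the commit message and are unrelated to the port mapping fix. Drop them or move them to a separate cleanup commit so the documentation fix for #428 stays easy to review and cherry-pick.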
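Review bot: In the `@@ -230,6 +230,22 @@` hunk of PATCH 3/3, the added text tells the reader to "use the `unprivileged-oss` tag", while both commands pull `unprivileged-oss-20250718` and the commit message describes the tags as `unprivileged-oss-*`. State that the tag is a dated one of the form `unprivileged-oss-YYYYMMDD` (the form the Kubernetes note in this same patch uses) so readers do not try to pull a bare `unprivileged-oss` tag. Two smaller wording points in the same hunk: "This provides enhanced security by not requiring privileged ports" credits the port, whereas per the commit message the benefit comes from running as a non-root user and port 8080 is the consequence; and "map to port **8080**" should say "container port 8080", since the first example still publishes host port 80.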
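Review bot: The note added in the `@@ -457,6 +473,9 @@` hunk of PATCH 3/3 mentions only `containerPort`. The probe shown in the hunk's context refers to the port by name (`port: http`), so it follows the change automatically; say so in the note, and add that any place in the manifest that refers to port 80 by number needs the same edit. Otherwise a reader who changes `containerPort: 80` to `containerPort: 8080` alone can end up with traffic still directed at a port nothing listens on.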