Add SecurityContext to helm values

nginx · Feb 13, 2024 · 63f287a · 63f287a
1 parent 65d2285
commit 63f287a
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 5 deletions.
diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml
@@ -40,8 +40,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
 {{- if .Values.controller.nodeSelector }}
       nodeSelector:
@@ -117,6 +116,10 @@ spec:
           periodSeconds: 1
           initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
 {{- end }}
+{{- if .Values.controller.containerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.containerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -127,6 +130,7 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
+{{- end }}
 {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
@@ -180,6 +184,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -188,6 +196,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc

diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml
@@ -78,8 +78,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
@@ -126,6 +125,10 @@ spec:
 {{- end }}
         resources:
 {{ toYaml .Values.controller.resources | indent 10 }}
+{{- if .Values.controller.containerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.containerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -136,6 +139,7 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
+{{- end }}
 {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
@@ -187,6 +191,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -195,6 +203,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc

diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
@@ -477,6 +477,24 @@
           "title": "The terminationGracePeriodSeconds Schema",
           "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
         },
+        "podSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The podSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
+        },
+        "containerSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The containerSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
+        "initContainerSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The initContainerSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
         "resources": {
           "type": "object",
           "default": {},
@@ -1424,6 +1442,13 @@
           },
           "nodeSelector": {},
           "terminationGracePeriodSeconds": 30,
+          "podSecurityContext": {
+            "seccompProfile": {
+              "type": "RuntimeDefault"
+            }
+          },
+          "containerSecurityContext": {},
+          "initContainerSecurityContext": {},
           "resources": {
             "requests": {
               "cpu": "100m",

diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
@@ -167,6 +167,26 @@ controller:
   #   cpu: 1
   #   memory: 1Gi
 
+  ## The security context for the Ingress Controller pods.
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  ## The security context for the Ingress Controller containers.
+  containerSecurityContext: {} # Remove curly brackets before adding values
+    # allowPrivilegeEscalation: true
+    # readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem
+    # runAsUser: 101 #nginx
+    # runAsNonRoot: true
+    # capabilities:
+    #   drop:
+    #   - ALL
+    #   add:
+    #   - NET_BIND_SERVICE
+
+  ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
+  initContainerSecurityContext: {}
+
   ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
   initContainerResources:
     requests:
@@ -460,7 +480,7 @@ controller:
   defaultHTTPSListenerPort: 443
 
   ## Configure root filesystem as read-only and add volumes for temporary data.
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: false # after 3 major releases starting 3.5.x, this argument will be moved to the `containerSecurityContext` section.
 
   ## Enable dynamic reloading of certificates
   enableSSLDynamicReload: true