From 63f287aa639fa63a58e963c874593ecf4e59cd5c Mon Sep 17 00:00:00 2001 From: Venktesh Date: Tue, 13 Feb 2024 16:12:52 +0000 Subject: [PATCH] Add SecurityContext to helm values --- .../templates/controller-daemonset.yaml | 13 ++++++++-- .../templates/controller-deployment.yaml | 13 ++++++++-- charts/nginx-ingress/values.schema.json | 25 +++++++++++++++++++ charts/nginx-ingress/values.yaml | 22 +++++++++++++++- 4 files changed, 68 insertions(+), 5 deletions(-) diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index b2459c927c..58c2a3be52 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -40,8 +40,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: @@ -117,6 +116,10 @@ spec: periodSeconds: 1 initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} {{- end }} +{{- if .Values.controller.containerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} @@ -127,6 +130,7 @@ spec: - ALL add: - NET_BIND_SERVICE +{{- end }} {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} volumeMounts: {{- end }} @@ -180,6 +184,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -188,6 +196,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 1f291ff4cd..6d04d3aa5b 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -78,8 +78,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} @@ -126,6 +125,10 @@ spec: {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.containerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} @@ -136,6 +139,7 @@ spec: - ALL add: - NET_BIND_SERVICE +{{- end }} {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} volumeMounts: {{- end }} @@ -187,6 +191,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -195,6 +203,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 15ceaeeec1..4065379e52 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -477,6 +477,24 @@ "title": "The terminationGracePeriodSeconds Schema", "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "containerSecurityContext": { + "type": "object", + "default": {}, + "title": "The containerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, "resources": { "type": "object", "default": {}, @@ -1424,6 +1442,13 @@ }, "nodeSelector": {}, "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containerSecurityContext": {}, + "initContainerSecurityContext": {}, "resources": { "requests": { "cpu": "100m", diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 5e98237194..a24a5972c5 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -167,6 +167,26 @@ controller: # cpu: 1 # memory: 1Gi + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + containerSecurityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. initContainerResources: requests: @@ -460,7 +480,7 @@ controller: defaultHTTPSListenerPort: 443 ## Configure root filesystem as read-only and add volumes for temporary data. - readOnlyRootFilesystem: false + readOnlyRootFilesystem: false # after 3 major releases starting 3.5.x, this argument will be moved to the `containerSecurityContext` section. ## Enable dynamic reloading of certificates enableSSLDynamicReload: true