Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow securityContext and podSecurityContext to be configurable via helm parameters #5084

Merged
merged 8 commits into from
Feb 19, 2024
Merged

Allow securityContext and podSecurityContext to be configurable via helm parameters #5084

merged 8 commits into from
Feb 19, 2024

Conversation

vepatel
Copy link
Contributor

@vepatel vepatel commented Feb 13, 2024
edited by shaun-nx
Loading

Proposed changes

Allow securityContext and podSecurityContext to be configurable via helm parameters, so users have the flexibility to configure k8s properties like allowPrivilegeEscalation, capabilities etc.

Defaults are same as last release but user can modify as shown below:

values.yaml

  ## The security context for the Ingress Controller pods.
  podSecurityContext:
    seccompProfile:
      type: RuntimeDefault

  ## The security context for the Ingress Controller containers.
  securityContext:  # Remove curly brackets before adding values
    allowPrivilegeEscalation: true
    readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem
    runAsUser: 101 #nginx
    runAsNonRoot: true
    capabilities:
      drop:
      - ALL
      add:
      - NET_BIND_SERVICE

  ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
  initContainerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    runAsUser: 101 #nginx
    runAsNonRoot: true
    capabilities:
      drop:
      - ALL
      add:
      - NET_BIND_SERVICE
 ~/nginx/kubernetes-ingress/charts/nginx-ingress on feat/security-context-helm ● λ k get po
NAME                                                     READY   STATUS    RESTARTS   AGE
test-release-nginx-ingress-controller-5f8cc49487-wd2m5   1/1     Running   0          2m41s

generated pod spec:

    image: nginx/nginx-ingress:edge
    imagePullPolicy: Always
    name: nginx-ingress
    ports:
    - containerPort: 80
      name: http
      protocol: TCP
    - containerPort: 443
      name: https
      protocol: TCP
    - containerPort: 9113
      name: prometheus
      protocol: TCP
    - containerPort: 8081
      name: readiness-port
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /nginx-ready
        port: readiness-port
        scheme: HTTP
      periodSeconds: 1
      successThreshold: 1
      timeoutSeconds: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/nginx
      name: nginx-etc
    - mountPath: /var/cache/nginx
      name: nginx-cache
    - mountPath: /var/lib/nginx
      name: nginx-lib
    - mountPath: /var/log/nginx
      name: nginx-log
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-ghh8x
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  initContainers:
  - command:
    - cp
    - -vdR
    - /etc/nginx/.
    - /mnt/etc
    image: nginx/nginx-ingress:edge
    imagePullPolicy: Always
    name: init-nginx-ingress
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /mnt/etc
      name: nginx-etc
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-ghh8x
      readOnly: true
  nodeName: <redacted>
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    seccompProfile:
      type: RuntimeDefault

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@vepatel vepatel requested a review from a team as a code owner February 13, 2024 16:22
@github-actions github-actions bot added enhancement Pull requests for new features/feature enhancements helm_chart Pull requests that update the Helm Chart labels Feb 13, 2024
@vepatel vepatel linked an issue Feb 13, 2024 that may be closed by this pull request
Allow securityContext and podSecurityContext to be configurable via helm parameters #4942
Closed
@vepatel vepatel requested a review from a team as a code owner February 13, 2024 16:34
@github-actions github-actions bot added the documentation Pull requests/issues for documentation label Feb 13, 2024
@vepatel vepatel requested a review from ADubhlaoich February 13, 2024 16:34
oseoin
oseoin reviewed Feb 13, 2024
View reviewed changes
charts/nginx-ingress/values.yaml Outdated Show resolved Hide resolved
charts/nginx-ingress/values.yaml Show resolved Hide resolved
charts/nginx-ingress/values.yaml Outdated Show resolved Hide resolved
docs/content/installation/installing-nic/installation-with-helm.md Outdated Show resolved Hide resolved
@vepatel vepatel merged commit f876663 into main Feb 19, 2024
80 checks passed
@vepatel vepatel deleted the feat/security-context-helm branch February 19, 2024 16:31
@shaun-nx shaun-nx mentioned this pull request May 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jcahilltorre Jcahilltorre Jcahilltorre approved these changes

@oseoin oseoin oseoin approved these changes

@haywoodsh haywoodsh Awaiting requested review from haywoodsh

@jjngx jjngx Awaiting requested review from jjngx

@shaun-nx shaun-nx Awaiting requested review from shaun-nx

@pdabelf5 pdabelf5 Awaiting requested review from pdabelf5

@ADubhlaoich ADubhlaoich Awaiting requested review from ADubhlaoich

Assignees
No one assigned
Labels
documentation Pull requests/issues for documentation enhancement Pull requests for new features/feature enhancements helm_chart Pull requests that update the Helm Chart
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow securityContext and podSecurityContext to be configurable via helm parameters
3 participants
@vepatel @oseoin @Jcahilltorre