diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index ceeb03bc9e..fa3232c2b0 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md 
@@ -379,8 +379,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. 
The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | |`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | @@ -465,7 +468,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | |`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | |`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | -|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | |`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | |`controller.enableTelemetryReporting` | Enable telemetry reporting. | true | |`rbac.create` | Configures RBAC. | true | diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl index 274566617a..3f13513dc9 100644 --- a/charts/nginx-ingress/templates/_helpers.tpl +++ b/charts/nginx-ingress/templates/_helpers.tpl 
@@ -134,6 +134,17 @@ Expand image name. {{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} {{- end -}} +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + {{/* Build the args for the service binary. */}} diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index b2459c927c..5ed507b10a 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -40,8 +40,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: @@ -55,10 +54,10 @@ spec: affinity: {{ toYaml .Values.controller.affinity | indent 8 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumes }} volumes: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: nginx-etc emptyDir: {} - name: nginx-cache 
@@ -117,6 +116,10 @@ spec: periodSeconds: 1 initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} {{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} @@ -127,10 +130,11 @@ spec: - ALL add: - NET_BIND_SERVICE -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} +{{- end }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }} volumeMounts: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - mountPath: /etc/nginx name: nginx-etc - mountPath: /var/cache/nginx @@ -168,10 +172,10 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: init-{{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" @@ -180,6 +184,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
@@ -188,6 +196,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 1f291ff4cd..e2a4b16c0d 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -56,10 +56,10 @@ spec: topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true") .Values.controller.volumes }} volumes: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: nginx-etc emptyDir: {} - name: nginx-cache @@ -78,8 +78,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} @@ -126,6 +125,10 @@ spec: {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} 
@@ -136,10 +139,11 @@ spec: - ALL add: - NET_BIND_SERVICE -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} +{{- end }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }} volumeMounts: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - mountPath: /etc/nginx name: nginx-etc - mountPath: /var/cache/nginx @@ -175,10 +179,10 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: init-{{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" @@ -187,6 +191,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -195,6 +203,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 5d27c4151b..2a1569c66b 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json 
@@ -508,6 +508,24 @@ "title": "The terminationGracePeriodSeconds Schema", "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, "resources": { "type": "object", "default": {}, @@ -1455,6 +1473,13 @@ }, "nodeSelector": {}, "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, "resources": { "requests": { "cpu": "100m", diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 5e98237194..6c2cabb95d 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml 
@@ -167,6 +167,26 @@ controller: # cpu: 1 # memory: 1Gi + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. initContainerResources: requests: @@ -460,6 +480,8 @@ controller: defaultHTTPSListenerPort: 443 ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set readOnlyRootFilesystem: false ## Enable dynamic reloading of certificates diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index edd2b904e2..afa3f6f862 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md 
@@ -342,8 +342,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.volumeMounts** | The volumeMounts of the Ingress Controller pods. | [] | | **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] | | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +| **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +| **controller.securityContext** | The SecurityContext for Ingress Controller container. | {} | +| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +| **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 | | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. 
The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | | **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | @@ -428,7 +431,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | | **controller.defaultHTTPListenerPort** | Sets the port for the HTTP `default_server` listener. | 80 | | **controller.defaultHTTPSListenerPort** | Sets the port for the HTTPS `default_server` listener. | 443 | -| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. | false | +| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | | **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true | | **rbac.create** | Configures RBAC. | true | | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
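Review bot: In the README `@@ -379` hunk and the matching docs `@@ -342` hunk, the `controller.initContainerSecurityContext` and `controller.initContainerResources` rows are missing a space in "`controller.readOnlyRootFilesystem`to `true`", and the new `controller.podSecurityContext` row has no space before its closing `|`, unlike the neighbouring rows. The `controller.securityContext` row should also say what `{}` means: the templates render the chart's built-in hardened context (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `add: [NET_BIND_SERVICE]`) when the value is empty, and any user-supplied value replaces that block wholesale rather than merging with it, which readers of the table cannot tell from "The SecurityContext for Ingress Controller container." alone.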
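Review bot: The `nginx-ingress.readOnlyRootFilesystem` helper in the `_helpers.tpl` hunk returns `true` whenever `.Values.controller.readOnlyRootFilesystem` is true, regardless of whether `controller.securityContext` is set, which contradicts the new comment in the values.yaml `@@ -460` hunk ("This value will not be used if `controller.securityContext` is set"). With `controller.securityContext` populated but lacking `readOnlyRootFilesystem`, and the legacy flag still `true`, the chart renders the `nginx-etc`/`nginx-cache` emptyDir volumes, the volumeMounts and the init container, yet the running container keeps a writable root filesystem because its securityContext now comes from the user's block. Either make the helper ignore the legacy flag when `.Values.controller.securityContext` is non-empty (and fix the comment, which also lacks a trailing period), or keep the OR and correct the comment; in both cases consider failing the render (`fail`) or surfacing a NOTES warning when the two settings disagree, so the hardening the operator expects is not silently dropped.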
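Review bot: In the `@@ -117` (daemonset) and `@@ -126` (deployment) hunks, a user-provided `controller.securityContext` takes the `if` branch and entirely replaces the hardened `else` block, so a values file that sets only, say, `runAsNonRoot: true` silently loses `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; the same applies to `initContainerSecurityContext` in the `@@ -180`/`@@ -187` hunks, where the init container's `readOnlyRootFilesystem: true` is dropped as well. Prefer merging the user block over the defaults (Sprig's `merge`/`mergeOverwrite` are available in Helm templates) or, at minimum, state in values.yaml and the README that the whole context must be supplied. Minor style point in the deployment hunks: `( eq (include ...) "true" )` uses different spacing from the daemonset's `(eq (include ...) "true" )`; pick one form for both files.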
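Review bot: The `@@ -40` (daemonset) and `@@ -78` (deployment) hunks move `seccompProfile: type: RuntimeDefault` from an unconditional template line into the `controller.podSecurityContext` default, so any operator who overrides `podSecurityContext` (for example to add `fsGroup` or `runAsUser`) without repeating `seccompProfile` removes the seccomp restriction that the previous template always enforced. Either keep rendering `seccompProfile` unless the override explicitly sets it, or document in the README/values.yaml comment that overrides must retain it. Also, `{{ toYaml .Values.controller.podSecurityContext | indent 8 }}` has no guard: a `null` value renders `securityContext:` followed by an indented `null`, which parses but is surprising; a `{{- with }}` block around the key would be cleaner.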
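Review bot: In the values.yaml `@@ -167` hunk, the commented example under `securityContext` shows `allowPrivilegeEscalation: true`, which is weaker than the chart's own default of `false` in the template `else` branch; users tend to uncomment these examples as-is, so show `false` (matching the hardened default) and keep `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and the capability drop as the reference configuration. The comment "# Remove curly brackets before adding values" is helpful; consider the same comment on `initContainerSecurityContext: {}`, which has none.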
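Review bot: In the values.schema.json `@@ -508` hunk, the `podSecurityContext` property declares `"default": {}`, but the defaults block added in the `@@ -1455` hunk of the same file (and values.yaml) sets `seccompProfile: {type: RuntimeDefault}`; align the property-level default with the real default so schema consumers do not see an empty pod security context. The `$ref` choices (`PodSecurityContext` for the pod-level field, `SecurityContext` for both container-level fields) are correct.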