Allow securityContext and podSecurityContext to be configurable via helm parameters #5084

Merged
merged 8 commits into from
Feb 19, 2024
7 changes: 5 additions & 2 deletions charts/nginx-ingress/README.md
Expand Up @@ -379,8 +379,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] |
|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] |
|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} |
|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} |
|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |
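Review bot: the rows for `controller.initContainerSecurityContext` and `controller.initContainerResources` are missing a space in "`controller.readOnlyRootFilesystem`to `true`". The `controller.securityContext` description should also say that a supplied value replaces the chart's default container security context rather than being merged into it (the templates fall back to `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `add: [NET_BIND_SERVICE]` only when the value is empty), so users who set it must restate those fields themselves.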
Expand Down Expand Up @@ -465,7 +468,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 |
|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 |
|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false |
|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true |
|`controller.enableTelemetryReporting` | Enable telemetry reporting. | true |
|`rbac.create` | Configures RBAC. | true |
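Review bot: the `controller.readOnlyRootFilesystem` row only describes the future move; it should also state what happens today when `controller.securityContext` is set, as values.yaml does ("This value will not be used if `controller.securityContext` is set"), so the two documents agree. "Three major releases after 3.5.x" is also vaguer than a version number; if the target release is known, naming it lets operators plan the migration.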
11 changes: 11 additions & 0 deletions charts/nginx-ingress/templates/_helpers.tpl
Expand Up @@ -134,6 +134,17 @@ Expand image name.
{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}}
{{- end -}}

{{/*
return if readOnlyRootFilesystem is enabled or not.
*/}}
{{- define "nginx-ingress.readOnlyRootFilesystem" -}}
{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}

{{/*
Build the args for the service binary.
*/}}
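Review bot: the helper OR-s the legacy flag with the new one, so with `controller.readOnlyRootFilesystem: true` and a `controller.securityContext` that omits `readOnlyRootFilesystem` it returns "true": the emptyDir volumes, mounts and init container are rendered while the container's root filesystem stays writable, which contradicts the values.yaml comment that the legacy value is not used once `controller.securityContext` is set. Consider making the new key authoritative whenever `controller.securityContext` is non-empty, e.g. `{{- if .Values.controller.securityContext }}{{ .Values.controller.securityContext.readOnlyRootFilesystem | default false }}{{- else }}{{ .Values.controller.readOnlyRootFilesystem }}{{- end }}`, or document the combined behaviour explicitly. The comment "return if readOnlyRootFilesystem is enabled or not." should also be capitalised like the other helper comments.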
25 changes: 17 additions & 8 deletions charts/nginx-ingress/templates/controller-daemonset.yaml
Expand Up @@ -40,8 +40,7 @@ spec:
serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
automountServiceAccountToken: true
securityContext:
seccompProfile:
type: RuntimeDefault
{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if .Values.controller.nodeSelector }}
nodeSelector:
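Review bot: unlike the container block further down, this `securityContext:` has no `if` guard, so an operator who overrides `controller.podSecurityContext` (for instance to add `fsGroup`) silently drops `seccompProfile: RuntimeDefault` unless they restate it, and an explicitly empty value renders `securityContext:` with `{}` underneath. Either merge the user value over the default (`mergeOverwrite`) or call out in the values.yaml comment that overriding replaces the seccomp default. The same applies to the identical change in controller-deployment.yaml.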
Expand All @@ -55,10 +54,10 @@ spec:
affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }}
{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumes }}
volumes:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- name: nginx-etc
emptyDir: {}
- name: nginx-cache
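Review bot: style: `(eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" )` has a stray space before the closing parenthesis here and in the `volumeMounts` and `initContainers` conditions below, while the deployment template writes `"true")` at the `volumes` condition and `( eq ... "true" )` elsewhere; pick one form and use it across both templates.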
Expand Down Expand Up @@ -117,6 +116,10 @@ spec:
periodSeconds: 1
initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
{{- end }}
{{- if .Values.controller.securityContext }}
securityContext:
{{ toYaml .Values.controller.securityContext | indent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
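Review bot: the `if`/`else` makes `controller.securityContext` a wholesale replacement: setting only `runAsUser: 101` drops `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem` from the rendered container. Prefer merging the user value over a default dict, e.g. build the default with `dict` and render `{{ toYaml (mergeOverwrite $default .Values.controller.securityContext) | indent 10 }}`, so partial overrides keep the hardened baseline; failing that, make the replace semantics explicit in README and values.yaml.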
Expand All @@ -127,10 +130,11 @@ spec:
- ALL
add:
- NET_BIND_SERVICE
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
{{- end }}
{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }}
volumeMounts:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- mountPath: /etc/nginx
name: nginx-etc
- mountPath: /var/cache/nginx
Expand Down Expand Up @@ -168,10 +172,10 @@ spec:
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
initContainers:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- name: init-{{ include "nginx-ingress.name" . }}
image: {{ include "nginx-ingress.image" . }}
imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
Expand All @@ -180,6 +184,10 @@ spec:
resources:
{{ toYaml .Values.controller.initContainerResources | indent 10 }}
{{- end }}
{{- if .Values.controller.initContainerSecurityContext }}
securityContext:
{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
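Review bot: the same replace-not-merge concern applies to the init container: the default here sets `readOnlyRootFilesystem: true` and drops all capabilities, and any `controller.initContainerSecurityContext` value discards both. Since this container only copies files into the emptyDir volumes, the override path should keep `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` unless they are explicitly overridden.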
Expand All @@ -188,6 +196,7 @@ spec:
capabilities:
drop:
- ALL
{{- end }}
volumeMounts:
- mountPath: /mnt/etc
name: nginx-etc
25 changes: 17 additions & 8 deletions charts/nginx-ingress/templates/controller-deployment.yaml
Expand Up @@ -56,10 +56,10 @@ spec:
topologySpreadConstraints:
{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }}
{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true") .Values.controller.volumes }}
volumes:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- name: nginx-etc
emptyDir: {}
- name: nginx-cache
Expand All @@ -78,8 +78,7 @@ spec:
serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
automountServiceAccountToken: true
securityContext:
seccompProfile:
type: RuntimeDefault
{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
hostNetwork: {{ .Values.controller.hostNetwork }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
Expand Down Expand Up @@ -126,6 +125,10 @@ spec:
{{- end }}
resources:
{{ toYaml .Values.controller.resources | indent 10 }}
{{- if .Values.controller.securityContext }}
securityContext:
{{ toYaml .Values.controller.securityContext | indent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
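Review bot: this block is a verbatim copy of the one in controller-daemonset.yaml, and the `if`/`else` logic (plus the init container variant) now has to be kept in sync in two places. Consider moving the default container and init container security contexts into named templates in `_helpers.tpl` next to `nginx-ingress.readOnlyRootFilesystem`, so both workloads render from one definition.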
Expand All @@ -136,10 +139,11 @@ spec:
- ALL
add:
- NET_BIND_SERVICE
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
{{- end }}
{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }}
volumeMounts:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- mountPath: /etc/nginx
name: nginx-etc
- mountPath: /var/cache/nginx
Expand Down Expand Up @@ -175,10 +179,10 @@ spec:
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
initContainers:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
- name: init-{{ include "nginx-ingress.name" . }}
image: {{ include "nginx-ingress.image" . }}
imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
Expand All @@ -187,6 +191,10 @@ spec:
resources:
{{ toYaml .Values.controller.initContainerResources | indent 10 }}
{{- end }}
{{- if .Values.controller.initContainerSecurityContext }}
securityContext:
{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
{{- else }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
Expand All @@ -195,6 +203,7 @@ spec:
capabilities:
drop:
- ALL
{{- end }}
volumeMounts:
- mountPath: /mnt/etc
name: nginx-etc
25 changes: 25 additions & 0 deletions charts/nginx-ingress/values.schema.json
Expand Up @@ -508,6 +508,24 @@
"title": "The terminationGracePeriodSeconds Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
},
"podSecurityContext": {
"type": "object",
"default": {},
"title": "The podSecurityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
},
"securityContext": {
"type": "object",
"default": {},
"title": "The securityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
},
"initContainerSecurityContext": {
"type": "object",
"default": {},
"title": "The initContainerSecurityContext Schema",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
},
"resources": {
"type": "object",
"default": {},
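Review bot: `podSecurityContext` is declared with `"default": {}` here, but the chart default in values.yaml (and the example further down in this file) is `seccompProfile: {type: RuntimeDefault}`; set the schema default to match so tools that read the schema do not present an empty, seccomp-less context as the baseline.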
Expand Down Expand Up @@ -1455,6 +1473,13 @@
},
"nodeSelector": {},
"terminationGracePeriodSeconds": 30,
"podSecurityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
}
},
"securityContext": {},
"initContainerSecurityContext": {},
"resources": {
"requests": {
"cpu": "100m",
22 changes: 22 additions & 0 deletions charts/nginx-ingress/values.yaml
Expand Up @@ -167,6 +167,26 @@ controller:
# cpu: 1
# memory: 1Gi

## The security context for the Ingress Controller pods.
podSecurityContext:
seccompProfile:
type: RuntimeDefault

## The security context for the Ingress Controller containers.
securityContext: {} # Remove curly brackets before adding values
# allowPrivilegeEscalation: true
# readOnlyRootFilesystem: true
# runAsUser: 101 #nginx
# runAsNonRoot: true
# capabilities:
# drop:
# - ALL
# add:
# - NET_BIND_SERVICE

## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
initContainerSecurityContext: {}

## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
initContainerResources:
requests:
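Review bot: the commented example under `securityContext` shows `allowPrivilegeEscalation: true`, the opposite of the chart's default (`false`); anyone uncommenting the block as a starting point weakens the container posture without meaning to. Change the example to `false` and, since supplying `securityContext` replaces the default, note in the comment that `capabilities.drop: [ALL]` and `readOnlyRootFilesystem` must be restated. The hint "Remove curly brackets before adding values" is also worth repeating on `initContainerSecurityContext: {}`.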
Expand Down Expand Up @@ -460,6 +480,8 @@ controller:
defaultHTTPSListenerPort: 443

## Configure root filesystem as read-only and add volumes for temporary data.
## Three major releases after 3.5.x this argument will be moved to the `securityContext` section.
## This value will not be used if `controller.securityContext` is set
readOnlyRootFilesystem: false

## Enable dynamic reloading of certificates
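Review bot: "This value will not be used if `controller.securityContext` is set" is only true for the container's `readOnlyRootFilesystem` field; the `nginx-ingress.readOnlyRootFilesystem` helper still OR-s this flag in to decide whether the emptyDir volumes, mounts and init container are rendered. Reword the comment to say exactly what is and is not affected, and end it with a period like the surrounding comments.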
Expand Up @@ -342,8 +342,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
| **controller.volumeMounts** | The volumeMounts of the Ingress Controller pods. | [] |
| **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] |
| **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
| **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
| **controller.securityContext** | The SecurityContext for Ingress Controller container. | {} |
| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} |
| **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
| **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
| **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 |
| **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
| **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |
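Review bot: the same missing space in "`controller.readOnlyRootFilesystem`to `true`" appears in two rows here as in charts/nginx-ingress/README.md; since this table duplicates that one, apply the same wording fixes to both so they do not drift.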
Expand Down Expand Up @@ -428,7 +431,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
| **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
| **controller.defaultHTTPListenerPort** | Sets the port for the HTTP `default_server` listener. | 80 |
| **controller.defaultHTTPSListenerPort** | Sets the port for the HTTPS `default_server` listener. | 443 |
| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. | false |
| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false |
| **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true |
| **rbac.create** | Configures RBAC. | true |
| **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |