DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add sysctl exemptions to controller PSP

Browse source 
I would like to be able to support this construction in my DaemonSet, I have coontrol over the host and this is the easiest way yo bump the socket properties.
```yaml
securityContext:
  sysctls:
    - name: net.core.somaxconn
      value: "8192"
```
This commit is contained in:
Tobias Wolf 2020-06-12 09:45:55 +02:00
parent c0035d29c3
commit 1d54d8b565
6 changed files with 38 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
charts/ingress-nginx/Chart.yaml
View file

@ -1,6 +1,6 @@
apiVersion: v1
name: ingress-nginx
version: 2.5.0
version: 2.6.0
appVersion: 0.33.0
home: https://github.com/kubernetes/ingress-nginx
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

1
charts/ingress-nginx/README.md
View file

@ -90,6 +90,7 @@ Parameter | Description | Default
`controller.podAnnotations` | annotations to be added to pods | `{}`
`controller.podLabels` | labels to add to the pod container metadata | `{}`
`controller.podSecurityContext` | Security context policies to add to the controller pod | `{}`
`controller.sysctls` | Map of optional sysctls to enable in the controller and in the PodSecurityPolicy | `{}`
`controller.replicaCount` | desired number of controller pods | `1`
`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1`
`controller.resources` | controller pod resource requests & limits | `{}`

14
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -42,8 +42,18 @@ spec:
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.podSecurityContext }}
securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
{{- end }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.controller.sysctls }}
sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl }}
value: {{ $value }}
{{- end }}
{{- end }}
containers:
- name: controller

12
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -46,8 +46,18 @@ spec:
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
{{- end }}
{{- if .Values.controller.podSecurityContext }}
securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.controller.sysctls }}
sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl }}
value: {{ $value }}
{{- end }}
{{- end }}
containers:
- name: controller

6
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -9,6 +9,12 @@ metadata:
spec:
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
privileged: false
allowPrivilegeEscalation: true
# Allow core volume types.

9
charts/ingress-nginx/values.yaml
View file

@ -67,11 +67,16 @@ controller:
# key: value
## Security Context policies for controller pods
## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
## notes on enabling and using sysctls
##
podSecurityContext: {}
## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
## notes on enabling and using sysctls
###
sysctls: {}
# sysctls:
# "net.core.somaxconn": "8192"
## Allows customization of the source of the IP address or FQDN to report
## in the ingress status field. By default, it reads the information provided
## by the service. If disable, the status field reports the IP address of the