Allow setting of container securityContext (#7533)

Currently the hard-coded container securityContext blocks deployments on clusters with global PodSecurityPolicies set

Signed-off-by: Adam Graves <adam.graves85@gmail.com>
This commit is contained in:
Adam Graves 2021-11-15 21:54:49 +00:00 committed by GitHub
parent 53ce25888a
commit 1e440cb004
3 changed files with 25 additions and 8 deletions


@ -30,6 +30,24 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Container SecurityContext.
*/}}
{{- define "controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
{{- end -}}
{{/* {{/*
Create a default fully qualified controller name. Create a default fully qualified controller name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
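Review bot: The `if .Values.controller.containerSecurityContext` branch replaces the default context wholesale rather than merging with it, so a user who sets only, say, `runAsNonRoot: true` silently loses the `drop: [ALL]` capability set, `runAsUser` and `allowPrivilegeEscalation`, and `controller.image.runAsUser` / `controller.image.allowPrivilegeEscalation` stop having any effect with no warning. If an all-or-nothing escape hatch is the intent, the helper comment should say so: `Container SecurityContext. A user-supplied controller.containerSecurityContext REPLACES the hardened default below (no merge); re-specify capabilities, runAsUser and allowPrivilegeEscalation when overriding.` Otherwise consider building the default as a dict and layering the user value over it with sprig `merge` (copying the user map first, since `merge` mutates its destination) so a partial override cannot weaken the baseline by omission.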


@ -80,14 +80,7 @@ spec:
{{- end }} {{- end }}
args: args:
{{- include "ingress-nginx.params" . | nindent 12 }} {{- include "ingress-nginx.params" . | nindent 12 }}
securityContext: securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
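Review bot: Only the Deployment template is switched to the new helper here; the commit touches three files, so if the chart also renders the controller as a DaemonSet (`controller.kind: DaemonSet`) from a separate template, that path would still carry the old inline securityContext and ignore `controller.containerSecurityContext` — worth checking and pointing it at the same `securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}` so both render paths stay consistent. Note the enclosing container spec starts and ends outside the hunk, so the indentation passed to `nindent` should be verified against the rendered output rather than the template alone.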


@ -771,6 +771,12 @@ defaultBackend:
## ##
podSecurityContext: {} podSecurityContext: {}
## Security Context policies for controller main container.
## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
## notes on enabling and using sysctls
##
containerSecurityContext: {}
# labels to add to the pod container metadata # labels to add to the pod container metadata
podLabels: {} podLabels: {}
# key: value # key: value
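Review bot: The comment added above `containerSecurityContext` links the sysctl docs, which concern the pod-level securityContext (`sysctls` is a pod field, not a container one) and looks copied from the `podSecurityContext` entry above it; for a container securityContext it misleads users. It also omits the one thing an operator must know: a non-empty value replaces the chart's hardened default (drop ALL capabilities, add NET_BIND_SERVICE, `runAsUser` and `allowPrivilegeEscalation` taken from `controller.image.*`) rather than merging with it. Suggest replacing the three comment lines with `## Security context for the controller main container.`, `## When set, this REPLACES the chart default (capabilities drop ALL / add NET_BIND_SERVICE, runAsUser and`, `## allowPrivilegeEscalation from controller.image.*); re-specify those fields or the hardening is lost.` and linking https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ instead of the sysctl page.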