From 36359278156e053a777b1e8bbd95b2ec7d3d43d9 Mon Sep 17 00:00:00 2001
From: Marco Ebert
Date: Tue, 10 Oct 2023 18:11:25 +0200
Subject: [PATCH] Values: Tighten `defaultBackend.image`.

---
 charts/ingress-nginx/README.md | 1 +
 charts/ingress-nginx/templates/_helpers.tpl | 5 ++++-
 .../ingress-nginx/templates/default-backend-psp.yaml | 12 ++++++++++++
 charts/ingress-nginx/values.yaml | 2 ++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 1a47e2f61..4a0cb94a2 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -474,6 +474,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.image.registry | string | `"registry.k8s.io"` | |
 | defaultBackend.image.runAsNonRoot | bool | `true` | |
 | defaultBackend.image.runAsUser | int | `65534` | |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
 | defaultBackend.image.tag | string | `"1.5"` | |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` | |
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index 5f3296644..c936dab79 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -212,10 +212,13 @@ Default backend container security context.
 runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
 runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
 allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
 capabilities:
 drop:
 - ALL
-readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml
index a592f274d..424109109 100644
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
 name: {{ include "ingress-nginx.fullname" . }}-backend
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
 app.kubernetes.io/component: default-backend
@@ -11,6 +13,10 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
+ privileged: false
+ hostPID: false
+ hostIPC: false
+ hostNetwork: false
 volumes:
 - configMap
 - downwardAPI
@@ -22,8 +28,14 @@ spec:
 ranges:
 - min: 1
 max: 65535
+ readOnlyRootFilesystem: true
 runAsUser:
 rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
 supplementalGroups:
 rule: MustRunAs
 ranges:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 17f835e22..cb50b9d07 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
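Review bot: The new `{{- if .Values.defaultBackend.image.seccompProfile }}` guard only tests truthiness, so a mis-shaped override such as `seccompProfile: RuntimeDefault` (the `type:` level forgotten) passes the guard, `toYaml` emits a bare string where the API expects an object, and the error surfaces only at admission time. A template-time check fails faster with a readable message: `{{- if and .Values.defaultBackend.image.seccompProfile (not (kindIs "map" .Values.defaultBackend.image.seccompProfile)) }}{{ fail "defaultBackend.image.seccompProfile must be a map" }}{{- end }}` placed before the `if`. The enclosing define starts outside the hunk; if the controller's container security context uses the same guarded rendering (not visible here), the two should be kept in step.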
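Review bot: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"` admits every profile, `unconfined` included, on a PodSecurityPolicy the rest of this commit is tightening. The annotation is needed at all because without it the PSP admission plugin rejects any pod that sets a seccomp profile, but `runtime/default` would admit the chart's new `RuntimeDefault` default while still refusing an `Unconfined` override. If `*` is deliberate so that a `Localhost` override of `defaultBackend.image.seccompProfile` is still admitted, record the trade-off in a comment above the annotation, `# "*" so Localhost overrides of defaultBackend.image.seccompProfile are admitted; runtime/default would be stricter`; otherwise list `runtime/default` explicitly.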
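Review bot: `readOnlyRootFilesystem: true` in the PSP hard-requires what `defaultBackend.image.readOnlyRootFilesystem` only defaults to, so a user who sets that value to `false` while the chart-managed PSP is in use has the pod rejected at admission instead of getting the rendered override. Either derive it from the value, `readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}`, or say in values.yaml that the PSP pins it. The new `runAsGroup: MustRunAs` block (range starting at 1) also has no counterpart in the container security context rendered in _helpers.tpl, so by PSP's documented defaulting the admission plugin fills in the range's lower bound as the group on PSP-enabled clusters; if that is intended a comment should say so, otherwise set an explicit `runAsGroup` in the chart defaults so behaviour does not depend on PSP mutation. The `spec:` mapping continues on both sides of this hunk.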
@@ -844,6 +844,8 @@ defaultBackend:
 # nobody user -> uid 65534
 runAsUser: 65534
 allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
 readOnlyRootFilesystem: true
 # -- Use an existing PSP instead of creating one
 existingPsp: ""
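Review bot: The new `seccompProfile` key has no `# --` comment in the helm-docs style the surrounding keys use, which is why the README row added in this same commit for `defaultBackend.image.seccompProfile.type` has an empty description. A one-liner above the key, `# -- Seccomp profile of the default backend container. Set to null to omit the field.`, documents both the purpose and the opt-out that the `if` guard in _helpers.tpl provides (an empty map would merge back with this default, so `null` is the way to drop it). Since this changes the rendered pod spec for every installation relying on chart defaults, it is also worth noting in the chart's changelog or this comment that the field requires a kubelet and runtime with seccomp support.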