Values: Tighten defaultBackend.image.

charts/ingress-nginx/README.md

@@ -474,6 +474,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | defaultBackend.image.tag | string | `"1.5"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |

charts/ingress-nginx/templates/_helpers.tpl

@@ -212,10 +212,13 @@ Default backend container security context.
 runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
 runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
 allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
 capabilities:
   drop:
   - ALL
-readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
 {{- end -}}
 {{- end -}}
 

charts/ingress-nginx/templates/default-backend-psp.yaml

@@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-backend
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
@@ -11,6 +13,10 @@ metadata:
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
+  privileged: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
   volumes:
     - configMap
     - downwardAPI
@@ -22,8 +28,14 @@ spec:
     ranges:
       - min: 1
         max: 65535
+  readOnlyRootFilesystem: true
   runAsUser:
     rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
   supplementalGroups:
     rule: MustRunAs
     ranges:

charts/ingress-nginx/values.yaml

@@ -844,6 +844,8 @@ defaultBackend:
     # nobody user -> uid 65534
     runAsUser: 65534
     allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
     readOnlyRootFilesystem: true
   # -- Use an existing PSP instead of creating one
   existingPsp: ""