Values: Tighten defaultBackend.image.

2023-10-10 18:11:25 +02:00 · 2023-10-10 18:11:25 +02:00 · 3635927815
commit 3635927815
parent 5afbe6a1f8
4 changed files with 19 additions and 1 deletions
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -474,6 +474,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | defaultBackend.image.tag | string | `"1.5"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -212,10 +212,13 @@ Default backend container security context.
 runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
 runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
 allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
 capabilities:
  drop:
  - ALL
-readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
 {{- end -}}
 {{- end -}}

--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "ingress-nginx.fullname" . }}-backend
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: default-backend
@ -11,6 +13,10 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
+  privileged: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
  volumes:
    - configMap
    - downwardAPI
@ -22,8 +28,14 @@ spec:
    ranges:
      - min: 1
        max: 65535
+  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -844,6 +844,8 @@ defaultBackend:
    # nobody user -> uid 65534
    runAsUser: 65534
    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
    readOnlyRootFilesystem: true
  # -- Use an existing PSP instead of creating one
  existingPsp: ""