diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 0acf3da91..64abf33cc 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -242,7 +242,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | -| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | +| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | @@ -273,7 +273,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | -| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | @@ -331,8 +331,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | | controller.image.registry | string | `"registry.k8s.io"` | | +| controller.image.runAsGroup | int | `82` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.runAsNonRoot | bool | `true` | | -| controller.image.runAsUser | int | `101` | | +| controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.image.tag | string | `"v1.11.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | @@ -396,6 +397,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsGroup | int | `65532` | | | controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | @@ -505,6 +507,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | | defaultBackend.image.registry | string | `"registry.k8s.io"` | | +| defaultBackend.image.runAsGroup | int | `65534` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 0c6a3e207..271227cf0 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -47,6 +47,7 @@ Controller container security context. {{- else -}} runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }} runAsUser: {{ .Values.controller.image.runAsUser }} +runAsGroup: {{ .Values.controller.image.runAsGroup }} allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} {{- if .Values.controller.image.seccompProfile }} seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }} @@ -222,6 +223,7 @@ Default backend container security context. {{- else -}} runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} runAsUser: {{ .Values.defaultBackend.image.runAsUser }} +runAsGroup: {{ .Values.defaultBackend.image.runAsGroup }} allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} {{- if .Values.defaultBackend.image.seccompProfile }} seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }} diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 6ee794af9..982c9c974 100644 --- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml @@ -138,3 +138,12 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a DaemonSet with `runAsGroup` if `controller.image.runAsGroup` is set + set: + controller.kind: DaemonSet + controller.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml index 82b97a0f7..a2c5a15ea 100644 --- a/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml @@ -160,3 +160,11 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with `runAsGroup` if `controller.image.runAsGroup` is set + set: + controller.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index e237fe7e3..4321075e9 100644 --- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml @@ -135,3 +135,12 @@ tests: values: - default-backend topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with `runAsGroup` if `defaultBackend.image.runAsGroup` is set + set: + defaultBackend.enabled: true + defaultBackend.image.runAsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 92735d2a1..9d309627d 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -31,8 +31,12 @@ controller: digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d pullPolicy: IfNotPresent runAsNonRoot: true - # www-data -> uid 101 + # -- This value must not be changed using the official image. + # uid=101(www-data) gid=82(www-data) groups=82(www-data) runAsUser: 101 + # -- This value must not be changed using the official image. + # uid=101(www-data) gid=82(www-data) groups=82(www-data) + runAsGroup: 82 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -688,6 +692,7 @@ controller: # containerSecurityContext: # runAsNonRoot: true # runAsUser: + # runAsGroup: # allowPrivilegeEscalation: false # seccompProfile: # type: RuntimeDefault @@ -717,6 +722,7 @@ controller: runAsNonRoot: true # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. runAsUser: 65532 + runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -768,6 +774,7 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 + runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -788,6 +795,7 @@ controller: securityContext: runAsNonRoot: true runAsUser: 65532 + runAsGroup: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -963,6 +971,7 @@ defaultBackend: runAsNonRoot: true # nobody user -> uid 65534 runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault