From 4aa03570b91f3b093e1716cba780356b9c891a66 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Sat, 23 Jun 2018 08:41:57 -0400
Subject: [PATCH] Update manifest to run as user (#2691)
---
 Changelog.md | 17 +++++++++++++++++
 deploy/mandatory.yaml | 8 ++++++++
 deploy/with-rbac.yaml | 8 ++++++++
 3 files changed, 33 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index d03a70b23..5f5be9f3a 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,23 @@
 **Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.0`
+*Breaking changes:*
+
+Running as user requires an update in the deployment manifest.
+
+```yaml
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ # www-data -> 33
+ runAsUser: 33
+```
+
+Note: the deploy [guide](https://kubernetes.github.io/ingress-nginx/deploy/#mandatory-command) contains this change
+
 *New Features:*
 - Run as user dropping root privileges
diff --git a/deploy/mandatory.yaml b/deploy/mandatory.yaml
index 0d47fc33a..9546d0251 100644
--- a/deploy/mandatory.yaml
+++ b/deploy/mandatory.yaml
@@ -251,6 +251,14 @@ spec:
 - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
 - --publish-service=$(POD_NAMESPACE)/ingress-nginx
 - --annotations-prefix=nginx.ingress.kubernetes.io
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ # www-data -> 33
+ runAsUser: 33
 env:
 - name: POD_NAME
 valueFrom:
diff --git a/deploy/with-rbac.yaml b/deploy/with-rbac.yaml
index fdc1354d1..e9d27fa2b 100644
--- a/deploy/with-rbac.yaml
+++ b/deploy/with-rbac.yaml
@@ -30,6 +30,14 @@ spec:
 - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
 - --publish-service=$(POD_NAMESPACE)/ingress-nginx
 - --annotations-prefix=nginx.ingress.kubernetes.io
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ # www-data -> 33
+ runAsUser: 33
 env:
 - name: POD_NAME
 valueFrom:
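Review bot: The added container `securityContext` in deploy/mandatory.yaml (and the identical block in deploy/with-rbac.yaml) pins `runAsUser: 33` but never asserts the non-root guarantee, so a later edit that drops or changes the UID would fall back to whatever user the image defines without any error. Adding `runAsNonRoot: true` beside `runAsUser: 33` makes the kubelet refuse to start the container as UID 0. Privilege escalation is also left implicit: with `drop: ALL` and a non-root UID, binding ports 80/443 presumably depends on file capabilities on the nginx binary, which only take effect while escalation is permitted, so an explicit `allowPrivilegeEscalation: true` with a comment such as `# needed so www-data can use NET_BIND_SERVICE via file capabilities` would document that dependency; this should be confirmed against the image build. The container spec starts and ends outside both hunks, so this is based only on the lines shown.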