Merge ba586b1f89 into ed675fd8f9

controllers/nginx/pkg/cmd/controller/nginx.go

@@ -85,20 +85,20 @@ func newNGINXController() ingress.Controller {
 			Default: &server{
 				Hostname:      "localhost",
 				IP:            "127.0.0.1",
-				Port:          442,
+				Port:          8442,
 				ProxyProtocol: true,
 			},
 		},
 	}
 
-	listener, err := net.Listen("tcp", ":443")
+	listener, err := net.Listen("tcp", ":8443")
 	if err != nil {
 		glog.Fatalf("%v", err)
 	}
 
 	proxyList := &proxyproto.Listener{Listener: listener}
 
-	// start goroutine that accepts tcp connections in port 443
+	// start goroutine that accepts tcp connections in port 8443
 	go func() {
 		for {
 			var conn net.Conn
@@ -204,7 +204,7 @@ NGINX master process died (%v): %v
 		cmd = exec.Command(n.binary, "-c", cfgPath)
 		// we wait until the workers are killed
 		for {
-			conn, err := net.DialTimeout("tcp", "127.0.0.1:80", 1*time.Second)
+			conn, err := net.DialTimeout("tcp", "127.0.0.1:8080", 1*time.Second)
 			if err != nil {
 				break
 			}

controllers/nginx/rootfs/Dockerfile

@@ -14,6 +14,7 @@
 
 FROM gcr.io/google_containers/nginx-slim-amd64:0.19
 
+USER root
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
   diffutils \
   --no-install-recommends \
@@ -26,4 +27,5 @@ ENTRYPOINT ["/sbin/tini", "--"]
 
 COPY . /
 
+USER nginx
 CMD ["/nginx-ingress-controller"]

controllers/nginx/rootfs/etc/nginx/nginx.conf

@@ -1,5 +1,5 @@
 # A very simple nginx configuration file that forces nginx to start.
-pid /run/nginx.pid;
+pid /run/nginx/nginx.pid;
 
 events {}
 http {}

controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl

@@ -6,7 +6,7 @@
 daemon off;
 
 worker_processes {{ $cfg.WorkerProcesses }};
-pid /run/nginx.pid;
+pid /run/nginx/nginx.pid;
 {{ if ne .MaxOpenFiles 0 }}
 worker_rlimit_nofile {{ .MaxOpenFiles }};
 {{ end}}

images/echoheaders/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/google_containers/nginx-slim:0.18
+FROM gcr.io/google_containers/nginx-slim:0.19
 
 ADD nginx.conf /etc/nginx/nginx.conf
 ADD template.lua /usr/local/share/lua/5.1/

images/echoheaders/Makefile

@@ -1,7 +1,7 @@
 all: push
 
 # TAG 0.0 shouldn't clobber any release builds
-TAG = 1.6
+TAG = 1.7
 PREFIX = gcr.io/google_containers/echoserver
 
 container:

images/nginx-slim/Dockerfile

@@ -26,6 +26,7 @@ RUN /tmp/build.sh
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
 RUN ln -sf /dev/stderr /var/log/nginx/error.log
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]

images/nginx-slim/build.sh

@@ -55,6 +55,9 @@ if [[ ${ARCH} == "ppc64le" ]]; then
   apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev
 fi
 
+# add user and group
+adduser --system --group nginx
+
 # install required packages to build
 apt-get update && apt-get install --no-install-recommends -y \
   bash \
@@ -161,7 +164,7 @@ fi
   --http-log-path=/var/log/nginx/access.log \
   --error-log-path=/var/log/nginx/error.log \
   --lock-path=/var/lock/nginx.lock \
-  --pid-path=/run/nginx.pid \
+  --pid-path=/run/nginx/nginx.pid \
   --http-client-body-temp-path=/var/lib/nginx/body \
   --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
   --http-proxy-temp-path=/var/lib/nginx/proxy \
@@ -240,7 +243,19 @@ apt-get remove -y --purge \
 
 apt-get autoremove -y
 
-mkdir -p /var/lib/nginx/body /usr/share/nginx/html
+# Download of GeoIP databases
+curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
+  && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
+  && gunzip /etc/nginx/GeoIP.dat.gz \
+  && gunzip /etc/nginx/GeoLiteCity.dat.gz
+
+# create runtime directories
+mkdir -p /var/lib/nginx/body /usr/share/nginx/html /run/nginx
+
+chown -R nginx:nginx /etc/nginx /var/lib/nginx /run/nginx
+
+# use non privileged port by default
+sed -i 's/listen       80;/listen       8080;/' /etc/nginx/nginx.conf
 
 mv /usr/share/nginx/sbin/nginx /usr/sbin
 
@@ -249,9 +264,3 @@ rm -Rf /usr/share/man /usr/share/doc
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 rm -rf /var/cache/apt/archives/*
-
-# Download of GeoIP databases
-curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
-  && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
-  && gunzip /etc/nginx/GeoIP.dat.gz \
-  && gunzip /etc/nginx/GeoLiteCity.dat.gz

images/nginx-slim/rc.yaml

@@ -31,4 +31,41 @@ spec:
       - name: nginxslim
         image: gcr.io/google_containers/nginx-slim:0.19
         ports:
-        - containerPort: 80
+        - containerPort: 8080
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 105
+          privileged: false
+          capabilities:
+            drop:
+            - AUDIT_WRITE
+            - CHOWN
+            - DAC_OVERRIDE
+            - FOWNER
+            - FSETID
+            - KILL
+            - MKNOD
+            - NET_BIND_SERVICE
+            - NET_RAW
+            - SETFCAP
+            - SETGID
+            - SETUID
+            - SETPCAP
+            - SYS_CHROOT
+        volumeMounts:
+        - name: proxy
+          mountPath: /var/lib/nginx/proxy
+        - name: fastcgi
+          mountPath: /var/lib/nginx/fastcgi
+        - name: pidfile
+          mountPath: /run/nginx
+      securityContext:
+        fsGroup: 106
+      volumes:
+        - name: proxy
+          emptyDir: {}
+        - name: fastcgi
+          emptyDir: {}
+        - name: pidfile
+          emptyDir: {}