From 6299c39842c31ff1e17d72503003ca36e2976a9a Mon Sep 17 00:00:00 2001
From: Adam Graves
Date: Mon, 15 Nov 2021 21:54:49 +0000
Subject: [PATCH] Allow setting of container securityContext (#7533)

Currently this blocks deployments on clusters with global PodSecurityPolicies set

Signed-off-by: Adam Graves
---
 charts/ingress-nginx/templates/_helpers.tpl | 18 ++++++++++++++++++
 .../templates/controller-deployment.yaml | 9 +--------
 charts/ingress-nginx/values.yaml | 6 ++++++
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index 8b1fd0951..726224f18 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -30,6 +30,24 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
+
+{{/*
+Container SecurityContext.
+*/}}
+{{- define "controller.containerSecurityContext" -}}
+{{- if .Values.controller.containerSecurityContext -}}
+{{- toYaml .Values.controller.containerSecurityContext -}}
+{{- else -}}
+capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+runAsUser: {{ .Values.controller.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create a default fully qualified controller name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index cdf96600c..93fada79e 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
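Review bot: In the `{{- if .Values.controller.containerSecurityContext -}}` branch the user-supplied map is rendered verbatim and the whole default block is dropped, so a user who sets only, say, `readOnlyRootFilesystem: true` silently loses `capabilities.drop: [ALL]` and the `runAsUser` / `allowPrivilegeEscalation` values taken from `controller.image`, and neither the template nor the one-line `Container SecurityContext.` comment says so. The helper comment should state that contract, e.g. `Container SecurityContext: renders .Values.controller.containerSecurityContext as-is when it is non-empty; it REPLACES (does not merge with) the chart defaults below, so controller.image.runAsUser and allowPrivilegeEscalation are ignored in that case.` If keeping the hardening defaults unless explicitly overridden is preferred, a Sprig `merge` of the user map over the default map would do that, though which behaviour is wanted is a maintainer decision. The define is also named `controller.containerSecurityContext` while the chart's other helpers visible in this patch use the `ingress-nginx.` prefix (`ingress-nginx.params`), so `ingress-nginx.controller.containerSecurityContext` would be consistent. The same replace semantics applies to the wiring hunk in controller-deployment.yaml and to the new `containerSecurityContext: {}` key in values.yaml.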
@@ -80,14 +80,7 @@ spec:
 {{- end }}
 args:
 {{- include "ingress-nginx.params" . | nindent 12 }}
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: {{ .Values.controller.image.runAsUser }}
- allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+ securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
 env:
 - name: POD_NAME
 valueFrom:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 3f9771b31..048f89854 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -771,6 +771,12 @@ defaultBackend:
 ## podSecurityContext: {} + ## Security Context policies for controller main container. ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for ## notes on enabling and using sysctls ## containerSecurityContext: {} + # labels to add to the pod container metadata podLabels: {} # key: value
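Review bot: The comment block added above `containerSecurityContext: {}` in values.yaml is copied from `podSecurityContext` and points readers to the sysctl-cluster documentation, which covers pod-level sysctls and says nothing about a container securityContext; it also does not warn that, per the helper added in _helpers.tpl in this same patch, a non-empty value replaces the chart defaults (`capabilities.drop: [ALL]`, `add: [NET_BIND_SERVICE]`, `runAsUser` and `allowPrivilegeEscalation` from `controller.image`) rather than merging with them. I would replace the three comment lines with `## Security context for the controller container. When non-empty this is rendered as-is and replaces the chart defaults (capability drop/add, runAsUser, allowPrivilegeEscalation), so repeat those fields here if they are still wanted.` and reference https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ instead of the sysctl page. The removed block in the controller-deployment.yaml hunk is the exact list of settings a user now has to restate, which is worth saying explicitly since the PR is motivated by PodSecurityPolicy requirements.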