Add CAP_SYS_CHROOT to DS/PSP when needed (#8587)

Signed-off-by: Mac Chaffee <me@macchaffee.com>
2022-05-16 09:30:18 -04:00 · 2022-05-16 09:30:18 -04:00 · 6c3a237d7d
commit 6c3a237d7d
parent 72b2f98edb
2 changed files with 4 additions and 8 deletions
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@ -82,14 +82,7 @@ spec:
        {{- end }}
          args:
            {{- include "ingress-nginx.params" . | nindent 12 }}
-          securityContext:
-            capabilities:
-                drop:
-                - ALL
-                add:
-                - NET_BIND_SERVICE
-            runAsUser: {{ .Values.controller.image.runAsUser }}
-            allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+          securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
          env:
            - name: POD_NAME
              valueFrom:
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -12,6 +12,9 @@ metadata:
 spec:
  allowedCapabilities:
    - NET_BIND_SERVICE
+  {{- if .Values.controller.image.chroot }}
+    - SYS_CHROOT
+  {{- end }}
 {{- if .Values.controller.sysctls }}
  allowedUnsafeSysctls:
  {{- range $sysctl, $value := .Values.controller.sysctls }}