DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add CAP_SYS_CHROOT to DS/PSP when needed (#8587)

Browse source 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
This commit is contained in:
Mac Chaffee 2022-05-16 09:30:18 -04:00 committed by GitHub
parent 72b2f98edb
commit 6c3a237d7d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -82,14 +82,7 @@ spec:
{{- end }} {{- end }}
args: args:
{{- include "ingress-nginx.params" . | nindent 12 }} {{- include "ingress-nginx.params" . | nindent 12 }}
securityContext: securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:

3
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -12,6 +12,9 @@ metadata:
spec: spec:
allowedCapabilities: allowedCapabilities:
- NET_BIND_SERVICE - NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
- SYS_CHROOT
{{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
allowedUnsafeSysctls: allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }} {{- range $sysctl, $value := .Values.controller.sysctls }}