From 726d7e6239807c4cde0b6c51fe24de256b43c18e Mon Sep 17 00:00:00 2001
From: pellmont
Date: Thu, 10 Nov 2022 11:38:54 +0100
Subject: [PATCH] add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242)

---
 charts/ingress-nginx/README.md | 2 +-
 ...-extra-modules-default-container-sec-context.yaml | 12 ++++++++++++
 ...extra-modules-specific-container-sec-context.yaml | 12 ++++++++++++
 .../templates/controller-daemonset.yaml | 6 ++++++
 .../templates/controller-deployment.yaml | 3 +++
 charts/ingress-nginx/values.yaml | 4 +++-
 6 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
 create mode 100644 charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index bf4dcc8cd..f34615399 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -300,7 +300,7 @@ Kubernetes: `>=1.20.0-0`
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
-| controller.extraModules | list | `[]` | |
+| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. |
diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
new file mode 100644
index 000000000..2310c344e
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml
@@ -0,0 +1,12 @@
+controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ service:
+ type: ClusterIP
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ extraModules:
+ - name: opentelemetry
+ image: busybox
diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
new file mode 100644
index 000000000..bd2f011cc
--- /dev/null
+++ b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
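Review bot: This fixture and `deployment-extra-modules-specific-container-sec-context.yaml` in the next hunk only establish that the chart renders with a module-level or controller-level `containerSecurityContext`; nothing in this commit asserts that the rendered init container actually carries `allowPrivilegeEscalation: false`, so a regression in the `default` fallback would pass ci unnoticed. Their `deployment-` names also suggest they exercise only the Deployment template, while the DaemonSet template received the larger change here (securityContext plus volumeMounts). If the chart's `controller.kind` value selects the DaemonSet path, a third fixture setting it would cover that template as well; if the ci harness can assert on rendered output, a check for the `securityContext` of the `opentelemetry` init container would be the stronger test.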
@@ -0,0 +1,12 @@
+controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ service:
+ type: ClusterIP
+ extraModules:
+ - name: opentelemetry
+ image: busybox
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 4163e255c..802730331 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -181,6 +181,12 @@ spec:
 - name: {{ .Name }}
 image: {{ .Image }}
 command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+ {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }}
+ securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }}
+ {{- end }}
+ volumeMounts:
+ - name: modules
+ mountPath: /modules_mount
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index dfe4cae92..9dac747ea 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -187,6 +187,9 @@ spec:
 - name: {{ .name }}
 image: {{ .image }}
 command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+ {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }}
+ securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }}
+ {{- end }}
 volumeMounts:
 - name: modules
 mountPath: /modules_mount
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 6304f2637..dc9980d14 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
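Review bot: The new `securityContext` line in the DaemonSet hunk reads `.containerSecurityContext` in lowercase, matching the `containerSecurityContext:` key documented under `extraModules` in values.yaml and used by both ci fixtures, but the context lines around it still read `{{ .Name }}` and `{{ .Image }}`; Go template map lookups are case-sensitive, so with the documented lowercase `name:`/`image:` keys the DaemonSet init container appears to render with an empty name and image, whereas the Deployment hunk below uses `.name`/`.image`. Changing the two context lines to `- name: {{ .name }}` and `image: {{ .image }}` would make the templates agree and give the new `securityContext` a container it can actually apply to. A second point, shared with the Deployment hunk: `default` substitutes the whole map, so a per-module `containerSecurityContext` that sets only one field replaces `controller.containerSecurityContext` rather than extending it, and when both are empty the guard omits `securityContext` entirely, leaving the module init container without the restrictions the controller-level value would have provided; a one-line comment above the `{{- if` stating `{{- /* per-module context replaces, not merges, the controller-level one */ -}}` would make that explicit. The enclosing `range`/`if` block begins outside this hunk.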
@@ -577,10 +577,12 @@ controller:
 # image: busybox
 # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
 
+ # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
 extraModules: []
- ## Modules, which are mounted into the core nginx image
 # - name: opentelemetry
 # image: registry.k8s.io/ingress-nginx/opentelemetry:v20220906-g981ce38a7@sha256:aa079daa7efd93aa830e26483a49a6343354518360929494bad1d0ad3303142e
+ # containerSecurityContext:
+ # allowPrivilegeEscalation: false
 #
 # The image must contain a `/usr/local/bin/init_module.sh` executable, which
 # will be executed as initContainers, to move its config files within the
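Review bot: The new example shows `containerSecurityContext` under a module entry but the `# --` comment does not say how it interacts with `controller.containerSecurityContext`; from the templates in this commit a per-module value replaces the controller-level map wholesale rather than merging into it, so a module that sets only `allowPrivilegeEscalation` drops every other field the controller-level context carries, and when neither is set the init container renders with no `securityContext` at all. Since this comment is what helm-docs copies into the README table, it is the place users will read; suggest `# -- Modules, which are mounted into the core nginx image. A per-module containerSecurityContext replaces controller.containerSecurityContext entirely (no merge). See the opentelemetry sample below`. That rewording also avoids the self-reference of "See values.yaml" when the comment is read inside values.yaml itself.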