DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Chart: Tighten securityContexts and Pod Security Policies. (#10491)

Browse source 
* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`.

* Values: Add missing `controller.containerSecurityContext`.

Already in use, but has never been added to values.

* Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`.

* Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`.

Due to alignment with other templates.

* Helpers: Improve `extraModules`.

- Make `command` a multiline list.
- Fix `toYaml` usage.
- Remove `toYaml` where not necessary.

* Helpers: Move `ingress-nginx.defaultBackend.fullname`.

* Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`.

Extracts the default backend `securityContext` into a template, as for the controller.

* Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`.

* Controller: Improve `controller.extraModules` & `controller.opentelemetry`.

- Add `controller.extraModules.distroless` & `controller.extraModules.resources`.
- Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`.
- Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`.
- Remove redundant whitespaces.

* Controller/PSP: Align indentation.

* Controller/PSP: Remove quotes.

* Controller/PSP: Improve comments.

* Controller/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`.

* Admission Webhooks/PSP: Align indentation.

* Admission Webhooks/PSP: Reorder fields.

* Admission Webhooks/PSP: Align condition.

* Admission Webhooks/ClusterRole: Align PSP rule.

* Default Backend/PSP: Align indentation.

* Default Backend/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Values: Tighten `controller.image`.

Due to recent changes, the controller image can be run without privilege escalation:

- https://github.com/kubernetes/ingress-nginx/issues/8499
- https://github.com/kubernetes/ingress-nginx/pull/7449

* Values: Tighten `controller.extraModules.containerSecurityContext`.

* Values: Tighten `controller.opentelemetry.containerSecurityContext`.

* Values: Tighten `controller.admissionWebhooks.*.securityContext`.

Moves the pod `securityContext` to the containers to not interfere with injected containers.

* Values: Tighten `defaultBackend.image`.
This commit is contained in:
Marco Ebert 2023-11-07 18:52:36 +01:00 committed by GitHub
parent 6499a6bd04
commit 8b026f42d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 316 additions and 216 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
charts/ingress-nginx/README.md
View file

@ -242,7 +242,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
@ -262,13 +262,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | | | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | |
| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | |
@ -291,6 +289,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name | | controller.containerName | string | `"controller"` | Configures the controller container name |
| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
| controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | | | controller.customTemplate.configMapName | string | `""` | |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
@ -315,14 +314,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostPort.ports.http | int | `80` | 'hostPort' http port | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port | | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | | | controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | | | controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | | | controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | | | controller.image.runAsUser | int | `101` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.4"` | | | controller.image.tag | string | `"v1.9.4"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
@ -379,12 +381,19 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.distroless | bool | `true` | |
| controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | | controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | | | controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | | controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | | | controller.priorityClassName | string | `""` | |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
@ -434,7 +443,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.targetPorts.https | string | `"https"` | | | controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | | | controller.service.type | string | `"LoadBalancer"` | |
| controller.shareProcessNamespace | bool | `false` | | | controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls | | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap | | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
@ -451,7 +460,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.autoscaling.minReplicas | int | `1` | | | defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | | | defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraArgs | object | `{}` | |
@ -465,6 +474,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| defaultBackend.image.tag | string | `"1.5"` | | | defaultBackend.image.tag | string | `"1.5"` | |
| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
| defaultBackend.livenessProbe.failureThreshold | int | `3` | | | defaultBackend.livenessProbe.failureThreshold | int | `3` | |
@ -479,7 +489,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
| defaultBackend.port | int | `8080` | | | defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | | | defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | |

71
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -39,23 +39,31 @@ Allows overriding it for multi-namespace deployments in combined charts.
{{- end -}} {{- end -}}
{{/* {{/*
Container SecurityContext. Controller container security context.
*/}} */}}
{{- define "controller.containerSecurityContext" -}} {{- define "ingress-nginx.controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}} {{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}} {{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}} {{- else -}}
runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities: capabilities:
drop: drop:
- ALL - ALL
add: add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }} {{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT - SYS_CHROOT
{{- end }} {{- end }}
runAsUser: {{ .Values.controller.image.runAsUser }} readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} {{- end -}}
{{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
@ -116,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
{{- print $servicePath | trimSuffix "-" -}} {{- print $servicePath | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Common labels Common labels
*/}} */}}
@ -183,6 +183,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}} */}}
@ -194,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Default backend container security context.
*/}}
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
{{- if .Values.defaultBackend.containerSecurityContext -}}
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
{{- if .Values.defaultBackend.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/* {{/*
Return the appropriate apiGroup for PodSecurityPolicy. Return the appropriate apiGroup for PodSecurityPolicy.
*/}} */}}
@ -230,18 +258,21 @@ Extra modules.
{{- define "extraModules" -}} {{- define "extraModules" -}}
- name: {{ .name }} - name: {{ .name }}
image: {{ .image }} image: {{ .image }}
{{- if .distroless | default false }} command:
command: ['/init_module'] {{- if .distroless }}
- /init_module
{{- else }} {{- else }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - sh
- -c
- /usr/local/bin/init_module.sh
{{- end }} {{- end }}
{{- if .containerSecurityContext }} {{- if .containerSecurityContext }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
{{- end }} {{- end }}
{{- if .resources }} {{- if .resources }}
resources: {{ .resources | toYaml | nindent 4 }} resources: {{ toYaml .resources | nindent 4 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: {{ toYaml "modules"}} - name: modules
mountPath: {{ toYaml "/modules_mount"}} mountPath: /modules_mount
{{- end -}} {{- end -}}

11
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View file

@ -21,14 +21,13 @@ rules:
- get - get
- update - update
{{- if .Values.podSecurityPolicy.enabled }} {{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: ['extensions'] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
resourceNames:
{{- with .Values.controller.admissionWebhooks.existingPsp }} {{- with .Values.controller.admissionWebhooks.existingPsp }}
- {{ . }} resourceNames: [{{ . }}]
{{- else }} {{- else }}
- {{ include "ingress-nginx.admissionWebhooks.fullname" . }} resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

7
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -73,8 +73,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.patch.tolerations }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }} {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext: securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }}
{{- end }}
{{- end }} {{- end }}

7
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -75,8 +75,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.patch.tolerations }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }} {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext: securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }}
{{- end }}
{{- end }} {{- end }}

47
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View file

@ -1,5 +1,5 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} {{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
@ -7,6 +7,7 @@ metadata:
annotations: annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook app.kubernetes.io/component: admission-webhook
@ -14,28 +15,38 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowPrivilegeEscalation: false privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup: fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs rule: MustRunAs
requiredDropCapabilities: ranges:
- ALL - min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser: runAsUser:
rule: MustRunAsNonRoot rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }} {{- end }}
{{- end }} {{- end }}

44
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -60,16 +60,16 @@ spec:
{{- end }} {{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext: securityContext:
{{- end }} {{- if .Values.controller.podSecurityContext }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
sysctls: sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }} {{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }} - name: {{ $sysctl | quote }}
value: {{ $value | quote }} value: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.shareProcessNamespace }} {{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -83,9 +83,8 @@ spec:
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }} {{- end }}
args: args: {{ include "ingress-nginx.params" . | nindent 12 }}
{{- include "ingress-nginx.params" . | nindent 12 }} securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
@ -150,11 +149,11 @@ spec:
volumeMounts: volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules - name: modules
{{ if .Values.controller.image.chroot }} {{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount mountPath: /chroot/modules_mount
{{ else }} {{- else }}
mountPath: /modules_mount mountPath: /modules_mount
{{ end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.customTemplate.configMapName }} {{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template - mountPath: /etc/nginx/template
@ -174,24 +173,25 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }} resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraContainers }} {{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers: initContainers:
{{- if .Values.controller.extraInitContainers }} {{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
{{- end}}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}

44
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -63,16 +63,16 @@ spec:
{{- end }} {{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext: securityContext:
{{- end }} {{- if .Values.controller.podSecurityContext }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
sysctls: sysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }} {{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }} - name: {{ $sysctl | quote }}
value: {{ $value | quote }} value: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.shareProcessNamespace }} {{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -86,9 +86,8 @@ spec:
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }} {{- end }}
args: args: {{ include "ingress-nginx.params" . | nindent 12 }}
{{- include "ingress-nginx.params" . | nindent 12 }} securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
@ -153,11 +152,11 @@ spec:
volumeMounts: volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules - name: modules
{{ if .Values.controller.image.chroot }} {{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount mountPath: /chroot/modules_mount
{{ else }} {{- else }}
mountPath: /modules_mount mountPath: /modules_mount
{{ end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.customTemplate.configMapName }} {{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template - mountPath: /etc/nginx/template
@ -177,24 +176,25 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }} resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraContainers }} {{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }} {{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers: initContainers:
{{- if .Values.controller.extraInitContainers }} {{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
{{- end}}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}

142
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }} name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
@ -11,84 +13,88 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
- SYS_CHROOT
{{- end }}
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
privileged: false privileged: false
allowPrivilegeEscalation: true hostPID: false
# Allow core volume types. hostIPC: false
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts: hostPorts:
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }} {{- range $key, $value := .Values.controller.containerPort }}
# {{ $key }} # controller.containerPort.{{ $key }}
- min: {{ $value }} - min: {{ $value }}
max: {{ $value }} max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }} {{- end }}
{{- else if .Values.controller.hostPort.enabled }} volumes:
{{- range $key, $value := .Values.controller.hostPort.ports }} - configMap
# {{ $key }} - downwardAPI
- min: {{ $value }} - emptyDir
max: {{ $value }} - secret
{{- end }} - projected
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# metrics
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# admission webhooks
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# {{ $key }}-tcp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# {{ $key }}-udp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup: fsGroup:
rule: 'MustRunAs' rule: MustRunAs
ranges: ranges:
# Forbid adding the root group.
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux: seLinux:
rule: 'RunAsAny' rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

9
charts/ingress-nginx/templates/default-backend-deployment.yaml
View file

@ -65,14 +65,7 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
securityContext: securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
capabilities:
drop:
- ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- if .Values.defaultBackend.extraEnvs }} {{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }} {{- end }}

46
charts/ingress-nginx/templates/default-backend-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "ingress-nginx.fullname" . }}-backend name: {{ include "ingress-nginx.fullname" . }}-backend
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend app.kubernetes.io/component: default-backend
@ -11,28 +13,38 @@ metadata:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
allowPrivilegeEscalation: false privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup: fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs rule: MustRunAs
requiredDropCapabilities: ranges:
- ALL - min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser: runAsUser:
rule: MustRunAsNonRoot rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux: seLinux:
rule: RunAsAny rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }} {{- end }}
{{- end }} {{- end }}

74
charts/ingress-nginx/values.yaml
View file

@ -31,9 +31,13 @@ controller:
digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3 digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26 digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true
# www-data -> uid 101 # www-data -> uid 101
runAsUser: 101 runAsUser: 101
allowPrivilegeEscalation: true allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# -- Configures the controller container name # -- Configures the controller container name
@ -127,12 +131,15 @@ controller:
podLabels: {} podLabels: {}
# key: value # key: value
# -- Security Context policies for controller pods # -- Security context for controller pods
podSecurityContext: {} podSecurityContext: {}
# -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # -- sysctls for controller pods
## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctls: {} sysctls: {}
# sysctls: # sysctls:
# "net.core.somaxconn": "8192" # "net.core.somaxconn": "8192"
# -- Security context for controller containers
containerSecurityContext: {}
# -- Allows customization of the source of the IP address or FQDN to report # -- Allows customization of the source of the IP address or FQDN to report
# in the ingress status field. By default, it reads the information provided # in the ingress status field. By default, it reads the information provided
@ -581,8 +588,18 @@ controller:
extraModules: [] extraModules: []
# - name: mytestmodule # - name: mytestmodule
# image: registry.k8s.io/ingress-nginx/mytestmodule # image: registry.k8s.io/ingress-nginx/mytestmodule
# distroless: false
# containerSecurityContext: # containerSecurityContext:
# runAsNonRoot: true
# runAsUser: <user-id>
# allowPrivilegeEscalation: false # allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# resources: {}
# #
# The image must contain a `/usr/local/bin/init_module.sh` executable, which # The image must contain a `/usr/local/bin/init_module.sh` executable, which
# will be executed as initContainers, to move its config files within the # will be executed as initContainers, to move its config files within the
@ -590,9 +607,20 @@ controller:
opentelemetry: opentelemetry:
enabled: false enabled: false
name: opentelemetry
image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
distroless: true
containerSecurityContext: containerSecurityContext:
runAsNonRoot: true
# -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {} resources: {}
admissionWebhooks: admissionWebhooks:
name: admission name: admission
@ -633,8 +661,17 @@ controller:
type: ClusterIP type: ClusterIP
createSecretJob: createSecretJob:
name: create name: create
# -- Security context for secret creation containers
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {} resources: {}
# limits: # limits:
# cpu: 10m # cpu: 10m
@ -644,8 +681,17 @@ controller:
# memory: 20Mi # memory: 20Mi
patchWebhookJob: patchWebhookJob:
name: patch name: patch
# -- Security context for webhook patch containers
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {} resources: {}
patch: patch:
enabled: true enabled: true
@ -667,10 +713,8 @@ controller:
tolerations: [] tolerations: []
# -- Labels to be added to patch job resources # -- Labels to be added to patch job resources
labels: {} labels: {}
securityContext: # -- Security context for secret creation & webhook patch pods
runAsNonRoot: true securityContext: {}
runAsUser: 2000
fsGroup: 2000
# Use certmanager to generate webhook certs # Use certmanager to generate webhook certs
certManager: certManager:
enabled: false enabled: false
@ -796,11 +840,13 @@ defaultBackend:
## repository: ## repository:
tag: "1.5" tag: "1.5"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true
# nobody user -> uid 65534 # nobody user -> uid 65534
runAsUser: 65534 runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
extraArgs: {} extraArgs: {}
@ -846,15 +892,9 @@ defaultBackend:
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
affinity: {} affinity: {}
# -- Security Context policies for controller pods # -- Security context for default backend pods
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
podSecurityContext: {} podSecurityContext: {}
# -- Security Context policies for controller main container. # -- Security context for default backend containers
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
containerSecurityContext: {} containerSecurityContext: {}
# -- Labels to add to the pod container metadata # -- Labels to add to the pod container metadata
podLabels: {} podLabels: {}