From 8c56e4df9d63fa93bb7eb665403cf67e300a273a Mon Sep 17 00:00:00 2001
From: Alexis Martinier
Date: Wed, 21 Oct 2020 11:15:15 +0200
Subject: [PATCH] Add securitycontext settings on defaultbackend

Signed-off-by: Alexis Martinier
---
.../ingress-nginx/templates/default-backend-deployment.yaml | 6 ++++++
charts/ingress-nginx/values.yaml | 3 +++
2 files changed, 9 insertions(+)

diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index c7fd72897..9599c23ac 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -52,7 +52,13 @@ spec:
{{- end }}
{{- end }}
securityContext:
+ capabilities:
+ drop:
+ - ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+ runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+ allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 94fe19ccf..d337b664b 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -552,6 +552,9 @@ defaultBackend:
pullPolicy: IfNotPresent
# nobody user -> uid 65534
runAsUser: 65534
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
extraArgs: {}
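Review bot: The new `readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}` line is missing the space before the closing `}}` that its three sibling lines have; Go templates accept it, but the chart otherwise writes `{{ … }}` consistently, so it should read `readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}`. The `capabilities.drop: - ALL` block is hard-coded while the other new fields are values-driven, which is a sound hardening default for a backend that only answers health checks and 404s, but it deserves a template comment such as `{{- /* the default backend needs no Linux capabilities; drop ALL is intentionally not configurable */ -}}` so it is not later read as an oversight. `runAsNonRoot: true` combined with `runAsUser` means the kubelet will refuse to start the container if a user overrides `runAsUser` to `0`, so the values.yaml side would benefit from a comment next to `runAsNonRoot` stating that dependency, in the style of the existing `# nobody user -> uid 65534` line. The container spec that encloses this `securityContext` starts and ends outside the hunk.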