From 8d056bfcbb2779e4072bae056a080aa92ae59850 Mon Sep 17 00:00:00 2001
From: Marco Ebert
Date: Wed, 4 Oct 2023 14:36:17 +0200
Subject: [PATCH] Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`.

Extracts the default backend `securityContext` into a template, as for the controller.
---
 charts/ingress-nginx/templates/_helpers.tpl | 17 +++++++++++++++++
 .../templates/default-backend-deployment.yaml | 9 +--------
 charts/ingress-nginx/values.yaml | 4 ++--
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index f7ca40748..64d61ed1f 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -194,6 +194,23 @@ Create the name of the backend service account to use - only used when podsecuri
 {{- end -}}
 {{- end -}}
 
+{{/*
+Default backend container security context.
+*/}}
+{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
+{{- if .Values.defaultBackend.containerSecurityContext -}}
+{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
+{{- else -}}
+runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+capabilities:
+  drop:
+  - ALL
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiGroup for PodSecurityPolicy.
 */}}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index 44c3732b0..ed88e6bc3 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
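Review bot: The `if .Values.defaultBackend.containerSecurityContext` branch of the new helper replaces the whole security context instead of merging with the defaults, so a chart user who sets only, say, a `seccompProfile` under `containerSecurityContext` silently loses `capabilities.drop: [ALL]`, `runAsNonRoot` and `readOnlyRootFilesystem`. That may be intended (the commit says it mirrors the controller helper), but it is a hardening regression that is easy to trigger by accident, so the template comment should say it explicitly, e.g. `Default backend container security context. A user-supplied .Values.defaultBackend.containerSecurityContext replaces these defaults entirely; it is not merged with them.` The same wholesale replacement is what the default-backend-deployment.yaml hunk renders through `include ... | nindent 12`. Minor style: `{{ .Values.defaultBackend.image.readOnlyRootFilesystem}}` lacks the space before `}}` that every other action in the block has; the old deployment line had the same spacing, and moving it is a good moment to write `readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}`.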
@@ -65,14 +65,7 @@ spec:
           {{- end }}
           {{- end }}
           {{- end }}
-          securityContext:
-            capabilities:
-              drop:
-              - ALL
-            runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
-            runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
-            allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+          securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
           {{- if .Values.defaultBackend.extraEnvs }}
           env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
           {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 2d89052c2..282c15000 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -799,11 +799,11 @@ defaultBackend:
     ## repository:
     tag: "1.5"
     pullPolicy: IfNotPresent
+    runAsNonRoot: true
     # nobody user -> uid 65534
     runAsUser: 65534
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
   # -- Use an existing PSP instead of creating one
   existingPsp: ""
   extraArgs: {}
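Review bot: The `defaultBackend.containerSecurityContext` value that the new helper reads is not declared anywhere in this values.yaml hunk, which only reorders the four `image.*` keys; unless the key is defined elsewhere in the file, the override path is undocumented and undiscoverable from the values file, and its replace-not-merge behaviour is exactly what a user needs to know before using it. Consider adding, next to the `image` block, `# -- Security context for default backend containers. When set, it replaces (does not merge with) the defaults derived from image.runAsNonRoot, image.runAsUser, image.allowPrivilegeEscalation and image.readOnlyRootFilesystem.` followed by `containerSecurityContext: {}`, in the same `# --` helm-docs style as the `existingPsp` comment below.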