Helpers: Add ingress-nginx.defaultBackend.containerSecurityContext.

Extracts the default backend `securityContext` into a template, as for the controller.
This commit is contained in:
Marco Ebert 2023-10-04 14:36:17 +02:00
parent 47ab4935a9
commit 8d056bfcbb
3 changed files with 20 additions and 10 deletions


@ -194,6 +194,23 @@ Create the name of the backend service account to use - only used when podsecuri
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Default backend container security context.
*/}}
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
{{- if .Values.defaultBackend.containerSecurityContext -}}
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
capabilities:
drop:
- ALL
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- end -}}
{{- end -}}
{{/* {{/*
Return the appropriate apiGroup for PodSecurityPolicy. Return the appropriate apiGroup for PodSecurityPolicy.
*/}} */}}


@ -65,14 +65,7 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
securityContext: securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
capabilities:
drop:
- ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- if .Values.defaultBackend.extraEnvs }} {{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }} {{- end }}


@ -799,11 +799,11 @@ defaultBackend:
## repository: ## repository:
tag: "1.5" tag: "1.5"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true
# nobody user -> uid 65534 # nobody user -> uid 65534
runAsUser: 65534 runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
extraArgs: {} extraArgs: {}
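Review bot: The new `defaultBackend.containerSecurityContext` value consumed by the helper is never declared or documented in values.yaml; this hunk only reorders the existing `image.*` keys, and the diffstat (20 additions = 17 in the helper, 1 in the deployment, 2 here) indicates no other values.yaml change exists in the commit. Rendering still works because a missing key is nil in Go templates, but users have no discoverable knob and `helm show values` will not list it. Suggest adding under `defaultBackend`, next to the `image` block, `# -- Security context for default backend containers; when set it replaces the image.* hardening defaults entirely.` followed by `containerSecurityContext: {}`. If the chart ships a values schema, the key presumably needs an entry there as well; I cannot see that from this page.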