Helpers: Add ingress-nginx.defaultBackend.containerSecurityContext.

Extracts the default backend `securityContext` into a template, as for the controller.
2023-10-04 14:36:17 +02:00 · 2023-10-04 14:36:17 +02:00 · 8d056bfcbb
commit 8d056bfcbb
parent 47ab4935a9
3 changed files with 20 additions and 10 deletions
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -194,6 +194,23 @@ Create the name of the backend service account to use - only used when podsecuri
 {{- end -}}
 {{- end -}}

+{{/*
+Default backend container security context.
+*/}}
+{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
+{{- if .Values.defaultBackend.containerSecurityContext -}}
+{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
+{{- else -}}
+runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+capabilities:
+  drop:
+  - ALL
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiGroup for PodSecurityPolicy.
 */}}
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@ -65,14 +65,7 @@ spec:
            {{- end }}
          {{- end }}
        {{- end }}
-          securityContext:
-            capabilities:
-              drop:
-              - ALL
-            runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
-            runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
-            allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+          securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
        {{- if .Values.defaultBackend.extraEnvs }}
          env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
        {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -799,11 +799,11 @@ defaultBackend:
    ## repository:
    tag: "1.5"
    pullPolicy: IfNotPresent
+    runAsNonRoot: true
    # nobody user -> uid 65534
    runAsUser: 65534
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
  # -- Use an existing PSP instead of creating one
  existingPsp: ""
  extraArgs: {}