From 0c8abfea0d25e07461a6f565f29d94a7a2088b1c Mon Sep 17 00:00:00 2001
From: Artem Tartakynov
Date: Wed, 25 Nov 2020 11:08:57 -0500
Subject: [PATCH 1/3] update the basic auth example

---
 docs/examples/auth/basic/README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index edf5ebd95..6391a9238 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -112,7 +112,6 @@ server_version=nginx: 1.9.11 - lua: 10001
 
 HEADERS RECEIVED:
 accept=*/*
-authorization=Basic Zm9vOmJhcg==
 connection=close
 host=foo.bar.com
 user-agent=curl/7.43.0

From 1fe88a37af47223f0f381beaacaf1fad014fe74e Mon Sep 17 00:00:00 2001
From: Artem Tartakynov
Date: Wed, 25 Nov 2020 21:51:15 -0500
Subject: [PATCH 2/3] add 2 more headers to the basic auth example x-request-id and x-scheme

---
 docs/examples/auth/basic/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/examples/auth/basic/README.md b/docs/examples/auth/basic/README.md
index 6391a9238..194bacb3b 100644
--- a/docs/examples/auth/basic/README.md
+++ b/docs/examples/auth/basic/README.md
@@ -115,11 +115,13 @@ accept=*/*
 connection=close
 host=foo.bar.com
 user-agent=curl/7.43.0
+x-request-id=e426c7829ef9f3b18d40730857c3eddb
 x-forwarded-for=10.2.29.1
 x-forwarded-host=foo.bar.com
 x-forwarded-port=80
 x-forwarded-proto=http
 x-real-ip=10.2.29.1
+x-scheme=http
 BODY:
 * Connection #0 to host 10.2.29.4 left intact
 -no body in request-

From 63e35ac32baab6ca3fc2c5e965b074c1749475f8 Mon Sep 17 00:00:00 2001
From: Eric Bailey
Date: Tue, 23 Feb 2021 18:31:56 -0600
Subject: [PATCH 3/3] Support existing PSPs in Helm chart

---
 charts/ingress-nginx/CHANGELOG.md | 2 ++
 charts/ingress-nginx/Chart.yaml | 2 +-
 .../admission-webhooks/job-patch/clusterrole.yaml | 4 ++++
 .../templates/admission-webhooks/job-patch/psp.yaml | 2 +-
 charts/ingress-nginx/templates/controller-psp.yaml | 2 +-
 charts/ingress-nginx/templates/controller-role.yaml | 4 ++++
 charts/ingress-nginx/templates/default-backend-psp.yaml | 2 +-
 charts/ingress-nginx/templates/default-backend-role.yaml | 4 ++++
 charts/ingress-nginx/values.yaml | 9 +++++++++
 9 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
index 09aed21a7..060263550 100644
--- a/charts/ingress-nginx/CHANGELOG.md
+++ b/charts/ingress-nginx/CHANGELOG.md
@@ -4,6 +4,8 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
 
 ### Unreleased
 
+- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
+
 ### 3.27.0
 
 - Update ingress-nginx v0.45.0
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 3eb0db28c..7f69fdbcc 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.27.0
+version: 3.28.0
 appVersion: 0.45.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index 7eb57388d..fd762f935 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -22,6 +22,10 @@ rules:
 resources: ['podsecuritypolicies']
 verbs: ['use']
 resourceNames:
+ {{- with .Values.controller.admissionWebhooks.existingPsp }}
+ - {{ . }}
+ {{- else }}
 - {{ include "ingress-nginx.fullname" . }}-admission
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
index e8c8da94b..d2c7de685 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
index 3b98b4666..bdb856310 100644
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index e10091829..52f830315 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
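Review bot: The operator-supplied PSP name from `.Values.controller.admissionWebhooks.existingPsp` is emitted as a bare YAML scalar in the added `- {{ . }}` line, so a name that YAML retypes (all digits, `true`, `no`) or that contains `#`, `:`, `,` or brackets renders a different or invalid `resourceNames` entry, and the `use` grant then points at nothing. Rendering it as `- {{ . | quote }}` keeps the RBAC rule bound to the literal name; the same applies to the `resourceNames: [{{ . }}]` lines added in controller-role.yaml and default-backend-role.yaml, where the flow-sequence brackets make an unquoted `,` or `]` especially damaging. Because the companion psp.yaml and controller-psp.yaml hunks stop rendering the chart's own PSP once this value is set, the rendered name is now the only link between the role and a policy that must already exist in the cluster, and a mismatch would presumably surface only as pods being rejected at admission. The `if` blocks closed by the trailing `{{- end }}` lines start outside the hunk.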
@@ -82,6 +82,10 @@ rules:
 - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
 resources: ['podsecuritypolicies']
 verbs: ['use']
+ {{- with .Values.controller.existingPsp }}
+ resourceNames: [{{ . }}]
+ {{- else }}
 resourceNames: [{{ include "ingress-nginx.fullname" . }}]
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml
index 055f434db..716dbf16f 100644
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
index 23498de22..53b63b6bf 100644
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@@ -10,5 +10,9 @@ rules:
 - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
 resources: ['podsecuritypolicies']
 verbs: ['use']
+ {{- with .Values.defaultBackend.existingPsp }}
+ resourceNames: [{{ . }}]
+ {{- else }}
 resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
+ {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 6204f8d67..49b9ca942 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -18,6 +18,9 @@ controller:
 runAsUser: 101
 allowPrivilegeEscalation: true
 
+ # Use an existing PSP instead of creating one
+ existingPsp: ""
+
 # Configures the ports the nginx-controller listens on
 containerPort:
 http: 80
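Review bot: The comment on the new `controller.existingPsp` key does not state what the value must satisfy or what still gates it: the named PodSecurityPolicy must already exist in the cluster, the chart stops creating its own PSP as soon as the value is non-empty, and the `use` rule that references it is still wrapped in `if` blocks that, judging by the `{{- end }}` closers in the controller-role.yaml hunk, presumably depend on `podSecurityPolicy.enabled` remaining true. A comment such as `# Name of an existing PodSecurityPolicy to grant 'use' on; when set, the chart does not create its own PSP (podSecurityPolicy.enabled must still be true)` would tell an operator that setting this key alone changes nothing. The same wording belongs on the two `existingPsp` keys added in the later values.yaml hunks under `admissionWebhooks` and `defaultBackend`, which are independent values — setting `controller.existingPsp` does not cover the admission job or the default backend.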
@@ -473,6 +476,9 @@ controller:
 namespaceSelector: {}
 objectSelector: {}
 
+ # Use an existing PSP instead of creating one
+ existingPsp: ""
+
 service:
 annotations: {}
 # clusterIP: ""
@@ -609,6 +615,9 @@ defaultBackend:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 
+ # Use an existing PSP instead of creating one
+ existingPsp: ""
+
 extraArgs: {}
 
 serviceAccount: