diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 480a5dd1f..be4bc5140 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -502,7 +502,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `false` | | +| podSecurityAdmission.audit | string | `"restricted"` | | +| podSecurityAdmission.enforce | string | `"baseline"` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml deleted file mode 100644 index 8026a6356..000000000 --- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml deleted file mode 100644 index fccdb134c..000000000 --- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psa-values.yaml similarity index 68% rename from charts/ingress-nginx/ci/deployment-psp-values.yaml rename to charts/ingress-nginx/ci/deployment-psa-values.yaml index 2f332a7b2..6ffd86e68 100644 --- a/charts/ingress-nginx/ci/deployment-psp-values.yaml +++ b/charts/ingress-nginx/ci/deployment-psa-values.yaml @@ -6,5 +6,6 @@ controller: service: type: ClusterIP -podSecurityPolicy: - enabled: true +podSecurityAdmission: + enforce: privileged + audit: baseline diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml deleted file mode 100644 index 6195bb339..000000000 --- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 2b6377869..7e6b702ac 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -183,28 +183,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled -*/}} -{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} -{{- if .Values.defaultBackend.serviceAccount.create -}} - {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }} -{{- else -}} - {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - {{/* Check the ingress controller version tag is at most three versions behind the last release */}} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index ec43a3bc1..1a90dbaf4 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,15 +20,4 @@ rules: verbs: - get - update -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - {{- with .Values.controller.admissionWebhooks.existingPsp }} - - {{ . }} - {{- else }} - - {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml deleted file mode 100644 index ae40dc898..000000000 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: admission-webhook - {{- with .Values.controller.admissionWebhooks.patch.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - allowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - requiredDropCapabilities: - - ALL - runAsUser: - rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml deleted file mode 100644 index 3c499b9d4..000000000 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ /dev/null @@ -1,94 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }} - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - - SYS_CHROOT - {{- end }} -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} - privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' -{{- if .Values.controller.hostNetwork }} - hostNetwork: {{ .Values.controller.hostNetwork }} -{{- end }} -{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} - hostPorts: -{{- if .Values.controller.hostNetwork }} -{{- range $key, $value := .Values.controller.containerPort }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- else if .Values.controller.hostPort.enabled }} -{{- range $key, $value := .Values.controller.hostPort.ports }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- end }} -{{- if .Values.controller.metrics.enabled }} - # metrics - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} - # admission webhooks - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} -{{- end }} -{{- range $key, $value := .Values.tcp }} - # {{ $key }}-tcp - - min: {{ $key }} - max: {{ $key }} -{{- end }} -{{- range $key, $value := .Values.udp }} - # {{ $key }}-udp - - min: {{ $key }} - max: {{ $key }} -{{- end }} -{{- end }} - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: 'MustRunAsNonRoot' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - seLinux: - rule: 'RunAsAny' -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index f6217a29a..88e030dbf 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -88,14 +88,4 @@ rules: - list - watch - get -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml deleted file mode 100644 index c144c8fbf..000000000 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-backend - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - allowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - requiredDropCapabilities: - - ALL - runAsUser: - rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml deleted file mode 100644 index dd7868aa0..000000000 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -rules: - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.defaultBackend.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] - {{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml deleted file mode 100644 index 3203b6f57..000000000 --- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "ingress-nginx.fullname" . }}-backend -subjects: - - kind: ServiceAccount - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 99cdeaa41..32e5d662a 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -909,8 +909,9 @@ rbac: scope: false ## If true, create & use Pod Security Policy resources ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false +podSecurityAdmission: + enforce: baseline + audit: restricted serviceAccount: create: true name: "" diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md deleted file mode 100644 index f8426baf2..000000000 --- a/docs/examples/psp/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Pod Security Policy (PSP) - -In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`) -have permissions to create pods. -Kubernetes however provides a more fine-grained authorization policy called -[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). - -PSP allows the cluster owner to define the permission of each object, for example creating a pod. -If you have PSP enabled on the cluster, and you deploy ingress-nginx, -you will need to provide the `Deployment` with the permissions to create pods. - -Before applying any objects, first apply the PSP permissions by running: -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml -``` - -Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`. diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml deleted file mode 100644 index 0f859dece..000000000 --- a/docs/examples/psp/psp.yaml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: ingress-nginx - namespace: ingress-nginx -spec: - allowedCapabilities: - - NET_BIND_SERVICE - privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - configMap - - secret - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: MustRunAsNonRoot - supplementalGroups: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - seLinux: - rule: RunAsAny - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -rules: -- apiGroups: [policy] - resources: [podsecuritypolicies] - verbs: [use] - resourceNames: [ingress-nginx] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-psp -subjects: -- kind: ServiceAccount - name: default -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx diff --git a/go.work.sum b/go.work.sum index b90672997..e8b110fe7 100644 --- a/go.work.sum +++ b/go.work.sum @@ -186,6 +186,8 @@ github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE= github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= @@ -199,6 +201,7 @@ github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= @@ -208,7 +211,10 @@ github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYp github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= +go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA= +go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY= go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s= +go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw= go.etcd.io/etcd/pkg/v3 v3.5.7/go.mod h1:kcOfWt3Ov9zgYdOiJ/o1Y9zFfLhQjylTgL4Lru8opRo= go.etcd.io/etcd/raft/v3 v3.5.7/go.mod h1:TflkAb/8Uy6JFBxcRaH2Fr6Slm9mCPVdI2efzxY96yU= go.etcd.io/etcd/server/v3 v3.5.7/go.mod h1:gxBgT84issUVBRpZ3XkW1T55NjOb4vZZRI4wVvNhf4A= @@ -254,6 +260,7 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -284,6 +291,7 @@ google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mR google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g= google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0= +google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ= google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go index dea68caab..de5d12fc3 100644 --- a/magefiles/utils/helm.go +++ b/magefiles/utils/helm.go @@ -388,10 +388,8 @@ type IngressChartValue struct { Create bool `yaml:"create"` Scope bool `yaml:"scope"` } `yaml:"rbac"` - PodSecurityPolicy struct { - Enabled bool `yaml:"enabled"` - } `yaml:"podSecurityPolicy"` - ServiceAccount struct { + PodSecurityAdmission map[string]string `yaml:"podSecurityAdmission"` + ServiceAccount struct { Create bool `yaml:"create"` Name string `yaml:"name"` AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go index abdb168e1..1b45aa9dd 100644 --- a/test/e2e/framework/util.go +++ b/test/e2e/framework/util.go @@ -19,6 +19,7 @@ package framework import ( "context" "fmt" + "maps" "os" "time" @@ -120,7 +121,15 @@ func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error // CreateKubeNamespaceWithLabel creates a new namespace with given labels in the cluster func CreateKubeNamespaceWithLabel(baseName string, labels map[string]string, c kubernetes.Interface) (string, error) { - return createNamespace(baseName, labels, c) + if labels == nil { + labels = make(map[string]string) + } + newLabels := map[string]string{ + "pod-security.kubernetes.io/enforce": "baseline", + "pod-security.kubernetes.io/audit": "restricted", + } + maps.Copy(newLabels, labels) + return createNamespace(baseName, newLabels, c) } // DeleteKubeNamespace deletes a namespace and all the objects inside diff --git a/test/e2e/settings/pod_security_policy.go b/test/e2e/settings/pod_security_policy.go deleted file mode 100644 index b21fb870e..000000000 --- a/test/e2e/settings/pod_security_policy.go +++ /dev/null @@ -1,142 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package settings - -import ( - "context" - "net/http" - "strconv" - "strings" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - policyv1beta1 "k8s.io/api/policy/v1beta1" - rbacv1 "k8s.io/api/rbac/v1" - k8sErrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - ingressControllerPSP = "ingress-controller-psp" -) - -var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies", func() { - f := framework.NewDefaultFramework("pod-security-policies") - - ginkgo.It("should be running with a Pod Security Policy", func() { - k8sversion, err := f.KubeClientSet.Discovery().ServerVersion() - if err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "getting version") - } - - numversion, err := strconv.Atoi(k8sversion.Minor) - if err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "converting version") - } - - if numversion > 24 { - ginkgo.Skip("PSP not supported in this version") - } - - psp := createPodSecurityPolicy() - _, err = f.KubeClientSet.PolicyV1beta1().PodSecurityPolicies().Create(context.TODO(), psp, metav1.CreateOptions{}) - if !k8sErrors.IsAlreadyExists(err) { - assert.Nil(ginkgo.GinkgoT(), err, "creating Pod Security Policy") - } - - role, err := f.KubeClientSet.RbacV1().Roles(f.Namespace).Get(context.TODO(), "nginx-ingress", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "getting ingress controller cluster role") - assert.NotNil(ginkgo.GinkgoT(), role) - - role.Rules = append(role.Rules, rbacv1.PolicyRule{ - APIGroups: []string{"policy"}, - Resources: []string{"podsecuritypolicies"}, - ResourceNames: []string{ingressControllerPSP}, - Verbs: []string{"use"}, - }) - - _, err = f.KubeClientSet.RbacV1().Roles(f.Namespace).Update(context.TODO(), role, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller cluster role to use a pod security policy") - - // update the deployment just to trigger a rolling update and the use of the security policy - err = f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { - args := deployment.Spec.Template.Spec.Containers[0].Args - args = append(args, "--v=2") - deployment.Spec.Template.Spec.Containers[0].Args = args - _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) - - return err - }) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating ingress controller deployment flags") - - f.WaitForNginxListening(80) - - f.NewEchoDeployment() - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, "server_tokens off") - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", "foo.bar.com"). - Expect(). - Status(http.StatusNotFound) - }) -}) - -func createPodSecurityPolicy() *policyv1beta1.PodSecurityPolicy { - trueValue := true - return &policyv1beta1.PodSecurityPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: ingressControllerPSP, - }, - Spec: policyv1beta1.PodSecurityPolicySpec{ - AllowPrivilegeEscalation: &trueValue, - RequiredDropCapabilities: []corev1.Capability{"All"}, - RunAsUser: policyv1beta1.RunAsUserStrategyOptions{ - Rule: "RunAsAny", - }, - SELinux: policyv1beta1.SELinuxStrategyOptions{ - Rule: "RunAsAny", - }, - FSGroup: policyv1beta1.FSGroupStrategyOptions{ - Ranges: []policyv1beta1.IDRange{ - { - Min: 1, - Max: 65535, - }, - }, - Rule: "MustRunAs", - }, - SupplementalGroups: policyv1beta1.SupplementalGroupsStrategyOptions{ - Ranges: []policyv1beta1.IDRange{ - { - Min: 1, - Max: 65535, - }, - }, - Rule: "MustRunAs", - }, - }, - } -} diff --git a/test/e2e/settings/pod_security_policy_volumes.go b/test/e2e/settings/pod_security_policy_volumes.go deleted file mode 100644 index f8fc58300..000000000 --- a/test/e2e/settings/pod_security_policy_volumes.go +++ /dev/null @@ -1,127 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package settings - -import ( - "context" - "net/http" - "strconv" - "strings" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" - k8sErrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with volumes", func() { - f := framework.NewDefaultFramework("pod-security-policies-volumes") - - ginkgo.It("should be running with a Pod Security Policy", func() { - k8sversion, err := f.KubeClientSet.Discovery().ServerVersion() - if err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "getting version") - } - - numversion, err := strconv.Atoi(k8sversion.Minor) - if err != nil { - assert.Nil(ginkgo.GinkgoT(), err, "converting version") - } - - if numversion > 24 { - ginkgo.Skip("PSP not supported in this version") - } - psp := createPodSecurityPolicy() - _, err = f.KubeClientSet.PolicyV1beta1().PodSecurityPolicies().Create(context.TODO(), psp, metav1.CreateOptions{}) - if !k8sErrors.IsAlreadyExists(err) { - assert.Nil(ginkgo.GinkgoT(), err, "creating Pod Security Policy") - } - - role, err := f.KubeClientSet.RbacV1().Roles(f.Namespace).Get(context.TODO(), "nginx-ingress", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "getting ingress controller cluster role") - assert.NotNil(ginkgo.GinkgoT(), role) - - role.Rules = append(role.Rules, rbacv1.PolicyRule{ - APIGroups: []string{"policy"}, - Resources: []string{"podsecuritypolicies"}, - ResourceNames: []string{ingressControllerPSP}, - Verbs: []string{"use"}, - }) - - _, err = f.KubeClientSet.RbacV1().Roles(f.Namespace).Update(context.TODO(), role, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller cluster role to use a pod security policy") - - err = f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { - args := deployment.Spec.Template.Spec.Containers[0].Args - args = append(args, "--v=2") - deployment.Spec.Template.Spec.Containers[0].Args = args - - deployment.Spec.Template.Spec.Volumes = []corev1.Volume{ - { - Name: "ssl", VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - }, - { - Name: "tmp", VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - }, - } - - fsGroup := int64(33) - deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{ - FSGroup: &fsGroup, - } - - deployment.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{ - { - Name: "ssl", MountPath: "/etc/my-amazing-ssl", - }, - { - Name: "tmp", MountPath: "/my-other-tmp", - }, - } - - _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) - - return err - }) - assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment") - - f.WaitForNginxListening(80) - - f.NewEchoDeployment() - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, "server_tokens off") - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", "foo.bar.com"). - Expect(). - Status(http.StatusNotFound) - }) -})