From c5f102e10c8da98a10b8c9638154cfbac1ab6ae5 Mon Sep 17 00:00:00 2001
From: Marco Ebert <marco@giantswarm.io>
Date: Wed, 4 Oct 2023 15:04:39 +0200
Subject: [PATCH] Values: Tighten
 `controller.opentelemetry.containerSecurityContext`.

---
 charts/ingress-nginx/README.md   | 5 +++++
 charts/ingress-nginx/values.yaml | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index cf271b400..362bfa17d 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -383,6 +383,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
+| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` |  |
+| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
+| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | controller.opentelemetry.distroless | bool | `true` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
 | controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index f8866454e..cdbbfbe98 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -611,7 +611,16 @@ controller:
     image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
     distroless: true
     containerSecurityContext:
+      runAsNonRoot: true
+      # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
+      runAsUser: 65532
       allowPrivilegeEscalation: false
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
     resources: {}
   admissionWebhooks:
     name: admission