securityContext in admission-webhook now configurable e.g. to set seccompProfiles (#8930)

* Make securityContext in admission-webhook more configurable e.g. to set seccompProfiles Signed-off-by: Oliver Michels <oliver.michels@aldi-sued.com> * Make securityContext in admission-webhook more configurable e.g. to set seccompProfiles Signed-off-by: Oliver Michels <oliver.michels@aldi-sued.com> * Make securityContext in admission-webhook more configurable e.g. to set seccompProfiles Signed-off-by: Oliver Michels <oliver.michels@aldi-sued.com> * Make securityContext in admission-webhook more configurable e.g. to set seccompProfiles Signed-off-by: Oliver Michels <oliver.michels@aldi-sued.com> Signed-off-by: Oliver Michels <oliver.michels@aldi-sued.com>
2022-08-23 01:12:09 +02:00 · 2022-08-23 01:12:09 +02:00 · cad575e923
commit cad575e923
parent 1791b62e45
5 changed files with 16 additions and 12 deletions
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.2.1
+version: 4.2.2
 appVersion: 1.3.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -2,7 +2,7 @@

 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

-![Version: 4.2.1](https://img.shields.io/badge/Version-4.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
+![Version: 4.2.2](https://img.shields.io/badge/Version-4.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)

 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.

@ -252,7 +252,6 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.fsGroup | int | `2000` |  |
 | controller.admissionWebhooks.patch.image.digest | string | `"sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
@ -262,7 +261,9 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
-| controller.admissionWebhooks.patch.runAsUser | int | `2000` |  |
+| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` |  |
+| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` |  |
+| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` |  |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.port | int | `8443` |  |
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -72,8 +72,8 @@ spec:
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
+      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
      securityContext:
-        runAsNonRoot: true
-        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
-        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+      {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -74,8 +74,8 @@ spec:
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
+      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
      securityContext:
-        runAsNonRoot: true
-        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
-        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+      {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -658,9 +658,12 @@ controller:
      tolerations: []
      # -- Labels to be added to patch job resources
      labels: {}
+      securityContext:
+        runAsNonRoot: true
        runAsUser: 2000
        fsGroup: 2000

+
  metrics:
    port: 10254
    # if this port is changed, change healthz-port: in extraArgs: accordingly