Merge pull request #6356 from AlexisMtr/pod-security-context

Add securitycontext settings on defaultbackend
2020-11-02 08:14:53 -08:00 · 2020-11-02 08:14:53 -08:00 · fb6b572378
commit fb6b572378
parent ba5e4ff118 8c56e4df9d
2 changed files with 9 additions and 0 deletions
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@ -52,7 +52,13 @@ spec:
          {{- end }}
        {{- end }}
          securityContext:
+            capabilities:
+              drop:
+              - ALL
            runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+            runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+            allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+            readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
        {{- if .Values.defaultBackend.extraEnvs }}
          env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
        {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -555,6 +555,9 @@ defaultBackend:
    pullPolicy: IfNotPresent
    # nobody user -> uid 65534
    runAsUser: 65534
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false

  extraArgs: {}