ingress-nginx-helm

History

Marco Ebert 8b026f42d5 Chart: Tighten `securityContext`s and Pod Security Policies. (#10491 ) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks..securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. Values: Tighten `defaultBackend.image`.	2023-11-07 18:52:36 +01:00
..
ingress-nginx	Chart: Tighten `securityContext`s and Pod Security Policies. (#10491 )	2023-11-07 18:52:36 +01:00

Chart: Tighten securityContexts and Pod Security Policies. (#10491 )

* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`.

* Values: Add missing `controller.containerSecurityContext`.

Already in use, but has never been added to values.

* Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`.

* Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`.

Due to alignment with other templates.

* Helpers: Improve `extraModules`.

- Make `command` a multiline list.
- Fix `toYaml` usage.
- Remove `toYaml` where not necessary.

* Helpers: Move `ingress-nginx.defaultBackend.fullname`.

* Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`.

Extracts the default backend `securityContext` into a template, as for the controller.

* Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`.

* Controller: Improve `controller.extraModules` & `controller.opentelemetry`.

- Add `controller.extraModules.distroless` & `controller.extraModules.resources`.
- Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`.
- Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`.
- Remove redundant whitespaces.

* Controller/PSP: Align indentation.

* Controller/PSP: Remove quotes.

* Controller/PSP: Improve comments.

* Controller/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`.

* Admission Webhooks/PSP: Align indentation.

* Admission Webhooks/PSP: Reorder fields.

* Admission Webhooks/PSP: Align condition.

* Admission Webhooks/ClusterRole: Align PSP rule.

* Default Backend/PSP: Align indentation.

* Default Backend/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Values: Tighten `controller.image`.

Due to recent changes, the controller image can be run without privilege escalation:

- https://github.com/kubernetes/ingress-nginx/issues/8499
- https://github.com/kubernetes/ingress-nginx/pull/7449

* Values: Tighten `controller.extraModules.containerSecurityContext`.

* Values: Tighten `controller.opentelemetry.containerSecurityContext`.

* Values: Tighten `controller.admissionWebhooks.*.securityContext`.

Moves the pod `securityContext` to the containers to not interfere with injected containers.

* Values: Tighten `defaultBackend.image`.

2023-11-07 18:52:36 +01:00

ingress-nginx Chart: Tighten securityContexts and Pod Security Policies. (#10491 ) 2023-11-07 18:52:36 +01:00