Chart: Tighten securityContexts and Pod Security Policies. (#10491)

* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 18:52:36 +01:00 · 2023-11-07 18:52:36 +01:00 · 8b026f42d5
commit 8b026f42d5
parent 6499a6bd04
12 changed files with 316 additions and 216 deletions
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -39,23 +39,31 @@ Allows overriding it for multi-namespace deployments in combined charts.
 {{- end -}}

 {{/*
-Container SecurityContext.
+Controller container security context.
 */}}
-{{- define "controller.containerSecurityContext" -}}
+{{- define "ingress-nginx.controller.containerSecurityContext" -}}
 {{- if .Values.controller.containerSecurityContext -}}
 {{- toYaml .Values.controller.containerSecurityContext -}}
 {{- else -}}
+runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
+runAsUser: {{ .Values.controller.image.runAsUser }}
+allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
+{{- if .Values.controller.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
+{{- end }}
 capabilities:
  drop:
  - ALL
  add:
  - NET_BIND_SERVICE
  {{- if .Values.controller.image.chroot }}
+  {{- if .Values.controller.image.seccompProfile }}
+  - SYS_ADMIN
+  {{- end }}
  - SYS_CHROOT
  {{- end }}
-runAsUser: {{ .Values.controller.image.runAsUser }}
-allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
-{{- end }}
+readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
+{{- end -}}
 {{- end -}}

 {{/*
@ -116,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
 {{- print $servicePath | trimSuffix "-" -}}
 {{- end -}}

-{{/*
-Create a default fully qualified default backend name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "ingress-nginx.defaultBackend.fullname" -}}
-{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*
 Common labels
 */}}
@ -183,6 +183,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{/*
+Create a default fully qualified default backend name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}
@ -194,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
 {{- end -}}
 {{- end -}}

+{{/*
+Default backend container security context.
+*/}}
+{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
+{{- if .Values.defaultBackend.containerSecurityContext -}}
+{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
+{{- else -}}
+runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
+capabilities:
+  drop:
+  - ALL
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiGroup for PodSecurityPolicy.
 */}}
@ -230,18 +258,21 @@ Extra modules.
 {{- define "extraModules" -}}
 - name: {{ .name }}
  image: {{ .image }}
-  {{- if .distroless | default false }}
-  command: ['/init_module']
+  command:
+  {{- if .distroless }}
+    - /init_module
  {{- else }}
-  command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+    - sh
+    - -c
+    - /usr/local/bin/init_module.sh
  {{- end }}
  {{- if .containerSecurityContext }}
-  securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
+  securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
  {{- end }}
  {{- if .resources }}
-  resources: {{ .resources | toYaml | nindent 4 }}
+  resources: {{ toYaml .resources | nindent 4 }}
  {{- end }}
  volumeMounts:
-    - name: {{ toYaml "modules"}}
-      mountPath: {{ toYaml "/modules_mount"}}
+    - name: modules
+      mountPath: /modules_mount
 {{- end -}}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -21,14 +21,13 @@ rules:
      - get
      - update
 {{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs:     ['use']
-    resourceNames:
+  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
+    resources:      ['podsecuritypolicies']
+    verbs:          ['use']
    {{- with .Values.controller.admissionWebhooks.existingPsp }}
-    - {{ . }}
+    resourceNames:  [{{ . }}]
    {{- else }}
-    - {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
+    resourceNames:  [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
    {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -73,8 +73,7 @@ spec:
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
-      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
-      securityContext:
-        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
-      {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+      securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+    {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -75,8 +75,7 @@ spec:
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
-      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
-      securityContext:
-        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
-      {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+      securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+    {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@ -1,5 +1,5 @@
 {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -7,6 +7,7 @@ metadata:
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
@ -14,28 +15,38 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  allowPrivilegeEscalation: false
+  privileged: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
  fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
    rule: MustRunAs
-  requiredDropCapabilities:
-  - ALL
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
  seLinux:
    rule: RunAsAny
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  volumes:
-  - configMap
-  - emptyDir
-  - projected
-  - secret
-  - downwardAPI
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@ -60,16 +60,16 @@ spec:
    {{- end }}
    {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
      securityContext:
-    {{- end }}
-    {{- if .Values.controller.podSecurityContext }}
+      {{- if .Values.controller.podSecurityContext }}
        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
-    {{- end }}
-    {{- if .Values.controller.sysctls }}
+      {{- end }}
+      {{- if .Values.controller.sysctls }}
        sysctls:
-    {{- range $sysctl, $value := .Values.controller.sysctls }}
-        - name: {{ $sysctl | quote }}
-          value: {{ $value | quote }}
-    {{- end }}
+        {{- range $sysctl, $value := .Values.controller.sysctls }}
+          - name: {{ $sysctl | quote }}
+            value: {{ $value | quote }}
+        {{- end }}
+      {{- end }}
    {{- end }}
    {{- if .Values.controller.shareProcessNamespace }}
      shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -83,9 +83,8 @@ spec:
        {{- if .Values.controller.lifecycle }}
          lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
        {{- end }}
-          args:
-            {{- include "ingress-nginx.params" . | nindent 12 }}
-          securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
+          args: {{ include "ingress-nginx.params" . | nindent 12 }}
+          securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
          env:
            - name: POD_NAME
              valueFrom:
@ -150,11 +149,11 @@ spec:
          volumeMounts:
          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
            - name: modules
-            {{ if .Values.controller.image.chroot }}
+            {{- if .Values.controller.image.chroot }}
              mountPath: /chroot/modules_mount
-            {{ else }}
+            {{- else }}
              mountPath: /modules_mount
-            {{ end }}
+            {{- end }}
          {{- end }}
          {{- if .Values.controller.customTemplate.configMapName }}
            - mountPath: /etc/nginx/template
@ -174,24 +173,25 @@ spec:
          resources: {{ toYaml .Values.controller.resources | nindent 12 }}
        {{- end }}
      {{- if .Values.controller.extraContainers }}
-        {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+        {{- toYaml .Values.controller.extraContainers | nindent 8 }}
      {{- end }}
    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
      initContainers:
      {{- if .Values.controller.extraInitContainers }}
-        {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+        {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
      {{- end }}
      {{- if .Values.controller.extraModules }}
        {{- range .Values.controller.extraModules }}
          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.controller.opentelemetry.enabled }}
+        {{- with .Values.controller.opentelemetry }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
        {{- end }}
      {{- end }}
-      {{- if .Values.controller.opentelemetry.enabled}}
-          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
-      {{- end}}
    {{- end }}
    {{- if .Values.controller.hostNetwork }}
      hostNetwork: {{ .Values.controller.hostNetwork }}
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@ -63,16 +63,16 @@ spec:
    {{- end }}
    {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
      securityContext:
-    {{- end }}
-    {{- if .Values.controller.podSecurityContext }}
+      {{- if .Values.controller.podSecurityContext }}
        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
-    {{- end }}
-    {{- if .Values.controller.sysctls }}
+      {{- end }}
+      {{- if .Values.controller.sysctls }}
        sysctls:
-    {{- range $sysctl, $value := .Values.controller.sysctls }}
-        - name: {{ $sysctl | quote }}
-          value: {{ $value | quote }}
-    {{- end }}
+        {{- range $sysctl, $value := .Values.controller.sysctls }}
+          - name: {{ $sysctl | quote }}
+            value: {{ $value | quote }}
+        {{- end }}
+      {{- end }}
    {{- end }}
    {{- if .Values.controller.shareProcessNamespace }}
      shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
@ -86,9 +86,8 @@ spec:
        {{- if .Values.controller.lifecycle }}
          lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
        {{- end }}
-          args:
-            {{- include "ingress-nginx.params" . | nindent 12 }}
-          securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
+          args: {{ include "ingress-nginx.params" . | nindent 12 }}
+          securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
          env:
            - name: POD_NAME
              valueFrom:
@ -153,11 +152,11 @@ spec:
          volumeMounts:
          {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
            - name: modules
-            {{ if .Values.controller.image.chroot }}
+            {{- if .Values.controller.image.chroot }}
              mountPath: /chroot/modules_mount
-            {{ else }}
+            {{- else }}
              mountPath: /modules_mount
-            {{ end }}
+            {{- end }}
          {{- end }}
          {{- if .Values.controller.customTemplate.configMapName }}
            - mountPath: /etc/nginx/template
@ -177,24 +176,25 @@ spec:
          resources: {{ toYaml .Values.controller.resources | nindent 12 }}
        {{- end }}
      {{- if .Values.controller.extraContainers }}
-        {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+        {{- toYaml .Values.controller.extraContainers | nindent 8 }}
      {{- end }}
    {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
      initContainers:
      {{- if .Values.controller.extraInitContainers }}
-        {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+        {{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
      {{- end }}
      {{- if .Values.controller.extraModules }}
        {{- range .Values.controller.extraModules }}
          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.controller.opentelemetry.enabled }}
+        {{- with .Values.controller.opentelemetry }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
        {{- end }}
      {{- end }}
-      {{- if .Values.controller.opentelemetry.enabled}}
-          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
-      {{- end}}
    {{- end }}
    {{- if .Values.controller.hostNetwork }}
      hostNetwork: {{ .Values.controller.hostNetwork }}
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "ingress-nginx.fullname" . }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: controller
@ -11,84 +13,88 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-    - SYS_CHROOT
-  {{- end }}
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-  - {{ $sysctl }}
-  {{- end }}
-{{- end }}
  privileged: false
-  allowPrivilegeEscalation: true
-  # Allow core volume types.
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-{{- if .Values.controller.hostNetwork }}
+  hostPID: false
+  hostIPC: false
  hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- end }}
 {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
  hostPorts:
-{{- if .Values.controller.hostNetwork }}
-{{- range $key, $value := .Values.controller.containerPort }}
-  # {{ $key }}
-  - min: {{ $value }}
-    max: {{ $value }}
+  {{- if .Values.controller.hostNetwork }}
+  {{- range $key, $value := .Values.controller.containerPort }}
+    # controller.containerPort.{{ $key }}
+    - min: {{ $value }}
+      max: {{ $value }}
+  {{- end }}
+  {{- else if .Values.controller.hostPort.enabled }}
+  {{- range $key, $value := .Values.controller.hostPort.ports }}
+    # controller.hostPort.ports.{{ $key }}
+    - min: {{ $value }}
+      max: {{ $value }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.controller.metrics.enabled }}
+    # controller.metrics.port
+    - min: {{ .Values.controller.metrics.port }}
+      max: {{ .Values.controller.metrics.port }}
+  {{- end }}
+  {{- if .Values.controller.admissionWebhooks.enabled }}
+    # controller.admissionWebhooks.port
+    - min: {{ .Values.controller.admissionWebhooks.port }}
+      max: {{ .Values.controller.admissionWebhooks.port }}
+  {{- end }}
+  {{- range $key, $value := .Values.tcp }}
+    # tcp.{{ $key }}
+    - min: {{ $key }}
+      max: {{ $key }}
+  {{- end }}
+  {{- range $key, $value := .Values.udp }}
+    # udp.{{ $key }}
+    - min: {{ $key }}
+      max: {{ $key }}
+  {{- end }}
 {{- end }}
-{{- else if .Values.controller.hostPort.enabled }}
-{{- range $key, $value := .Values.controller.hostPort.ports }}
-  # {{ $key }}
-  - min: {{ $value }}
-    max: {{ $value }}
-{{- end }}
-{{- end }}
-{{- if .Values.controller.metrics.enabled }}
-  # metrics
-  - min: {{ .Values.controller.metrics.port }}
-    max: {{ .Values.controller.metrics.port }}
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
-  # admission webhooks
-  - min: {{ .Values.controller.admissionWebhooks.port }}
-    max: {{ .Values.controller.admissionWebhooks.port }}
-{{- end }}
-{{- range $key, $value := .Values.tcp }}
-  # {{ $key }}-tcp
-  - min: {{ $key }}
-    max: {{ $key }}
-{{- end }}
-{{- range $key, $value := .Values.udp }}
-  # {{ $key }}-udp
-  - min: {{ $key }}
-    max: {{ $key }}
-{{- end }}
-{{- end }}
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: 'MustRunAsNonRoot'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
  fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
    ranges:
-      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
+  requiredDropCapabilities:
+    - ALL
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+  {{- if .Values.controller.image.chroot }}
+  {{- if .Values.controller.image.seccompProfile }}
+    - SYS_ADMIN
+  {{- end }}
+    - SYS_CHROOT
+  {{- end }}
  seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
+{{- if .Values.controller.sysctls }}
+  allowedUnsafeSysctls:
+  {{- range $sysctl, $value := .Values.controller.sysctls }}
+    - {{ $sysctl }}
+  {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@ -65,14 +65,7 @@ spec:
            {{- end }}
          {{- end }}
        {{- end }}
-          securityContext:
-            capabilities:
-              drop:
-              - ALL
-            runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
-            runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
-            allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+          securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
        {{- if .Values.defaultBackend.extraEnvs }}
          env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
        {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "ingress-nginx.fullname" . }}-backend
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: default-backend
@ -11,28 +13,38 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  allowPrivilegeEscalation: false
+  privileged: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
  fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
    rule: MustRunAs
-  requiredDropCapabilities:
-  - ALL
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
  seLinux:
    rule: RunAsAny
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  volumes:
-  - configMap
-  - emptyDir
-  - projected
-  - secret
-  - downwardAPI
 {{- end }}
 {{- end }}