DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Chart: Tighten securityContexts and Pod Security Policies. (#10491)

Browse source 
* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`.

* Values: Add missing `controller.containerSecurityContext`.

Already in use, but has never been added to values.

* Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`.

* Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`.

Due to alignment with other templates.

* Helpers: Improve `extraModules`.

- Make `command` a multiline list.
- Fix `toYaml` usage.
- Remove `toYaml` where not necessary.

* Helpers: Move `ingress-nginx.defaultBackend.fullname`.

* Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`.

Extracts the default backend `securityContext` into a template, as for the controller.

* Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`.

* Controller: Improve `controller.extraModules` & `controller.opentelemetry`.

- Add `controller.extraModules.distroless` & `controller.extraModules.resources`.
- Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`.
- Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`.
- Remove redundant whitespaces.

* Controller/PSP: Align indentation.

* Controller/PSP: Remove quotes.

* Controller/PSP: Improve comments.

* Controller/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`.

* Admission Webhooks/PSP: Align indentation.

* Admission Webhooks/PSP: Reorder fields.

* Admission Webhooks/PSP: Align condition.

* Admission Webhooks/ClusterRole: Align PSP rule.

* Default Backend/PSP: Align indentation.

* Default Backend/PSP: Reorder fields.

See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.

* Values: Tighten `controller.image`.

Due to recent changes, the controller image can be run without privilege escalation:

- https://github.com/kubernetes/ingress-nginx/issues/8499
- https://github.com/kubernetes/ingress-nginx/pull/7449

* Values: Tighten `controller.extraModules.containerSecurityContext`.

* Values: Tighten `controller.opentelemetry.containerSecurityContext`.

* Values: Tighten `controller.admissionWebhooks.*.securityContext`.

Moves the pod `securityContext` to the containers to not interfere with injected containers.

* Values: Tighten `defaultBackend.image`.
This commit is contained in:
Marco Ebert 2023-11-07 18:52:36 +01:00 committed by GitHub
parent 6499a6bd04
commit 8b026f42d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 316 additions and 216 deletions
Download patch file Download diff file Expand all files Collapse all files

71
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -39,23 +39,31 @@ Allows overriding it for multi-namespace deployments in combined charts.
{{- end -}}
{{/*
Container SecurityContext.
Controller container security context.
*/}}
{{- define "controller.containerSecurityContext" -}}
{{- define "ingress-nginx.controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/*
@ -116,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
@ -183,6 +183,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
@ -194,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
{{- end -}}
{{- end -}}
{{/*
Default backend container security context.
*/}}
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
{{- if .Values.defaultBackend.containerSecurityContext -}}
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
{{- if .Values.defaultBackend.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
@ -230,18 +258,21 @@ Extra modules.
{{- define "extraModules" -}}
- name: {{ .name }}
image: {{ .image }}
{{- if .distroless | default false }}
command: ['/init_module']
command:
{{- if .distroless }}
- /init_module
{{- else }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
- sh
- -c
- /usr/local/bin/init_module.sh
{{- end }}
{{- if .containerSecurityContext }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
{{- end }}
{{- if .resources }}
resources: {{ .resources | toYaml | nindent 4 }}
resources: {{ toYaml .resources | nindent 4 }}
{{- end }}
volumeMounts:
- name: {{ toYaml "modules"}}
mountPath: {{ toYaml "/modules_mount"}}
- name: modules
mountPath: /modules_mount
{{- end -}}