Chart: Tighten securityContexts and Pod Security Policies. (#10491)

* Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 18:52:36 +01:00 · 2023-11-07 18:52:36 +01:00 · 8b026f42d5
commit 8b026f42d5
parent 6499a6bd04
12 changed files with 316 additions and 216 deletions
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ include "ingress-nginx.fullname" . }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: controller
@ -11,84 +13,88 @@ metadata:
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-    - SYS_CHROOT
-  {{- end }}
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-  - {{ $sysctl }}
-  {{- end }}
-{{- end }}
  privileged: false
-  allowPrivilegeEscalation: true
-  # Allow core volume types.
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-{{- if .Values.controller.hostNetwork }}
+  hostPID: false
+  hostIPC: false
  hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- end }}
 {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
  hostPorts:
-{{- if .Values.controller.hostNetwork }}
-{{- range $key, $value := .Values.controller.containerPort }}
-  # {{ $key }}
-  - min: {{ $value }}
-    max: {{ $value }}
+  {{- if .Values.controller.hostNetwork }}
+  {{- range $key, $value := .Values.controller.containerPort }}
+    # controller.containerPort.{{ $key }}
+    - min: {{ $value }}
+      max: {{ $value }}
+  {{- end }}
+  {{- else if .Values.controller.hostPort.enabled }}
+  {{- range $key, $value := .Values.controller.hostPort.ports }}
+    # controller.hostPort.ports.{{ $key }}
+    - min: {{ $value }}
+      max: {{ $value }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.controller.metrics.enabled }}
+    # controller.metrics.port
+    - min: {{ .Values.controller.metrics.port }}
+      max: {{ .Values.controller.metrics.port }}
+  {{- end }}
+  {{- if .Values.controller.admissionWebhooks.enabled }}
+    # controller.admissionWebhooks.port
+    - min: {{ .Values.controller.admissionWebhooks.port }}
+      max: {{ .Values.controller.admissionWebhooks.port }}
+  {{- end }}
+  {{- range $key, $value := .Values.tcp }}
+    # tcp.{{ $key }}
+    - min: {{ $key }}
+      max: {{ $key }}
+  {{- end }}
+  {{- range $key, $value := .Values.udp }}
+    # udp.{{ $key }}
+    - min: {{ $key }}
+      max: {{ $key }}
+  {{- end }}
 {{- end }}
-{{- else if .Values.controller.hostPort.enabled }}
-{{- range $key, $value := .Values.controller.hostPort.ports }}
-  # {{ $key }}
-  - min: {{ $value }}
-    max: {{ $value }}
-{{- end }}
-{{- end }}
-{{- if .Values.controller.metrics.enabled }}
-  # metrics
-  - min: {{ .Values.controller.metrics.port }}
-    max: {{ .Values.controller.metrics.port }}
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
-  # admission webhooks
-  - min: {{ .Values.controller.admissionWebhooks.port }}
-    max: {{ .Values.controller.admissionWebhooks.port }}
-{{- end }}
-{{- range $key, $value := .Values.tcp }}
-  # {{ $key }}-tcp
-  - min: {{ $key }}
-    max: {{ $key }}
-{{- end }}
-{{- range $key, $value := .Values.udp }}
-  # {{ $key }}-udp
-  - min: {{ $key }}
-    max: {{ $key }}
-{{- end }}
-{{- end }}
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: 'MustRunAsNonRoot'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
  fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
    ranges:
-      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
+  requiredDropCapabilities:
+    - ALL
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+  {{- if .Values.controller.image.chroot }}
+  {{- if .Values.controller.image.seccompProfile }}
+    - SYS_ADMIN
+  {{- end }}
+    - SYS_CHROOT
+  {{- end }}
  seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
+{{- if .Values.controller.sysctls }}
+  allowedUnsafeSysctls:
+  {{- range $sysctl, $value := .Values.controller.sysctls }}
+    - {{ $sysctl }}
+  {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}