From 1a89585261b3277df7eaa51e26f2ecb7457d7704 Mon Sep 17 00:00:00 2001
From: Markus Blaschke
Date: Wed, 24 Jul 2019 01:34:14 +0200
Subject: [PATCH] [stable/nginx-ingress] Add variable for allowPrivilegeEscalation (#12435)
* Add allowPrivilegeEscalation as variable Adds variable for allowPrivilegeEscalation which allows to use NET_BIND_SERVICE with a PodSecurityPolicy which forbids privilege escalation.
Signed-off-by: Markus Blaschke
* Set allowPrivilegeEscalation to true Should be enabled as NET_BIND_SERVICE is active by default
Signed-off-by: Markus Blaschke
---
 wallarm-ingress/Chart.yaml | 2 +-
 wallarm-ingress/templates/controller-daemonset.yaml | 1 +
 wallarm-ingress/templates/controller-deployment.yaml | 1 +
 wallarm-ingress/values.yaml | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/wallarm-ingress/Chart.yaml b/wallarm-ingress/Chart.yaml
index 30ea65f..dc979e9 100644
--- a/wallarm-ingress/Chart.yaml
+++ b/wallarm-ingress/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: nginx-ingress
-version: 1.11.0
+version: 1.11.1
 appVersion: 0.25.0
 home: https://github.com/kubernetes/ingress-nginx
 description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.
diff --git a/wallarm-ingress/templates/controller-daemonset.yaml b/wallarm-ingress/templates/controller-daemonset.yaml
index d05fdab..a7b7fc8 100644
--- a/wallarm-ingress/templates/controller-daemonset.yaml
+++ b/wallarm-ingress/templates/controller-daemonset.yaml
@@ -95,6 +95,7 @@ spec:
 add:
 - NET_BIND_SERVICE
 runAsUser: {{ .Values.controller.image.runAsUser }}
+ allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
 {{- end }}
 env:
 - name: POD_NAME
diff --git a/wallarm-ingress/templates/controller-deployment.yaml b/wallarm-ingress/templates/controller-deployment.yaml
index 335a9ab..8334884 100644
--- a/wallarm-ingress/templates/controller-deployment.yaml
+++ b/wallarm-ingress/templates/controller-deployment.yaml
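Review bot: In controller-daemonset.yaml the added `allowPrivilegeEscalation:` line interpolates the value with no fallback, so if `.Values.controller.image.allowPrivilegeEscalation` is absent or null at render time (for example an upgrade that reuses values saved from the previous chart version) the key is emitted with an empty value and the field ends up unset instead of explicit. The same line is added to controller-deployment.yaml. Rendering it as `allowPrivilegeEscalation: {{ ne (toString .Values.controller.image.allowPrivilegeEscalation) "false" }}` keeps the manifest explicit and still honours an explicit `false`; `| default true` would not, because Helm's `default` treats `false` as empty. The `{{- end }}` after the added line closes a block that opens outside the hunk, so the condition under which this securityContext is rendered is not visible here.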
@@ -95,6 +95,7 @@ spec:
 add:
 - NET_BIND_SERVICE
 runAsUser: {{ .Values.controller.image.runAsUser }}
+ allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
 {{- end }}
 env:
 - name: POD_NAME
diff --git a/wallarm-ingress/values.yaml b/wallarm-ingress/values.yaml
index 59300d4..8d58021 100644
--- a/wallarm-ingress/values.yaml
+++ b/wallarm-ingress/values.yaml
@@ -9,6 +9,7 @@ controller: pullPolicy: IfNotPresent # www-data -> uid 33 runAsUser: 33 + allowPrivilegeEscalation: true # Configures the ports the nginx-controller listens on containerPort:
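Review bot: The new default in values.yaml, `allowPrivilegeEscalation: true`, carries no comment, although it is a security-relevant setting and the reason for the default appears only in the commit message (NET_BIND_SERVICE is added by default). Someone hardening the chart is likely to flip it to `false` without knowing that the controller, running as uid 33, may then be unable to bind low ports. I would add above it `# Must be true while the controller binds ports below 1024 through NET_BIND_SERVICE as a non-root user; set to false only under a policy that forbids privilege escalation, after checking the listen ports still bind`. The key also sits under `controller.image` beside `runAsUser`, though it configures the container securityContext and not the image; that follows the existing layout, but it deserves an entry in the chart's configuration docs, which the diffstat does not show being touched.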