From b1c50b97b630031b1a2659b1b429b1067d70f389 Mon Sep 17 00:00:00 2001 From: Paul Murith Date: Tue, 24 Oct 2023 11:34:52 +0200 Subject: [PATCH 1/4] Add process namespace sharing for ingress controller --- charts/nginx-ingress/templates/controller-daemonset.yaml | 4 ++++ charts/nginx-ingress/templates/controller-deployment.yaml | 3 +++ charts/nginx-ingress/values.yaml | 3 +++ 3 files changed, 10 insertions(+) diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index 243907770a..31c44fe53c 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -76,6 +76,10 @@ spec: {{- end }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.sharedProcessNamespace }} + shareProcessNamespace: true + {{- end }} + {{- end }} containers: - name: {{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index febddbdc5d..3acc12889c 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -83,6 +83,9 @@ spec: terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.sharedProcessNamespace }} + shareProcessNamespace: true + {{- end }} containers: - image: {{ include "nginx-ingress.image" . }} name: {{ include "nginx-ingress.name" . }} diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index dc8997c7bb..ae50af5ed4 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml 
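Review bot: In the DaemonSet hunk (and identically in the Deployment hunk), the `{{- if .Values.controller.sharedProcessNamespace }}` guard is a truthiness test, so any non-empty value turns sharing on, including the string "false" supplied with `--set-string`. For a setting that weakens container isolation, that fails open. Rendering the value directly, as the `hostNetwork` line just above does, avoids this: `shareProcessNamespace: {{ .Values.controller.sharedProcessNamespace }}`. The boolean schema entry added in PATCH 4/4 would presumably reject a string as well, but the template should not depend on it. The pod spec starts and ends outside both hunks, so other guards around it are not visible here.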
@@ -64,6 +64,9 @@ controller: ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. nginxDebug: false + ## Shared process namespace between containers in the Ingress Controller pod. + sharedProcessNamespace: false + ## The log level of the Ingress Controller. logLevel: 1 From 8cc645cb26b7d2402ec553974af0b99e56586d46 Mon Sep 17 00:00:00 2001 From: Paul Murith Date: Tue, 24 Oct 2023 11:56:14 +0200 Subject: [PATCH 2/4] Remove unused end --- charts/nginx-ingress/templates/controller-daemonset.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index 31c44fe53c..bb3f1a25d4 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -79,7 +79,6 @@ spec: {{- if .Values.controller.sharedProcessNamespace }} shareProcessNamespace: true {{- end }} - {{- end }} containers: - name: {{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} From 78df82e4a5d04928d5affe3e18e56fe6e93aaeb4 Mon Sep 17 00:00:00 2001 From: Paul Murith Date: Wed, 25 Oct 2023 14:34:03 +0200 Subject: [PATCH 3/4] Changes shared key to share --- charts/nginx-ingress/templates/controller-daemonset.yaml | 2 +- charts/nginx-ingress/templates/controller-deployment.yaml | 2 +- charts/nginx-ingress/values.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index bb3f1a25d4..22e10985aa 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml 
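Review bot: The comment added above `sharedProcessNamespace` in values.yaml (PATCH 1/4) does not mention the isolation trade-off an operator accepts by enabling it. With a shared PID namespace, every container in the pod can see the NGINX processes and everything in their `/proc` entries, including arguments and environment. It can also reach their filesystem through `/proc/<pid>/root`, so TLS keys and other mounted secrets are protected only by Unix file permissions. I would extend the comment to something like `## Shares one PID namespace across all containers in the Ingress Controller pod. Other containers can then see NGINX processes and their filesystem via /proc/<pid>/root; enable only when every container in the pod is trusted.` The same wording applies after the key is renamed in PATCH 3/4.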
@@ -76,7 +76,7 @@ spec: {{- end }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.controller.sharedProcessNamespace }} + {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: true {{- end }} containers: diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 3acc12889c..2b4d7dd569 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -83,7 +83,7 @@ spec: terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.controller.sharedProcessNamespace }} + {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: true {{- end }} containers: diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index ae50af5ed4..97789b4cf0 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -64,8 +64,8 @@ controller: ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. nginxDebug: false - ## Shared process namespace between containers in the Ingress Controller pod. - sharedProcessNamespace: false + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false ## The log level of the Ingress Controller. logLevel: 1 From 9d05fddca0c8047e5703e6e254d88eac5ecb9066 Mon Sep 17 00:00:00 2001 From: Paul Murith Date: Thu, 26 Oct 2023 18:25:36 +0200 Subject: [PATCH 4/4] Updates README and values.schema.json --- charts/nginx-ingress/README.md | 1 + charts/nginx-ingress/values.schema.json | 10 ++++++++++ 2 files changed, 11 insertions(+) 
diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index e23afecfab..19c7961d22 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -342,6 +342,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | |`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | |`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 26686284a8..07f93660d2 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -241,6 +241,15 @@ true ] }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, "logLevel": { "type": "integer", "default": 1, @@ -1298,6 +1307,7 @@ }, "hostNetwork": false, "nginxDebug": false, + "shareProcessNamespace": false, "logLevel": 1, "customPorts": [], "image": {
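Review bot: The `title` added for `shareProcessNamespace` in values.schema.json says the namespace is shared "between pods", which is wrong and overstates the setting's reach. The Kubernetes field shares the PID namespace only between containers of the same pod, as the README row in this same patch correctly says. Suggested wording: `"title": "Enables sharing of the process namespace between containers in the Ingress Controller pod"`. Tools that surface schema titles would otherwise give operators the wrong picture of the isolation boundary being relaxed.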