From 63f287aa639fa63a58e963c874593ecf4e59cd5c Mon Sep 17 00:00:00 2001 From: Venktesh Date: Tue, 13 Feb 2024 16:12:52 +0000 Subject: [PATCH 1/4] Add SecurityContext to helm values --- .../templates/controller-daemonset.yaml | 13 ++++++++-- .../templates/controller-deployment.yaml | 13 ++++++++-- charts/nginx-ingress/values.schema.json | 25 +++++++++++++++++++ charts/nginx-ingress/values.yaml | 22 +++++++++++++++- 4 files changed, 68 insertions(+), 5 deletions(-) diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index b2459c927c..58c2a3be52 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -40,8 +40,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: @@ -117,6 +116,10 @@ spec: periodSeconds: 1 initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} {{- end }} +{{- if .Values.controller.containerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} @@ -127,6 +130,7 @@ spec: - ALL add: - NET_BIND_SERVICE +{{- end }} {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} volumeMounts: {{- end }} 
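Review bot: In the `@@ -117,6 +116,10 @@` hunk a non-empty `controller.containerSecurityContext` replaces the whole hardened default block instead of overlaying it, so a user who sets only `runAsUser: 101` silently loses `allowPrivilegeEscalation: false`, the `readOnlyRootFilesystem` setting and the `drop: [ALL]` capability set; the same pattern is in this file's init-container hunks (`@@ -180`, `@@ -188`) and in the deployment template's `@@ -126`, `@@ -136`, `@@ -187` and `@@ -195` hunks. Building the defaults as a dict and rendering `mergeOverwrite` of the user map over them keeps the baseline unless a key is explicitly overridden; if replace semantics are intended, the values.yaml header comment should state that the map is used verbatim in place of the default securityContext. The middle of the default block lies between this hunk and `@@ -127`, so the sketch below elides it.
```yaml
{{- $defaultSecurityContext := dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" .Values.controller.readOnlyRootFilesystem }}
{{/* … elided: the remaining hardened defaults (capabilities drop ALL / add NET_BIND_SERVICE, …) are added to the same dict … */}}
        securityContext:
{{ toYaml (mergeOverwrite $defaultSecurityContext (default (dict) .Values.controller.containerSecurityContext)) | indent 10 }}
```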
@@ -180,6 +184,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -188,6 +196,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 1f291ff4cd..6d04d3aa5b 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -78,8 +78,7 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: - seccompProfile: - type: RuntimeDefault +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} @@ -126,6 +125,10 @@ spec: {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.containerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} @@ -136,6 +139,7 @@ spec: - ALL add: - NET_BIND_SERVICE +{{- end }} {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} volumeMounts: {{- end }} 
@@ -187,6 +191,10 @@ spec: resources: {{ toYaml .Values.controller.initContainerResources | indent 10 }} {{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -195,6 +203,7 @@ spec: capabilities: drop: - ALL +{{- end }} volumeMounts: - mountPath: /mnt/etc name: nginx-etc diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 15ceaeeec1..4065379e52 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -477,6 +477,24 @@ "title": "The terminationGracePeriodSeconds Schema", "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "containerSecurityContext": { + "type": "object", + "default": {}, + "title": "The containerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, "resources": { "type": "object", "default": {}, 
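Review bot: In the `@@ -477,6 +477,24 @@` hunk of values.schema.json the new `podSecurityContext` property declares `"default": {}`, while the chart's actual default (values.yaml, and this same file's `@@ -1424` example block) ships `seccompProfile: {type: RuntimeDefault}`; a schema-driven UI or docs generator would then advertise an empty pod security context as the baseline. Use the real value, `"default": {"seccompProfile": {"type": "RuntimeDefault"}}`, or drop the property-level default and rely on the top-level example. The `containerSecurityContext` and `initContainerSecurityContext` entries are correct as `{}`, since the template renders its own hardened block when those maps are empty.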
@@ -1424,6 +1442,13 @@ }, "nodeSelector": {}, "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containerSecurityContext": {}, + "initContainerSecurityContext": {}, "resources": { "requests": { "cpu": "100m", diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 5e98237194..a24a5972c5 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -167,6 +167,26 @@ controller: # cpu: 1 # memory: 1Gi + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + containerSecurityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. initContainerResources: requests: @@ -460,7 +480,7 @@ controller: defaultHTTPSListenerPort: 443 ## Configure root filesystem as read-only and add volumes for temporary data. - readOnlyRootFilesystem: false + readOnlyRootFilesystem: false # after 3 major releases starting 3.5.x, this argument will be moved to the `containerSecurityContext` section. ## Enable dynamic reloading of certificates enableSSLDynamicReload: true From b2136cdc53c7aff4504fb9e42b3270f7a4681389 Mon Sep 17 00:00:00 2001 
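Review bot: The commented example under `containerSecurityContext: {}` in the `@@ -167,6 +167,26 @@` hunk of values.yaml leads with `# allowPrivilegeEscalation: true`, the opposite of the hardened default the template renders when the map is empty; users who uncomment the block as a starting point ship a weaker container than the chart default, and because a populated map replaces the default block rather than merging with it, anything they leave commented is lost as well. Change the example to `# allowPrivilegeEscalation: false` and say in the `##` header that the map is used verbatim in place of the default securityContext. The `#nginx` trailing comment on the `runAsUser` line should read `# nginx` to satisfy yamllint's comment spacing rule.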
From: Venktesh Date: Tue, 13 Feb 2024 16:34:10 +0000 Subject: [PATCH 2/4] Add docs --- charts/nginx-ingress/README.md | 5 ++++- .../installation/installing-nic/installation-with-helm.md | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index ceeb03bc9e..f285a482ab 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md 
@@ -379,8 +379,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.containerSecurityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} | |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | |`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. 
Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index edd2b904e2..daa0d1282a 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md 
@@ -342,8 +342,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.volumeMounts** | The volumeMounts of the Ingress Controller pods. | [] | | **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] | | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +| **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +| **controller.containerSecurityContext** | The SecurityContext for Ingress Controller container. | {} | +| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} | | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi | | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 | | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. 
| nginx | | **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | From b68d3165197dcecd28aa5350c068e29d52165b7e Mon Sep 17 00:00:00 2001 From: Venktesh Date: Mon, 19 Feb 2024 12:06:38 +0000 Subject: [PATCH 3/4] Add review suggestions --- charts/nginx-ingress/README.md | 6 +++--- charts/nginx-ingress/templates/_helpers.tpl | 11 +++++++++++ .../templates/controller-daemonset.yaml | 16 ++++++++-------- .../templates/controller-deployment.yaml | 16 ++++++++-------- charts/nginx-ingress/values.yaml | 6 ++++-- .../installing-nic/installation-with-helm.md | 6 +++--- 6 files changed, 37 insertions(+), 24 deletions(-) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index f285a482ab..75d9fc4ea4 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md 
@@ -381,9 +381,9 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | |`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | |`controller.containerSecurityContext`| The SecurityContext for Ingress Controller container. | {} | -|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. 
The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | |`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | @@ -468,7 +468,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | |`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | |`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | -|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | |`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | |`controller.enableTelemetryReporting` | Enable telemetry reporting. | true | |`rbac.create` | Configures RBAC. | true | diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl index 274566617a..3f13513dc9 100644 --- a/charts/nginx-ingress/templates/_helpers.tpl +++ b/charts/nginx-ingress/templates/_helpers.tpl 
@@ -134,6 +134,17 @@ Expand image name. {{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} {{- end -}} +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + {{/* Build the args for the service binary. */}} diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index 58c2a3be52..5ed507b10a 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -54,10 +54,10 @@ spec: affinity: {{ toYaml .Values.controller.affinity | indent 8 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumes }} volumes: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: nginx-etc emptyDir: {} - name: nginx-cache @@ -116,9 +116,9 @@ spec: periodSeconds: 1 initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} {{- end }} -{{- if .Values.controller.containerSecurityContext }} +{{- if .Values.controller.securityContext }} securityContext: -{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{ toYaml .Values.controller.securityContext | indent 10 }} {{- else }} securityContext: allowPrivilegeEscalation: false 
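Review bot: The header comment on the new `nginx-ingress.readOnlyRootFilesystem` helper in the `@@ -134,6 +134,17 @@` hunk of _helpers.tpl does not say that it returns the strings `"true"`/`"false"`, which is why every call site has to spell out `eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true"`; a comment such as `Returns "true" when the root filesystem should be read-only, i.e. when either controller.readOnlyRootFilesystem or controller.securityContext.readOnlyRootFilesystem is set; callers must compare the result with eq, since any non-empty string is truthy.` would prevent the obvious `if include …` misuse. Alternatively emit nothing in the else branch so the helper can be used directly as `{{- if or (include "nginx-ingress.readOnlyRootFilesystem" .) .Values.controller.volumes }}`, which also removes the parenthesis spacing that currently differs between the daemonset hunks (`"true" )`), deployment `@@ -56` (`"true")`) and deployment `@@ -140`/`@@ -179` (`( eq … "true" )`). The `controller.securityContext: null` case appears to be safe only because `and` short-circuits in text/template since Go 1.18, which current Helm 3 releases are built with; a one-line comment on the `if` would stop someone reordering the operands.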
@@ -131,10 +131,10 @@ spec: add: - NET_BIND_SERVICE {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }} volumeMounts: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - mountPath: /etc/nginx name: nginx-etc - mountPath: /var/cache/nginx @@ -172,10 +172,10 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: init-{{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 6d04d3aa5b..e2a4b16c0d 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -56,10 +56,10 @@ spec: topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true") .Values.controller.volumes }} volumes: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: nginx-etc emptyDir: {} - name: nginx-cache 
@@ -125,9 +125,9 @@ spec: {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} -{{- if .Values.controller.containerSecurityContext }} +{{- if .Values.controller.securityContext }} securityContext: -{{ toYaml .Values.controller.containerSecurityContext | indent 10 }} +{{ toYaml .Values.controller.securityContext | indent 10 }} {{- else }} securityContext: allowPrivilegeEscalation: false @@ -140,10 +140,10 @@ spec: add: - NET_BIND_SERVICE {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }} volumeMounts: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - mountPath: /etc/nginx name: nginx-etc - mountPath: /var/cache/nginx @@ -179,10 +179,10 @@ spec: {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} -{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} initContainers: {{- end }} -{{- if .Values.controller.readOnlyRootFilesystem }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} - name: init-{{ include "nginx-ingress.name" . }} image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index a24a5972c5..916f7a48e8 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml 
@@ -175,7 +175,7 @@ controller: ## The security context for the Ingress Controller containers. containerSecurityContext: {} # Remove curly brackets before adding values # allowPrivilegeEscalation: true - # readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem + # readOnlyRootFilesystem: true # runAsUser: 101 #nginx # runAsNonRoot: true # capabilities: @@ -480,7 +480,9 @@ controller: defaultHTTPSListenerPort: 443 ## Configure root filesystem as read-only and add volumes for temporary data. - readOnlyRootFilesystem: false # after 3 major releases starting 3.5.x, this argument will be moved to the `containerSecurityContext` section. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false ## Enable dynamic reloading of certificates enableSSLDynamicReload: true diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index daa0d1282a..cec1938f53 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md 
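Review bot: The new comment in the `@@ -480,7 +480,9 @@` hunk, `## This value will not be used if controller.securityContext is set`, contradicts the `nginx-ingress.readOnlyRootFilesystem` helper added in this same commit, which ORs `controller.readOnlyRootFilesystem` with `controller.securityContext.readOnlyRootFilesystem` and therefore still drives the init container, the emptyDir volumes and their mounts when `controller.securityContext` is populated; only the container's own `readOnlyRootFilesystem` field stops being taken from it. The combination of this value set to `true` and a custom securityContext without `readOnlyRootFilesystem: true` yields a pod that carries the read-only scaffolding while the root filesystem stays writable, and the comment hides that. Suggested wording: `## When controller.securityContext is set, this value no longer sets the container's readOnlyRootFilesystem field, but it still enables the init container and volumes; set readOnlyRootFilesystem: true inside controller.securityContext as well to keep the two consistent.`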
@@ -344,9 +344,9 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | | **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | | **controller.containerSecurityContext** | The SecurityContext for Ingress Controller container. | {} | -| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} | +| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | -| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi | +| **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 | | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. 
The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | | **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true | @@ -431,7 +431,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | | **controller.defaultHTTPListenerPort** | Sets the port for the HTTP `default_server` listener. | 80 | | **controller.defaultHTTPSListenerPort** | Sets the port for the HTTPS `default_server` listener. | 443 | -| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. | false | +| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | | **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true | | **rbac.create** | Configures RBAC. | true | | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | From 85d9d6e762ad665d28a16a167da05760c8dee89a Mon Sep 17 00:00:00 2001 
From: Venktesh Date: Mon, 19 Feb 2024 12:14:11 +0000 Subject: [PATCH 4/4] Fix typos --- charts/nginx-ingress/README.md | 2 +- charts/nginx-ingress/values.schema.json | 6 +++--- charts/nginx-ingress/values.yaml | 2 +- .../installation/installing-nic/installation-with-helm.md | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index 75d9fc4ea4..fa3232c2b0 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -380,7 +380,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | |`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | -|`controller.containerSecurityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | |`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | |`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 5c2e21d490..2a1569c66b 100644 --- a/charts/nginx-ingress/values.schema.json 
+++ b/charts/nginx-ingress/values.schema.json @@ -514,10 +514,10 @@ "title": "The podSecurityContext Schema", "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" }, - "containerSecurityContext": { + "securityContext": { "type": "object", "default": {}, - "title": "The containerSecurityContext Schema", + "title": "The securityContext Schema", "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "initContainerSecurityContext": { @@ -1478,7 +1478,7 @@ "type": "RuntimeDefault" } }, - "containerSecurityContext": {}, + "securityContext": {}, "initContainerSecurityContext": {}, "resources": { "requests": { diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 916f7a48e8..6c2cabb95d 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -173,7 +173,7 @@ controller: type: RuntimeDefault ## The security context for the Ingress Controller containers. - containerSecurityContext: {} # Remove curly brackets before adding values + securityContext: {} # Remove curly brackets before adding values # allowPrivilegeEscalation: true # readOnlyRootFilesystem: true # runAsUser: 101 #nginx diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index cec1938f53..afa3f6f862 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md 
@@ -343,7 +343,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] | | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | | **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | -| **controller.containerSecurityContext** | The SecurityContext for Ingress Controller container. | {} | +| **controller.securityContext** | The SecurityContext for Ingress Controller container. | {} | | **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | | **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |