nginx · vepatel · Feb 19, 2024 · Feb 13, 2024 · Feb 13, 2024 · Feb 13, 2024
@@ -379,8 +379,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] |
 |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] |
 |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
+|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
+|`controller.containerSecurityContext`| The SecurityContext for Ingress Controller container. | {} |
+|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} |
 |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
-|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
+|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi |
 |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
 |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
 |`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |

@@ -40,8 +40,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
 {{- if .Values.controller.nodeSelector }}
       nodeSelector:
@@ -117,6 +116,10 @@ spec:
           periodSeconds: 1
           initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
 {{- end }}
+{{- if .Values.controller.containerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.containerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -127,6 +130,7 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
+{{- end }}
 {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
@@ -180,6 +184,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -188,6 +196,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc

@@ -78,8 +78,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
@@ -126,6 +125,10 @@ spec:
 {{- end }}
         resources:
 {{ toYaml .Values.controller.resources | indent 10 }}
+{{- if .Values.controller.containerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.containerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -136,6 +139,7 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
+{{- end }}
 {{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
@@ -187,6 +191,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -195,6 +203,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc

@@ -477,6 +477,24 @@
           "title": "The terminationGracePeriodSeconds Schema",
           "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
         },
+        "podSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The podSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
+        },
+        "containerSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The containerSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
+        "initContainerSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The initContainerSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
         "resources": {
           "type": "object",
           "default": {},
@@ -1424,6 +1442,13 @@
           },
           "nodeSelector": {},
           "terminationGracePeriodSeconds": 30,
+          "podSecurityContext": {
+            "seccompProfile": {
+              "type": "RuntimeDefault"
+            }
+          },
+          "containerSecurityContext": {},
+          "initContainerSecurityContext": {},
           "resources": {
             "requests": {
               "cpu": "100m",

@@ -167,6 +167,26 @@ controller:
   #   cpu: 1
   #   memory: 1Gi
 
+  ## The security context for the Ingress Controller pods.
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  ## The security context for the Ingress Controller containers.
+  containerSecurityContext: {} # Remove curly brackets before adding values
+    # allowPrivilegeEscalation: true
+    # readOnlyRootFilesystem: true # make sure this value is same as values.controller.readOnlyRootFilesystem
+    # runAsUser: 101 #nginx
+    # runAsNonRoot: true
+    # capabilities:
+    #   drop:
+    #   - ALL
+    #   add:
+    #   - NET_BIND_SERVICE
+
+  ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
+  initContainerSecurityContext: {}
+
   ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
   initContainerResources:
     requests:
@@ -460,7 +480,7 @@ controller:
   defaultHTTPSListenerPort: 443
 
   ## Configure root filesystem as read-only and add volumes for temporary data.
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: false # after 3 major releases starting 3.5.x, this argument will be moved to the `containerSecurityContext` section.
 
   ## Enable dynamic reloading of certificates
   enableSSLDynamicReload: true

@@ -342,8 +342,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.volumeMounts** | The volumeMounts of the Ingress Controller pods. | [] |
 | **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] |
 | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
+| **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
+| **controller.containerSecurityContext** | The SecurityContext for Ingress Controller container. | {} |
+| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `controller.readOnlyRootFilesystem` is set to `true`. | {} |
 | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
-| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
+| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true`. | requests: cpu=100m,memory=128Mi |
 | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 |
 | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
 | **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |