mirror of
https://github.com/bitnami/charts.git
synced 2026-02-27 15:37:06 +08:00
[bitnami/nginx-ingress-controller] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22166)
* [bitnami/nginx-ingress-controller] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump chart version Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
committed by
GitHub
GitHub
parent
49a13fbabd
commit
f7b589aec2
@@ -34,4 +34,4 @@ maintainers:
|
||||
name: nginx-ingress-controller
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller
|
||||
version: 9.10.3
|
||||
version: 9.11.0
|
||||
|
||||
@@ -129,9 +129,13 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `updateStrategy` | Strategy to use to update Pods | `{}` |
|
||||
| `revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` |
|
||||
| `podSecurityContext.enabled` | Enable Controller pods' Security Context | `true` |
|
||||
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `podSecurityContext.fsGroup` | Group ID for the container filesystem | `1001` |
|
||||
| `containerSecurityContext.enabled` | Enable Controller containers' Security Context | `true` |
|
||||
| `containerSecurityContext.allowPrivilegeEscalation` | Switch to allow priviledge escalation on the Controller container | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `containerSecurityContext.runAsUser` | User ID for the Controller container | `1001` |
|
||||
| `containerSecurityContext.capabilities.drop` | Linux Kernel capabilities that should be dropped | `[]` |
|
||||
| `containerSecurityContext.capabilities.add` | Linux Kernel capabilities that should be added | `[]` |
|
||||
@@ -202,8 +206,12 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `defaultBackend.serverBlockConfig` | NGINX backend default server block configuration | `""` |
|
||||
| `defaultBackend.replicaCount` | Desired number of default backend pods | `1` |
|
||||
| `defaultBackend.podSecurityContext.enabled` | Enable Default backend pods' Security Context | `true` |
|
||||
| `defaultBackend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `defaultBackend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `defaultBackend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `defaultBackend.podSecurityContext.fsGroup` | Group ID for the container filesystem | `1001` |
|
||||
| `defaultBackend.containerSecurityContext.enabled` | Enable Default backend containers' Security Context | `true` |
|
||||
| `defaultBackend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `defaultBackend.containerSecurityContext.runAsUser` | User ID for the Default backend container | `1001` |
|
||||
| `defaultBackend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `defaultBackend.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
|
||||
@@ -238,15 +238,22 @@ revisionHistoryLimit: 10
|
||||
## Controller pods' Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param podSecurityContext.enabled Enable Controller pods' Security Context
|
||||
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
|
||||
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
|
||||
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
|
||||
## @param podSecurityContext.fsGroup Group ID for the container filesystem
|
||||
##
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroupChangePolicy: Always
|
||||
sysctls: []
|
||||
supplementalGroups: []
|
||||
fsGroup: 1001
|
||||
## Controller containers' Security Context (only main container)
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
## @param containerSecurityContext.enabled Enable Controller containers' Security Context
|
||||
## @param containerSecurityContext.allowPrivilegeEscalation Switch to allow priviledge escalation on the Controller container
|
||||
## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
|
||||
## @param containerSecurityContext.runAsUser User ID for the Controller container
|
||||
## @param containerSecurityContext.capabilities.drop [array] Linux Kernel capabilities that should be dropped
|
||||
## @param containerSecurityContext.capabilities.add [array] Linux Kernel capabilities that should be added
|
||||
@@ -256,6 +263,7 @@ podSecurityContext:
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
allowPrivilegeEscalation: true
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -533,20 +541,28 @@ defaultBackend:
|
||||
## Default backend pods' Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param defaultBackend.podSecurityContext.enabled Enable Default backend pods' Security Context
|
||||
## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
|
||||
## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
|
||||
## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups
|
||||
## @param defaultBackend.podSecurityContext.fsGroup Group ID for the container filesystem
|
||||
##
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroupChangePolicy: Always
|
||||
sysctls: []
|
||||
supplementalGroups: []
|
||||
fsGroup: 1001
|
||||
## Default backend containers' Security Context (only main container)
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
## @param defaultBackend.containerSecurityContext.enabled Enable Default backend containers' Security Context
|
||||
## @param defaultBackend.containerSecurityContext.seLinuxOptions Set SELinux options in container
|
||||
## @param defaultBackend.containerSecurityContext.runAsUser User ID for the Default backend container
|
||||
## @param defaultBackend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
|
||||
Reference in New Issue
Block a user