update the reverse-proxy yaml to support privilege and access control settings for a Container (neo4j#1459)

renetapopova · web-flow · commit be38e7ffef03 · 2024-03-06T17:33:53.000Z
diff --git a/modules/ROOT/pages/kubernetes/accessing-neo4j-ingress.adoc b/modules/ROOT/pages/kubernetes/accessing-neo4j-ingress.adoc
@@ -16,6 +16,9 @@ image::reverse-proxy.svg[title="Reverse proxy flow diagram"]
 The Reverse proxy Helm chart creates an HTTP server, which routes requests to either the Bolt reverse proxy or HTTP reverse proxy based on the request headers.
 Upon receiving a response, the Bolt reverse proxy updates the response to replace the Bolt port with either `:80` or `:443`.
 
+From version 5.17.0, the Reverse proxy Helm chart supports defining privilege and access control settings for a Container.
+Make sure that you do not run Neo4j as a root user.
+
 == Configuration options
 
 To see all configurable options, run the following command:
@@ -36,8 +39,7 @@ fullnameOverride: ""
 
 # Parameters for reverse proxy
 reverseProxy:
-  image: "neo4j/helm-charts-reverse-proxy:5.12.0"
-
+  image: "neo4j/helm-charts-reverse-proxy:5.17.0"
   # Name of the kubernetes service. This service should have the ports 7474 and 7687 open.
   # This could be the admin service ex: "standalone-admin" or the loadbalancer service ex: "standalone" created via the neo4j helm chart
   # serviceName , namespace , domain together will form the complete k8s service url. Ex: standalone-admin.default.svc.cluster.local
@@ -47,6 +49,24 @@ reverseProxy:
   # default is set to cluster.local
   domain: "cluster.local"
 
+  # securityContext defines privilege and access control settings for a Container. Making sure that we dont run Neo4j as root user.
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 7474
+    runAsGroup: 7474
+    capabilities:
+      drop:
+        - all
+
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 7474
+    runAsGroup: 7474
+    fsGroup: 7474
+    fsGroupChangePolicy: "Always"
+
+
   # This assumes ingress-nginx controller or haproxy-ingress-controller is already installed in your kubernetes cluster.
   # You can install ingress-nginx by following instructions on this link https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/index.md#quick-start
   # You can install haproxy-ingress by following instructions on this link https://haproxy-ingress.github.io/docs/getting-started/
@@ -57,6 +77,7 @@ reverseProxy:
     annotations: {}
 #      "demo": "value"
 #      "demo2": "value2"
+    host: ""
     tls:
       enabled: false
       config: []
