
Commit 4dc71d3

BUG/MINOR: kubernetes-ingress: Add pod securityContext and set allowPrivilegeEscalation
Set allowPrivilegeEscalation in PSP and container securityContext to permit adding NET_BIND_SERVICE capability. Add pod securityContext for an unprivileged controller.

Signed-off-by: Dinko Korunic <[email protected]>
1 parent 29fac9f commit 4dc71d3

File tree

5 files changed

+17
-5
lines changed


haproxy/templates/podsecuritypolicy.yaml

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ metadata:
4141
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
4242
{{- end }}
4343
spec:
44-
allowPrivilegeEscalation: false
44+
allowPrivilegeEscalation: true
4545
allowedCapabilities:
4646
- NET_BIND_SERVICE
4747
defaultAllowPrivilegeEscalation: false
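Review bot: the reason for flipping `allowPrivilegeEscalation` to `true` is not visible in the template; add a comment above the line stating that it exists so the non-root controller can actually receive `NET_BIND_SERVICE` (the `false` setting turns on `no_new_privs`, which stops file capabilities from taking effect, so the capability listed under `allowedCapabilities` would never reach the process). Note that `defaultAllowPrivilegeEscalation: false` two lines below is unchanged, so pods that omit the field still get no escalation and only pods that explicitly request `true` in their own securityContext are affected; that opt-in shape is the safer one and is worth spelling out in the commit message.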

haproxy/values.yaml

Lines changed: 1 addition & 1 deletion
@@ -366,7 +366,7 @@ securityContext: {}
366366
# runAsNonRoot: true
367367
# runAsUser: 1000
368368
# runAsGroup: 1000
369-
# allowPrivilegeEscalation: false
369+
# allowPrivilegeEscalation: true
370370
# capabilities:
371371
# drop:
372372
# - ALL
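Review bot: this is a commented example under `securityContext: {}`, so nothing changes at runtime, but the documented recommendation now reads `# allowPrivilegeEscalation: true` with no explanation, and the visible `capabilities:` block only shows `drop: - ALL`; a user who uncomments this block as-is gets escalation allowed without the capability it was meant to enable. Add a comment line such as `# required for NET_BIND_SERVICE when running as non-root` and, if the example's `add:` entry for `NET_BIND_SERVICE` is not already below this context, add it next to `drop:`.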

kubernetes-ingress/templates/controller-daemonset.yaml

Lines changed: 7 additions & 1 deletion
@@ -78,6 +78,12 @@ spec:
7878
{{- end }}
7979
{{- if .Values.controller.runtimeClassName }}
8080
runtimeClassName: {{ .Values.controller.runtimeClassName }}
81+
{{- end }}
82+
{{- if .Values.controller.unprivileged }}
83+
securityContext:
84+
runAsNonRoot: true
85+
runAsUser: 1000
86+
runAsGroup: 1000
8187
{{- end }}
8288
containers:
8389
- name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
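Review bot: `runAsUser: 1000` and `runAsGroup: 1000` are hard-coded here and again in the container securityContext of the same file (next hunk), so anyone who changes the UID in one place ends up with a silent mismatch between pod and container level; source both from a single values key (for example a hypothetical `.Values.controller.podSecurityContext`) rather than repeating the literals. The pod-level block is gated on `.Values.controller.unprivileged` and carries only the three user/group keys; if the intent is to cover init containers as well (the main thing a pod-level securityContext adds over the container-level one), say so in a template comment. The splice itself is correct: the added `{{- end }}` closes the `runtimeClassName` block and the pre-existing `{{- end }}` on the following context line now closes the new `unprivileged` block.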
@@ -114,7 +120,7 @@ spec:
114120
runAsNonRoot: true
115121
runAsUser: 1000
116122
runAsGroup: 1000
117-
allowPrivilegeEscalation: false
123+
allowPrivilegeEscalation: true
118124
capabilities:
119125
drop:
120126
- ALL
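Review bot: `allowPrivilegeEscalation: true` re-enables setuid/setgid binaries and file capabilities for the whole container, not only `NET_BIND_SERVICE`, so the change is only as narrow as the image makes it; add a template comment stating that it is needed because the controller runs as UID 1000 and relies on a file capability to bind ports below 1024. The visible `capabilities:` context shows only `drop: - ALL`; confirm that an `add: [NET_BIND_SERVICE]` entry follows it, since without it the flag buys nothing. This container setting is also only admitted if the PSP change in this commit is applied with it; the two should ship together.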

kubernetes-ingress/templates/controller-deployment.yaml

Lines changed: 7 additions & 1 deletion
@@ -79,6 +79,12 @@ spec:
7979
{{- end }}
8080
{{- if .Values.controller.runtimeClassName }}
8181
runtimeClassName: {{ .Values.controller.runtimeClassName }}
82+
{{- end }}
83+
{{- if .Values.controller.unprivileged }}
84+
securityContext:
85+
runAsNonRoot: true
86+
runAsUser: 1000
87+
runAsGroup: 1000
8288
{{- end }}
8389
containers:
8490
- name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
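Review bot: this block is byte-for-byte the same as the one added to controller-daemonset.yaml; move the pod securityContext into a named template (a `define` in the chart's helpers file, whose name is not visible here) and include it from both workloads so the UID/GID and the `unprivileged` gating cannot drift between Deployment and DaemonSet.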
@@ -115,7 +121,7 @@ spec:
115121
runAsNonRoot: true
116122
runAsUser: 1000
117123
runAsGroup: 1000
118-
allowPrivilegeEscalation: false
124+
allowPrivilegeEscalation: true
119125
capabilities:
120126
drop:
121127
- ALL
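Review bot: same concern as in the DaemonSet: `allowPrivilegeEscalation: true` lands without a comment explaining why, and the `add:` entry for `NET_BIND_SERVICE` that justifies it is outside the visible context below `drop: - ALL`. Keeping the container securityContext in a shared partial with the DaemonSet would make the flag and the capability list a single point of change.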

kubernetes-ingress/templates/controller-podsecuritypolicy.yaml

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ metadata:
4343
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
4444
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
4545
spec:
46-
allowPrivilegeEscalation: false
46+
allowPrivilegeEscalation: true
4747
allowedCapabilities:
4848
- NET_BIND_SERVICE
4949
defaultAllowPrivilegeEscalation: false
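Review bot: as with haproxy/templates/podsecuritypolicy.yaml, keeping `defaultAllowPrivilegeEscalation: false` makes escalation opt-in per pod, which is the right shape; the two PSP files are changed identically and should be kept in step. Worth recording in the commit message: PodSecurityPolicy is deprecated from Kubernetes 1.21 and removed in 1.25, and under Pod Security Admission the equivalent statement is that this controller fits the `baseline` profile but not `restricted`, which requires `allowPrivilegeEscalation: false`.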
