Use the "runtime default" seccomp profile (#3629)

sigv · blurpy · web-flow · commit f16d851ed548 · 2023-03-14T14:01:03.000-07:00
seccomp profiles allow sandboxing processes, in particular to restrict
allowed syscalls from applications to the kernel. Kubernetes default in
current release is Unconfined seccomp profile, which is essentially
privileged. It is preferred for security purposes to restrict this.

KEP-2413 proposes that RuntimeDefault will become the new default for
Kubernetes. With Kubernetes v1.25, this is in Beta, and available with
`SeccompDefault` feature gate and `--seccomp-default` CLI flag.

`nginx-ingress` should switch to this new default, in order to ensure
compatibility down the line, as well as enable enhanced security on
older Kubernetes versions.

Co-authored-by: Christian Ihle &lt;blurpy@users.noreply.github.com&gt;
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
@@ -20,6 +20,8 @@ spec:
       serviceAccountName: nginx-ingress
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml
@@ -20,6 +20,8 @@ spec:
       serviceAccountName: nginx-ingress
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml
@@ -21,6 +21,8 @@ spec:
       serviceAccountName: nginx-ingress
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml
@@ -21,6 +21,8 @@ spec:
       serviceAccountName: nginx-ingress
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -44,6 +44,8 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
@@ -77,6 +77,8 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
+        seccompProfile:
+          type: RuntimeDefault
         sysctls:
           - name: "net.ipv4.ip_unprivileged_port_start"
             value: "0"
