Update permissions

sjberman · sjberman · commit a54bbbc3c783 · 2025-01-10T08:39:53.000-07:00
diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml
@@ -139,6 +139,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -15,7 +15,7 @@ readOnlyRootFilesystem: true
 runAsUser:
   type: MustRunAsRange
   uidRangeMin: 101
-  uidRangeMax: 102
+  uidRangeMax: 101
 fsGroup:
   type: MustRunAs
   ranges:
@@ -30,16 +30,8 @@ seLinuxContext:
   type: MustRunAs
 seccompProfiles:
 - runtime/default
-volumes:
-- emptyDir
-- secret
-- configMap
-- projected
 users:
 - {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.serviceAccountName" .) }}
-allowedCapabilities:
-- NET_BIND_SERVICE
-- KILL
 requiredDropCapabilities:
 - ALL
 {{- end }}
diff --git a/config/tests/static-deployment.yaml b/config/tests/static-deployment.yaml
@@ -69,6 +69,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml
@@ -292,6 +292,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
@@ -289,6 +289,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
@@ -289,6 +289,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
@@ -304,6 +304,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
@@ -295,6 +295,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
@@ -298,6 +298,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
@@ -289,6 +289,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
@@ -297,6 +297,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
@@ -458,9 +459,6 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
-allowedCapabilities:
-- NET_BIND_SERVICE
-- KILL
 apiVersion: security.openshift.io/v1
 fsGroup:
   ranges:
@@ -475,7 +473,7 @@ requiredDropCapabilities:
 - ALL
 runAsUser:
   type: MustRunAsRange
-  uidRangeMax: 102
+  uidRangeMax: 101
   uidRangeMin: 101
 seLinuxContext:
   type: MustRunAs
@@ -488,8 +486,3 @@ supplementalGroups:
   type: MustRunAs
 users:
 - system:serviceaccount:nginx-gateway:nginx-gateway
-volumes:
-- emptyDir
-- secret
-- configMap
-- projected
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -301,6 +301,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
@@ -292,6 +292,7 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 1
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
