Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Pod Security Standard = "restricted" in the helm chart #9212

Closed
ecerulm opened this issue Oct 25, 2022 · 5 comments
Closed

Support Pod Security Standard = "restricted" in the helm chart #9212

ecerulm opened this issue Oct 25, 2022 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@ecerulm
Copy link

ecerulm commented Oct 25, 2022

Currently if you try to deploy the ingress-nginx helm chart into a namespace with "pod-security.kubernetes.io/enforce: restricted" it will fail with

Error creating: pods "nginx-controller-ingress-nginx-admission-create-nb4r4" is forbidden: violates PodSecurity "restricted:v1.23": unrestricted capabilities (container "create" must set securityContext.capabilities.drop=["ALL"])

Although the helm chart values allow to modify/control several securityContexts (.controller.podSecurityContext, .controller.admissionWebhooks.patch.securityContext, defaultBackend.podSecurityContext, default.containerSecurityContext) it does not provide a way to control that the securityContext in charts/ingress-nginx/templates/admission-webhooks. I don't know if this would be only thing missing.

I would be good to ensure that this could run under PodSecurity/PodSecurityStandard "restricted" , but if it's not possible maybe it would be good to mention in the documentation README.md saying that it needs at least "baseline".
@ecerulm ecerulm added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 25, 2022
@k8s-ci-robot
Copy link
Contributor

@ecerulm: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Oct 25, 2022
@longwuyuan
Copy link
Contributor

#9056
#9056

@ecerulm ecerulm mentioned this issue Oct 25, 2022
Closed
5 tasks
@jemag
Copy link

jemag commented Apr 13, 2023

Ideally the containers securityContext should try and strive towards the highest default security that they can sustain, independent of PSS. I am not sure what the end result would be for each container, but a decent target could be something like:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault

(Obviously the end-result for each container will be different depending on their circumstances, for example the controller needs the NET_BIND_SERVICE cap and to run as user 101 I believe)

Overall, this would improve the default security out of the box for end-users. If the containers currently support it, there isn't much downside to improving the default security.

It also helps clarifying to the end-user that these values are officially supported and will not cause any problem with the containers (e.g.: readOnlyRootFilesystem: true could for example cause problems for containers expecting to write to specific directories). By having them already specified, the end-user does not need to do extensive testing to ensure it does not cause any issue.

@jemag jemag mentioned this issue Apr 14, 2023
Closed
@pkoraca
Copy link

pkoraca commented Apr 25, 2023

If it helps, we are running with the following config for quite a while to enforce a subset of Kubernetes Pod Security Standards (PSS) via Kyverno PSS Policies.

      values: |
        ingress-nginx:
          controller:
            admissionWebhooks:
              createSecretJob:
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  readOnlyRootFilesystem: true
                  runAsUser: 2000
                  runAsGroup: 2000
                  runAsNonRoot: true                
              patchWebhookJob:
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  readOnlyRootFilesystem: true
                  runAsUser: 2000
                  runAsGroup: 2000
                  runAsNonRoot: true                    
            containerSecurityContext:
              capabilities:
                drop:
                  - ALL
                add:
                  - NET_BIND_SERVICE
              runAsUser: 101
              runAsGroup: 101
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: false
              runAsNonRoot: true

@jkroepke jkroepke mentioned this issue May 27, 2023
Closed
@ecerulm
Copy link
Author

ecerulm commented Aug 17, 2024

I tested recently on version 4.11.2 of the helm chart and I did not get the error Error creating: pods "nginx-controller-ingress-nginx-admission-create-nb4r4" is forbidden: violates PodSecurity "restricted:v1.23": unrestricted capabilities (container "create" must set securityContext.capabilities.drop=["ALL"]) while deploying to a namespace with:

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.30

so I'm closing the issue

@ecerulm ecerulm closed this as completed Aug 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ecerulm @pkoraca @longwuyuan @jemag @k8s-ci-robot