Support Pod Security Standard = "restricted" in the helm chart #9212
Comments
@ecerulm: This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the

The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Ideally the containers' securityContext should try and strive towards the highest default security that they can sustain, independent of PSS. I am not sure what the end result would be for each container, but a decent target could be something like:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
```

(Obviously the end result for each container will be different depending on their circumstances; for example the controller needs the

Overall, this would improve the default security out of the box for end-users. If the containers currently support it, there isn't much downside to improving the default security. It also helps clarify to the end-user that these values are officially supported and will not cause any problem with the containers (e.g.:
If it helps, we have been running with the following config for quite a while to enforce a subset of Kubernetes Pod Security Standards (PSS) via Kyverno PSS Policies.
I tested recently on version 4.11.2 of the helm chart and did not get the error, so I'm closing the issue.
Currently, if you try to deploy the ingress-nginx helm chart into a namespace with "pod-security.kubernetes.io/enforce: restricted", it will fail with
Although the helm chart values allow modifying/controlling several securityContexts (.controller.podSecurityContext, .controller.admissionWebhooks.patch.securityContext, defaultBackend.podSecurityContext, default.containerSecurityContext), it does not provide a way to control the securityContext in charts/ingress-nginx/templates/admission-webhooks. I don't know if this would be the only thing missing.
It would be good to ensure that this could run under PodSecurity/PodSecurityStandard "restricted", but if it's not possible, maybe it would be good to mention in the documentation README.md that it needs at least "baseline".
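To make concrete what the "restricted" profile actually demands of the securityContext fields discussed in this thread (the proposed container securityContext above and the enforce-label failure described in the issue body), here is an added example checker. It is not code from ingress-nginx, from the chart, or from any commenter; real enforcement is done by the PodSecurity admission controller (or a policy engine such as Kyverno), and this script only re-implements the securityContext-related and host-namespace rules, not the volume-type rules. The pod specs, container names and image names in it are constructed placeholders.

```python
"""Added example (not ingress-nginx or issue code): a minimal checker for the
securityContext-related rules of the Kubernetes Pod Security Standard
"restricted" profile, run over constructed pod specs."""

# The only seccomp profile types and added capabilities that "restricted" permits.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def check_restricted(pod_spec):
    """Return a list of violation strings; an empty list means the spec passes.

    Covers the securityContext controls of "restricted" plus the baseline
    privileged / host-namespace checks. Volume-type rules are omitted.
    Container-level settings override pod-level ones, as the kubelet applies them.
    """
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    all_containers = (
        pod_spec.get("containers", [])
        + pod_spec.get("initContainers", [])
        + pod_spec.get("ephemeralContainers", [])
    )

    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            violations.append(f"pod: {field} must not be true")

    for c in all_containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            violations.append(f"{name}: privileged must not be true")

        # Must be explicitly false on every container; leaving it unset fails.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")

        # Must drop ALL; may add back only NET_BIND_SERVICE.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add contains {sorted(extra)}")

        # runAsNonRoot: true at pod level or on this container; a container may not set false.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true (pod or container level)")

        # runAsUser may be unset, but must not be 0 where it is set.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser must not be 0")

        # seccompProfile.type must be RuntimeDefault or Localhost at pod or container level.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return violations


# Constructed sample: the securityContext proposed in the thread, on a container
# that also adds NET_BIND_SERVICE (the one capability "restricted" allows adding).
COMPLIANT_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "controller",
        "image": "example/controller:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "runAsUser": 1000,
        },
    }],
}

# Constructed sample of a spec that "restricted" would reject.
NONCOMPLIANT_POD = {
    "containers": [{
        "name": "patch",
        "image": "example/patch:placeholder",
        "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)):
        print(label, check_restricted(spec) or "OK")
```

Running it reports no violations for the first spec and six for the second, one per missing or disallowed field, which mirrors the kind of per-field message the admission controller returns when a chart template hard-codes a securityContext that values cannot override.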