H0llyW00dzZ/k8s-ingress-nginx
H0llyW00dzZ/k8s-ingress-nginx
1
0
Fork 0
mirror of https://github.com/kubernetes/ingress-nginx.git synced 2025-02-06 09:44:13 +00:00
Code Releases Activity

Chart: Remove Pod Security Policy. (#11971)

Browse Source
This commit is contained in:
Marco Ebert 2024-09-15 17:03:24 +02:00 committed by GitHub
parent 61f56cb490
commit 027603927b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 1 additions and 438 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/ingress-nginx/README.md
View File

@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
@ -307,7 +306,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.enableAnnotationValidations | bool | `true` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set |
@ -497,7 +495,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
| defaultBackend.extraConfigMaps | list | `[]` | |
| defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@ -550,7 +547,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | |

13
charts/ingress-nginx/ci/deamonset-psp-values.yaml
View File

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: false
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

13
charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
View File

@ -1,13 +0,0 @@
controller:
kind: DaemonSet
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

10
charts/ingress-nginx/ci/deployment-psp-values.yaml
View File

@ -1,10 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

12
charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
View File

@ -1,12 +0,0 @@
controller:
image:
repository: ingress-controller/controller
tag: 1.0.0-dev
digest: null
admissionWebhooks:
enabled: true
service:
type: ClusterIP
podSecurityPolicy:
enabled: true

11
charts/ingress-nginx/templates/_helpers.tpl
View File

@ -235,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Extra modules.
*/}}

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View File

@ -20,14 +20,4 @@ rules:
verbs:
- get
- update
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.admissionWebhooks.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

52
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View File

@ -1,52 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

100
charts/ingress-nginx/templates/controller-psp.yaml
View File

@ -1,100 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# controller.containerPort.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux:
rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

10
charts/ingress-nginx/templates/controller-role.yaml
View File

@ -91,14 +91,4 @@ rules:
- list
- watch
- get
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.controller.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

50
charts/ingress-nginx/templates/default-backend-psp.yaml
View File

@ -1,50 +0,0 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-backend
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

22
charts/ingress-nginx/templates/default-backend-role.yaml
View File

@ -1,22 +0,0 @@
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
{{- with .Values.defaultBackend.existingPsp }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
{{- end }}
{{- end }}

21
charts/ingress-nginx/templates/default-backend-rolebinding.yaml
View File

@ -1,21 +0,0 @@
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "ingress-nginx.fullname" . }}-backend
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

10
charts/ingress-nginx/values.yaml
View File

@ -41,8 +41,6 @@ controller:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
# -- Use an existing PSP instead of creating one
existingPsp: ""
# -- Configures the controller container name
containerName: controller
# -- Configures the ports that the nginx-controller listens on
@ -758,8 +756,6 @@ controller:
objectSelector: {}
# -- Labels to be added to admission webhooks
labels: {}
# -- Use an existing PSP instead of creating one
existingPsp: ""
service:
annotations: {}
# clusterIP: ""
@ -979,8 +975,6 @@ defaultBackend:
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one
existingPsp: ""
extraArgs: {}
serviceAccount:
create: true
@ -1166,10 +1160,6 @@ defaultBackend:
rbac:
create: true
scope: false
## If true, create & use Pod Security Policy resources
## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
serviceAccount:
create: true
name: ""

17
docs/examples/psp/README.md
View File

@ -1,17 +0,0 @@
# Pod Security Policy (PSP)
In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`)
have permissions to create pods.
Kubernetes however provides a more fine-grained authorization policy called
[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
PSP allows the cluster owner to define the permission of each object, for example creating a pod.
If you have PSP enabled on the cluster, and you deploy ingress-nginx,
you will need to provide the `Deployment` with the permissions to create pods.
Before applying any objects, first apply the PSP permissions by running:
```console
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
```
Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`.

75
docs/examples/psp/psp.yaml
View File

@ -1,75 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
allowedCapabilities:
- NET_BIND_SERVICE
privileged: false
allowPrivilegeEscalation: true
# Allow core volume types.
volumes:
- configMap
- secret
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
seLinux:
rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
rules:
- apiGroups: [policy]
resources: [podsecuritypolicies]
verbs: [use]
resourceNames: [ingress-nginx]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-psp
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-psp
subjects:
- kind: ServiceAccount
name: default
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx

2
docs/troubleshooting.md
View File

@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400
```
## Create a test pod as root
(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
To test further you may want to install additional utilities, etc. Modify the pod yaml by:
* changing runAsUser from 101 to 0
* removing the "drop..ALL" section from the capabilities.

6
magefiles/utils/helm.go
View File

@ -31,7 +31,6 @@ type IngressChartValue struct {
RunAsUser int `yaml:"runAsUser"`
AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"`
} `yaml:"image"`
ExistingPsp string `yaml:"existingPsp"`
ContainerName string `yaml:"containerName"`
ContainerPort struct {
HTTP int `yaml:"http"`
@ -226,7 +225,6 @@ type IngressChartValue struct {
NamespaceSelector struct{} `yaml:"namespaceSelector"`
ObjectSelector struct{} `yaml:"objectSelector"`
Labels struct{} `yaml:"labels"`
ExistingPsp string `yaml:"existingPsp"`
NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"`
Service struct {
Annotations struct{} `yaml:"annotations"`
@ -329,7 +327,6 @@ type IngressChartValue struct {
ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"`
AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"`
} `yaml:"image"`
ExistingPsp string `yaml:"existingPsp"`
ExtraArgs struct{} `yaml:"extraArgs"`
ServiceAccount struct {
Create bool `yaml:"create"`
@ -388,9 +385,6 @@ type IngressChartValue struct {
Create bool `yaml:"create"`
Scope bool `yaml:"scope"`
} `yaml:"rbac"`
PodSecurityPolicy struct {
Enabled bool `yaml:"enabled"`
} `yaml:"podSecurityPolicy"`
ServiceAccount struct {
Create bool `yaml:"create"`
Name string `yaml:"name"`

1
mkdocs.yml
View File

@ -124,7 +124,6 @@ nav:
- Rewrite: "examples/rewrite/README.md"
- Static IPs: "examples/static-ip/README.md"
- TLS termination: "examples/tls-termination/README.md"
- Pod Security Policy (PSP): "examples/psp/README.md"
- Open Policy Agent rules: "examples/openpolicyagent/README.md"
- Canary Deployments: "examples/canary/README.md"
- Developer Guide: