Posted to notifications@apisix.apache.org by zh...@apache.org on 2022/02/23 04:16:35 UTC

[apisix-helm-chart] branch master updated: feat: allow defining security context on ingress controller helm chart (#237)

This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new feae4de  feat: allow defining security context on ingress controller helm chart (#237)
feae4de is described below

commit feae4de865a9378041e6d5d3b95d539ff4bd51ec
Author: Diogo Fernandes <dg...@gmail.com>
AuthorDate: Wed Feb 23 04:16:30 2022 +0000

    feat: allow defining security context on ingress controller helm chart (#237)
---
 charts/apisix-ingress-controller/README.md         | 38 ++++++++++++++++++++++
 .../templates/deployment.yaml                      |  4 +++
 charts/apisix-ingress-controller/values.yaml       | 12 +++++++
 3 files changed, 54 insertions(+)

diff --git a/charts/apisix-ingress-controller/README.md b/charts/apisix-ingress-controller/README.md
index b379834..88ff583 100644
--- a/charts/apisix-ingress-controller/README.md
+++ b/charts/apisix-ingress-controller/README.md
@@ -57,3 +57,41 @@ See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_h
 ```console
 helm show values apisix/apisix-ingress-controller
 ```
+
+### Security context
+
+A security context provides us with a way to define privilege and access control for a Pod or even at the container level.
+
+Check [here](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) to see the SecurityContext resource with more detail.
+
+Check also [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to see a full explanation and some examples to configure the security context.
+
+Right below you have an example of the security context configuration. In this case, we define that all the processes in the container will run with user ID 1000. 
+```yaml
+...
+
+spec:
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 3000
+...
+```
+
+The same for the group definition, where we define the primary group of 3000 for all processes.
+
+**It's quite important to know, if the `runAsGroup` is omited, the primary group will be root(0)**, which in some cases goes against some security policies.
+
+
+To define this configuration at the **pod level**, you need to set:
+```
+    --set podSecurityContext.runAsUser=«VALUE»
+    --set podSecurityContext.runAsGroup=«VALUE»
+    ...
+```
+
+The same for container level, you need to set:
+```
+    --set securityContext.runAsUser=«VALUE»
+    --set SecurityContext.runAsGroup=«VALUE»
+    ...
+```
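Review bot: the container-level example at the end of this hunk reads `--set SecurityContext.runAsGroup=«VALUE»` with a capital S, while the values key this change introduces is `securityContext`; Helm `--set` keys are case-sensitive, so a user copying that line would populate an unused `SecurityContext` map and the container's primary group would stay at the default the paragraph above warns about (gid 0). Change it to `--set securityContext.runAsGroup=«VALUE»`. Minor: "omited" should be "omitted", and the two `--set` fences have no language tag whereas the existing fence in this file uses ```console.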
diff --git a/charts/apisix-ingress-controller/templates/deployment.yaml b/charts/apisix-ingress-controller/templates/deployment.yaml
index 93db4d3..b3567ba 100644
--- a/charts/apisix-ingress-controller/templates/deployment.yaml
+++ b/charts/apisix-ingress-controller/templates/deployment.yaml
@@ -39,6 +39,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "apisix-ingress-controller.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: configuration
           configMap:
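Review bot: `{{- toYaml .Values.podSecurityContext | nindent 8 }}` renders `securityContext: {}` on every install because the chart default is an empty map; that is valid YAML but emits a no-op field. The block just above this hunk already uses the `{{- with ... }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` guard, so wrapping the new lines in `{{- with .Values.podSecurityContext }}` would keep the template consistent and omit the field when nothing is set.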
@@ -50,6 +52,8 @@ spec:
         - name: wait-apisix-admin
           image: {{ .Values.initContainer.image }}:{{ .Values.initContainer.tag }}
           command: ['sh', '-c', "until nc -z {{ .Values.config.apisix.serviceName }}.{{ .Values.config.apisix.serviceNamespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.config.apisix.servicePort }} ; do echo waiting for apisix-admin; sleep 2; done;"]
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       containers:
         - name: {{ .Chart.Name }}
           command:
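Review bot: in the visible lines `.Values.securityContext` is applied only to the `wait-apisix-admin` init container; the main `{{ .Chart.Name }}` container that follows gets no `securityContext` in this hunk, so the README's container-level `--set securityContext.*` instructions would not constrain the controller process itself unless it is set further down the template. Please add the same two lines (`securityContext:` / `{{- toYaml .Values.securityContext | nindent 12 }}`) under the main container, or confirm it is already present outside this hunk.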
diff --git a/charts/apisix-ingress-controller/values.yaml b/charts/apisix-ingress-controller/values.yaml
index 84d8297..bb25fc0 100644
--- a/charts/apisix-ingress-controller/values.yaml
+++ b/charts/apisix-ingress-controller/values.yaml
@@ -152,3 +152,15 @@ serviceMonitor:
   labels: {}
   # @param serviceMonitor.annotations ServiceMonitor annotations
   annotations: {}
+
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
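Review bot: the new `podSecurityContext` and `securityContext` keys carry no `# @param` doc comments, unlike the neighbouring entries in this file (`# @param serviceMonitor.annotations ServiceMonitor annotations`); add `# @param podSecurityContext Pod-level security context` and `# @param securityContext Container-level security context` so the generated parameter documentation stays complete. The commented suggestions (`runAsNonRoot: true`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`) are a reasonable hardened baseline to point users at; `readOnlyRootFilesystem: true` should be checked against the init container's `nc` loop and the controller's write paths before being recommended as a default. Style: the hunk adds two consecutive blank lines before `podSecurityContext`; one is enough.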