From 1d54d8b56582007dc010d2cf9f89be5e14d85462 Mon Sep 17 00:00:00 2001
From: Tobias Wolf
Date: Fri, 12 Jun 2020 09:45:55 +0200
Subject: [PATCH] Add sysctl exemptions to controller PSP

I would like to be able to support this construction in my DaemonSet, I have coontrol over the host and this is the easiest way yo bump the socket properties.

```yaml
securityContext:
sysctls:
- name: net.core.somaxconn
value: "8192"
```
---
 charts/ingress-nginx/Chart.yaml | 2 +-
 charts/ingress-nginx/README.md | 1 +
 .../templates/controller-daemonset.yaml | 14 ++++++++++++--
 .../templates/controller-deployment.yaml | 12 +++++++++++-
 charts/ingress-nginx/templates/controller-psp.yaml | 6 ++++++
 charts/ingress-nginx/values.yaml | 9 +++++++--
 6 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 79e5ad5f43..7a87cf31a4 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: ingress-nginx
-version: 2.5.0
+version: 2.6.0
 appVersion: 0.33.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 40b592f5a8..978b28cf57 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -90,6 +90,7 @@ Parameter | Description | Default
 `controller.podAnnotations` | annotations to be added to pods | `{}`
 `controller.podLabels` | labels to add to the pod container metadata | `{}`
 `controller.podSecurityContext` | Security context policies to add to the controller pod | `{}`
+`controller.sysctls` | Map of optional sysctls to enable in the controller and in the PodSecurityPolicy | `{}`
 `controller.replicaCount` | desired number of controller pods | `1`
 `controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1`
 `controller.resources` | controller pod resource requests & limits | `{}`
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index cccd56eb74..94195946b4 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -42,8 +42,18 @@ spec:
 {{- if .Values.controller.priorityClassName }}
 priorityClassName: {{ .Values.controller.priorityClassName }}
 {{- end }}
- {{- if .Values.controller.podSecurityContext }}
- securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
+ securityContext:
+ {{- end }}
+ {{- if .Values.controller.podSecurityContext }}
+ {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.sysctls }}
+ sysctls:
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - name: {{ $sysctl }}
+ value: {{ $value }}
+ {{- end }}
 {{- end }}
 containers:
 - name: controller
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index e6b6121795..271ef660f7 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
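Review bot: `value: {{ $value }}` in the new `sysctls` range of the DaemonSet template writes the value as a bare scalar, so the documented `"net.core.somaxconn": "8192"` renders as `value: 8192`, which YAML types as an integer while `Sysctl.value` is a string field, and the pod template is then rejected by the API server. Quoting fixes it: `value: {{ $value | quote }}`. A second overlap is that `podSecurityContext` may itself carry a `sysctls` list, and with `controller.sysctls` also set the rendered `securityContext` ends up with two `sysctls:` keys, which a YAML loader either rejects or silently resolves last-wins; either merge the two sources or document them as mutually exclusive. Indentation is not preserved in this listing, so I cannot confirm that `sysctls:` lands at the same level as the `toYaml` output; the surrounding pod template continues outside the hunk.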
@@ -46,8 +46,18 @@ spec:
 {{- if .Values.controller.priorityClassName }}
 priorityClassName: {{ .Values.controller.priorityClassName }}
 {{- end }}
+ {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
+ securityContext:
+ {{- end }}
 {{- if .Values.controller.podSecurityContext }}
- securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.sysctls }}
+ sysctls:
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - name: {{ $sysctl }}
+ value: {{ $value }}
+ {{- end }}
 {{- end }}
 containers:
 - name: controller
diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml
index 8388d7ec92..bcf588c3c4 100644
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@@ -9,6 +9,12 @@ metadata:
 spec:
 allowedCapabilities:
 - NET_BIND_SERVICE
+{{- if .Values.controller.sysctls }}
+ allowedUnsafeSysctls:
+ {{- range $sysctl, $value := .Values.controller.sysctls }}
+ - {{ $sysctl }}
+ {{- end }}
+{{- end }}
 privileged: false
 allowPrivilegeEscalation: true
 # Allow core volume types.
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index c75d1e92bb..fdf0bdd7ad 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
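Review bot: The Deployment copy of the `sysctls` range has the same unquoted `value: {{ $value }}`, so a numeric string from values.yaml is re-emitted as an integer and fails validation of the string `value` field; change it to `value: {{ $value | quote }}` here as well. The whole `securityContext` block is now duplicated verbatim between the Deployment and DaemonSet templates, so any later fix has to be applied twice; if the chart has a `_helpers.tpl`, a named template for the controller pod securityContext, included from both, would keep them from drifting. The pod template continues outside the hunk.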
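Review bot: `allowedUnsafeSysctls` now lists every key of `controller.sysctls` verbatim, but the PSP is only one of two gates: an unsafe sysctl such as the motivating `net.core.somaxconn` must also be enabled on every node through the kubelet's `--allowed-unsafe-sysctls` flag, otherwise the controller pod is rejected at launch (SysctlForbidden) even though the PSP admits it, and nothing in the chart says so. Keys in the kubelet's safe set need no PSP entry at all, so listing them here is harmless but misleading. I would add above the `{{- if .Values.controller.sysctls }}` line: `# Every controller.sysctls key is allowed here; unsafe ones also need the kubelet's --allowed-unsafe-sysctls on each node.` The PSP `spec` and whatever guard encloses this resource begin outside the hunk.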
@@ -67,11 +67,16 @@ controller: # key: value ## Security Context policies for controller pods - ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - ## notes on enabling and using sysctls ## podSecurityContext: {} + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + ## Allows customization of the source of the IP address or FQDN to report ## in the ingress status field. By default, it reads the information provided ## by the service. If disable, the status field reports the IP address of the
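Review bot: The comment above the new `sysctls: {}` entry only links to the generic sysctl documentation and does not state what the chart does with the map, which is the part an operator needs before enabling it. I would replace the `##`/`###` lines with: `## Map of sysctl name -> value (quote numeric values, e.g. "8192"). Each key is also added to` / `## the PodSecurityPolicy's allowedUnsafeSysctls; unsafe sysctls must additionally be allowed on` / `## every node via the kubelet's --allowed-unsafe-sysctls flag, or the controller pod is rejected.` The stray `###` line should become `##` to match the surrounding comment style. The `controller:` mapping continues outside the hunk.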