Kong / charts

Helm chart for Kong
Apache License 2.0

feat(sec) add securitycontext restrictions #909

Closed rainest closed 1 year ago

rainest commented 1 year ago

What this PR does / why we need it:

Updates the container security context defaults with various settings.

Didn't stick the whole thing in the readme since it'd look a bit silly.

Which issue this PR fixes

Part of https://github.com/Kong/kubernetes-ingress-controller/issues/4102

Special notes for your reviewer:

These settings apply the restricted pod security standard. Namespaces with restricted standards enforced will accept chart Pods with these settings in place.

The containerSecurityContext from values.yaml applies to all chart-managed containers equally. We do not support different security contexts for KIC and Kong containers.

The runAsUser setting is set to align with the current proxy image user ID, though I am basing this off partial knowledge of the build process and waiting on gateway team confirmation. The controller currently uses a different UID, but I intend to change that in https://github.com/Kong/kubernetes-ingress-controller/pull/4911.

Basic testing suggested a mismatch between the controller image and runAsUser ID doesn't actually matter, which makes sense--our executable is world-executable and doesn't need to do anything on the filesystem. The Kong image has many more relevant files, though anything it writes all goes in emptydirs.

AFAIK there is no reason we should need any of the restricted capabilities under normal circumstances. As the context settings are part of values.yaml, they can be adjusted if you need to.

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
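
Added example, not part of the PR or the chart's own code: a small checker that tests one container securityContext against the container-level rules of the Kubernetes restricted Pod Security Standard, showing how a values.yaml override that adds a capability back stops the Pod from being accepted. The sample contexts and the UID are constructed; pod-level fallbacks for runAsNonRoot and seccompProfile, and pod-spec rules such as volume types, are assumed out of scope, so the check is stricter than admission on those two fields.

```python
# Added example: checks one container securityContext (as a dict) against the
# container-level rules of the Kubernetes "restricted" Pod Security Standard.
# Pod-level fallbacks and pod-spec rules (volumes, host namespaces) are not modelled.

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(ctx):
    """Return a list of reasons this securityContext fails the restricted profile."""
    ctx = ctx or {}
    problems = []
    if ctx.get("privileged") is True:
        problems.append("privileged must not be true")
    if ctx.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    caps = ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
    if extra:
        problems.append("capabilities.add not allowed: " + ", ".join(sorted(extra)))
    if ctx.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if ctx.get("runAsUser") == 0:
        problems.append("runAsUser must not be 0")
    seccomp = (ctx.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample values; the UID is a placeholder, not the chart's actual default.
HARDENED = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "runAsUser": 10001,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}
# The same context after a values.yaml override that adds a capability back.
OVERRIDDEN = dict(HARDENED, capabilities={"drop": ["ALL"], "add": ["NET_ADMIN"]})

if __name__ == "__main__":
    for name, ctx in (("hardened", HARDENED), ("overridden", OVERRIDDEN), ("empty", {})):
        print(name, restricted_violations(ctx) or "OK")
```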

pmalek commented 1 year ago

@rainest Did you intend to wait with this for something specific? The HOLD/DO NOT MERGE was still on.

Additionally I believe this deserves a CHANGELOG entry.