From dee411affd3a9ddc4a3a7522d0e7694a5da17ec7 Mon Sep 17 00:00:00 2001 From: Valters Jansons Date: Sat, 11 Mar 2023 23:16:39 +0200 Subject: [PATCH] Use the "runtime default" seccomp profile seccomp profiles allow sandboxing processes, in particular to restrict allowed syscalls from applications to the kernel. Kubernetes default in current release is Unconfined seccomp profile, which is essentially privileged. It is preferred for security purposes to restrict this. KEP-2413 proposes that RuntimeDefault will become the new default for Kubernetes. With Kubernetes v1.25, this is in Beta, and available with `SeccompDefault` feature gate and `--seccomp-default` CLI flag. `nginx-ingress` should switch to this new default, in order to ensure compatibility down the line, as well as enable enhanced security on older Kubernetes versions. Co-authored-by: Christian Ihle
---
 deployments/daemon-set/nginx-ingress.yaml | 2 ++ deployments/daemon-set/nginx-plus-ingress.yaml | 2 ++ deployments/deployment/nginx-ingress.yaml | 2 ++ deployments/deployment/nginx-plus-ingress.yaml | 2 ++ deployments/helm-chart/templates/controller-daemonset.yaml | 2 ++ deployments/helm-chart/templates/controller-deployment.yaml | 2 ++ 6 files changed, 12 insertions(+)
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
index 58f988ac5d..31be3de079 100644
--- a/deployments/daemon-set/nginx-ingress.yaml
+++ b/deployments/daemon-set/nginx-ingress.yaml
@@ -20,6 +20,8 @@ spec:
 serviceAccountName: nginx-ingress
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml
index 3d2ee496d1..9b7f94ec02 100644
--- a/deployments/daemon-set/nginx-plus-ingress.yaml
+++ b/deployments/daemon-set/nginx-plus-ingress.yaml
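Review bot: The new pod-level `seccompProfile` under `securityContext:` is only a default — a `seccompProfile` set in a container's own `securityContext` takes precedence, and the container spec of this DaemonSet lies outside the hunk, so it is worth confirming nothing there sets `type: Unconfined` and that a container added later does not silently undo this. A short comment above the added lines would make the intent survive future edits: `# Restrict syscalls to the container runtime's default seccomp profile; a container-level seccompProfile would override this.` The enclosing pod template `spec` starts before the hunk.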
@@ -20,6 +20,8 @@ spec:
 serviceAccountName: nginx-ingress
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml
index 95faf6a256..1d1aeefaec 100644
--- a/deployments/deployment/nginx-ingress.yaml
+++ b/deployments/deployment/nginx-ingress.yaml
@@ -21,6 +21,8 @@ spec:
 serviceAccountName: nginx-ingress
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml
index 3151d1ff8e..08f5bb6977 100644
--- a/deployments/deployment/nginx-plus-ingress.yaml
+++ b/deployments/deployment/nginx-plus-ingress.yaml
@@ -21,6 +21,8 @@ spec:
 serviceAccountName: nginx-ingress
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
index 64663d28ae..9cb7a0a7bb 100644
--- a/deployments/helm-chart/templates/controller-daemonset.yaml
+++ b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -44,6 +44,8 @@ spec:
 serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
index d0a65e127b..cb4b551a16 100644
--- a/deployments/helm-chart/templates/controller-deployment.yaml
+++ b/deployments/helm-chart/templates/controller-deployment.yaml
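Review bot: `securityContext.seccompProfile` is a field the API server only understands from Kubernetes v1.19 onward (earlier releases used the `seccomp.security.alpha.kubernetes.io/pod` annotation), so on an older cluster this manifest is, as far as I recall, either rejected by client-side validation or — with validation off — has the field pruned, leaving the pod Unconfined with no warning. The commit message's aim of "enhanced security on older Kubernetes versions" therefore only holds back to 1.19, and stating that minimum next to the stanza or in the installation docs avoids a false sense of hardening, e.g. `# Requires Kubernetes >= 1.19 (securityContext.seccompProfile); older API servers reject or drop this field.` The enclosing pod template `spec` starts before the hunk.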
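Review bot: `RuntimeDefault` delegates the actual syscall allow-list to whichever CRI runtime runs on the node (containerd, CRI-O and Docker each ship their own default profile), so the hardening this hunk provides is node-dependent, can differ between clusters, and may be absent on a node whose runtime lacks seccomp support. That deserves a comment so operators do not read the manifest as a fixed policy: `# The profile content comes from the node's container runtime; use type: Localhost with a pinned profile if a fixed allow-list is required.` It would also help to record in the PR that the controller, including its nginx reload path, has been exercised under the default profile on the runtimes the project supports. The pod template `spec` opens before the hunk.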
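Review bot: The diffstat lists only the six manifests and templates, with no README, changelog or installation-doc change, yet this hunk alters the default security posture of every deployment: anyone who relied on an Unconfined pod (for example to run `strace` against a worker) gets a behaviour change on upgrade with nothing in the docs explaining it or how to opt out. A one-line release-note entry stating that the controller pods now run with `seccompProfile.type: RuntimeDefault`, and that the stanza can be removed or set to `Unconfined` to restore the old behaviour, would close that gap. The enclosing pod template `spec` is outside the hunk.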
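Review bot: The profile type is hard-coded in the Helm template, so a chart user cannot select `Localhost` with a custom profile, or fall back to `Unconfined` for debugging, without forking the template. Exposing it as a value with the hardened default keeps the new behaviour for everyone while leaving an escape hatch: `type: {{ .Values.controller.seccompProfile.type | default "RuntimeDefault" }}` with a matching `controller.seccompProfile.type: RuntimeDefault` entry (and a README row) in values.yaml, which is not part of this diff. Note that `| default` only covers an empty string; if the `seccompProfile` map itself may be absent from a user's values, guard the lookup with `with` or `dig` so rendering does not fail on a nil map. The enclosing pod template `spec` starts before the hunk.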
@@ -77,6 +77,8 @@ spec:
 serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
 automountServiceAccountToken: true
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 sysctls:
 - name: "net.ipv4.ip_unprivileged_port_start"
 value: "0"
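Review bot: This template repeats the same two hard-coded lines as the DaemonSet template, so any later change (making the type configurable, adding `localhostProfile`) must be made in two places and can drift; the usual Helm answer is one shared stanza, e.g. a named template `nginx-ingress.podSecurityContext` that both templates `include`, or a `controller.podSecurityContext` value rendered with `toYaml | nindent`. If the type does become a value, remember that `Localhost` is only valid together with `localhostProfile`, so the template should render both fields or neither rather than the type alone. The enclosing pod template `spec` starts before the hunk.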