E582 Apply UID/GID defaults from image · nginx/kubernetes-ingress@ee75176 · GitHub

Commit ee75176

Apply UID/GID defaults from image
`build/Dockerfile` specifies `USER 101` for the `common` target, which is re-applied into the final images. Helm Chart/Manifests do not need to specify the UID explicitly, and can instead use the image's UID. (PodSecurityContext v1 core specifies that `runAsUser` defaults to the user specified in image metadata if unspecified.) The existing `runAsNonRoot: true` flag (already in place) will ensure at runtime that the image is configured with a custom user ID.

This is notably helpful for users running OpenShift, because OpenShift attempts to enforce custom UID/GID ranges for individual namespaces as part of the `restricted-v2` Security Context Constraint. Once hard-coded values are removed from the manifests, OpenShift will be able to assign its own UID/GID. In practice, this means a different model of configuring file system permissions. OpenShift assigns the container process GID 0 as a supplemental group to assist with that. Locations that are expected to be written to must be owned by GID 0, with group write permissions. Previous changes to `main` have ensured that is the case. The init container copying files is not a concern, as it will have the same owner UID there as the main NIC container.

Reference: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
1 parent 1593812 commit ee75176

7 files changed: +0 -13 lines changed

charts/nginx-ingress/templates/controller-daemonset.yaml

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,6 @@ spec:
100100
securityContext:
101101
allowPrivilegeEscalation: false
102102
readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
103-
runAsUser: 101 #nginx
104103
runAsNonRoot: true
105104
capabilities:
106105
drop:
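Review bot: dropping `runAsUser: 101` while keeping `runAsNonRoot: true` moves the non-root guarantee from the manifest to the kubelet's image check, and that check only passes when the image's `USER` is numeric; a later Dockerfile change to a named user (`USER nginx`) would make every pod rendered from this template fail at container creation (the kubelet error reads roughly "container has runAsNonRoot and image has non-numeric user, cannot verify user is non-root") rather than at lint or review time. Suggest recording that contract where the next editor will see it, e.g. above `runAsNonRoot: true`: `# runAsUser intentionally unset: inherited from the image (USER 101 in build/Dockerfile); must stay numeric for runAsNonRoot validation`.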
@@ -153,7 +152,6 @@ spec:
153152
securityContext:
154153
allowPrivilegeEscalation: false
155154
readOnlyRootFilesystem: true
156-
runAsUser: 101 #nginx
157155
runAsNonRoot: true
158156
capabilities:
159157
drop:
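Review bot: this second `securityContext` (template line 153, presumably the init container the commit message says copies files) now inherits its UID from the image as well, so the "same UID as owner" argument holds only while the init container and the main container run the same image, or images built with the same `USER`. Suggest a one-line comment here stating that dependency, since `readOnlyRootFilesystem: true` is hard-coded in this block and a UID mismatch between the two containers would leave the copied files on the shared volume owned by a UID the main container does not have.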

charts/nginx-ingress/templates/controller-deployment.yaml

Lines changed: 0 additions & 2 deletions
@@ -109,7 +109,6 @@ spec:
109109
securityContext:
110110
allowPrivilegeEscalation: false
111111
readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
112-
runAsUser: 101 #nginx
113112
runAsNonRoot: true
114113
capabilities:
115114
drop:
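Review bot: the commit message explains the OpenShift case (platform-assigned UID plus supplemental GID 0) but not what happens on a plain Kubernetes cluster once `runAsUser` is gone from this block: with no `runAsGroup` either, the primary GID is whatever the image's `/etc/passwd` entry for UID 101 yields, and the writable-path model described in the message (paths owned by GID 0 with group write) only works if that GID, or a supplemental group, is 0. Suggest stating the expected UID/GID pair on non-OpenShift clusters in the commit or PR description, and adding `runAsGroup` only if the image's passwd entry turns out not to match what the writable paths require.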
@@ -160,7 +159,6 @@ spec:
160159
securityContext:
161160
allowPrivilegeEscalation: false
162161
readOnlyRootFilesystem: true
163-
runAsUser: 101 #nginx
164162
runAsNonRoot: true
165163
capabilities:
166164
drop:
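Review bot: this is the fourth copy of the same `securityContext` block in the chart (two per template), each edited line by line in this commit; suggest moving the shared part (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `capabilities:`/`drop:`) into a named template (for example in the chart's `_helpers.tpl`, if it has one) so the UID policy is defined once and the next change to it is a one-line diff. `readOnlyRootFilesystem` can stay inline, since it differs between the two blocks (`true` here, `{{ .Values.controller.readOnlyRootFilesystem }}` in the first).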

charts/nginx-ingress/values.yaml

Lines changed: 0 additions & 1 deletion
@@ -176,7 +176,6 @@ controller:
176176
securityContext: {} # Remove curly brackets before adding values
177177
# allowPrivilegeEscalation: true
178178
# readOnlyRootFilesystem: true
179-
# runAsUser: 101 #nginx
180179
# runAsNonRoot: true
181180
# capabilities:
182181
# drop:
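Review bot: deleting the commented `# runAsUser: 101 #nginx` example line leaves nothing telling a user who uncomments this block that the UID is meant to come from the image; anyone copying an older values file forward will reintroduce `runAsUser: 101` and, on OpenShift, run straight into the `restricted-v2` UID-range rejection this commit is meant to avoid. Suggest replacing the deleted line with a comment such as `# runAsUser is intentionally unset so the image's USER (or the platform-assigned UID on OpenShift) applies`.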

deployments/daemon-set/nginx-ingress.yaml

Lines changed: 0 additions & 2 deletions
@@ -61,7 +61,6 @@ spec:
6161
securityContext:
6262
allowPrivilegeEscalation: false
6363
# readOnlyRootFilesystem: true
64-
runAsUser: 101 #nginx
6564
runAsNonRoot: true
6665
capabilities:
6766
drop:
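Review bot: unlike the chart, the static manifests keep `readOnlyRootFilesystem` commented out, so after this change the controller writes to its root filesystem as whatever UID the platform assigns; the commit message's guarantee (writable locations owned by GID 0 with group write) therefore has to hold for every path under the root filesystem the controller writes to, not only for mounted volumes. Suggest a comment above `runAsNonRoot: true` recording that `runAsUser` is deliberately absent, worded the same way as in the chart templates, so the manifests and the chart do not drift apart on this point.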
@@ -103,7 +102,6 @@ spec:
103102
# securityContext:
104103
# allowPrivilegeEscalation: false
105104
# readOnlyRootFilesystem: true
106-
# runAsUser: 101 #nginx
107105
# runAsNonRoot: true
108106
# capabilities:
109107
# drop:

deployments/daemon-set/nginx-plus-ingress.yaml

Lines changed: 0 additions & 2 deletions
@@ -61,7 +61,6 @@ spec:
6161
securityContext:
6262
allowPrivilegeEscalation: false
6363
# readOnlyRootFilesystem: true
64-
runAsUser: 101 #nginx
6564
runAsNonRoot: true
6665
capabilities:
6766
drop:
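Review bot: the Plus manifest now depends on the Plus image carrying the same `USER 101` as the OSS image; the commit message says the `common` target's `USER 101` is re-applied into the final images, but if a Plus target ever sets its own `USER`, this hunk's `runAsNonRoot: true` is the only thing that will notice, and it notices at pod start. Suggest a build-time assertion across every published variant (e.g. `docker inspect --format '{{.Config.User}}'` must equal `101`) so a Plus-only Dockerfile change cannot silently break the deployments.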
@@ -106,7 +105,6 @@ spec:
106105
# securityContext:
107106
# allowPrivilegeEscalation: false
108107
# readOnlyRootFilesystem: true
109-
# runAsUser: 101 #nginx
110108
# runAsNonRoot: true
111109
# capabilities:
112110
# drop:

deployments/deployment/nginx-ingress.yaml

Lines changed: 0 additions & 2 deletions
@@ -60,7 +60,6 @@ spec:
6060
securityContext:
6161
allowPrivilegeEscalation: false
6262
# readOnlyRootFilesystem: true
63-
runAsUser: 101 #nginx
6463
runAsNonRoot: true
6564
capabilities:
6665
drop:
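Review bot: this hunk changes behaviour for existing installs, not just new ones: on OpenShift, a deployment previously applied with `runAsUser: 101` (under an SCC that allowed it) will, after the rolling update, get a namespace-range UID, so any data those pods wrote as UID 101 to a persistent volume is no longer owned by the running process and is reachable only through the GID 0 group-write path the commit message describes. Suggest an upgrade note in the release notes or docs saying that the effective UID may change on OpenShift after this version and that persisted data must be group-writable by GID 0.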
@@ -104,7 +103,6 @@ spec:
104103
# securityContext:
105104
# allowPrivilegeEscalation: false
106105
# readOnlyRootFilesystem: true
107-
# runAsUser: 101 #nginx
108106
# runAsNonRoot: true
109107
# capabilities:
110108
# drop:

deployments/deployment/nginx-plus-ingress.yaml

Lines changed: 0 additions & 2 deletions
@@ -62,7 +62,6 @@ spec:
6262
securityContext:
6363
allowPrivilegeEscalation: false
6464
# readOnlyRootFilesystem: true
65-
runAsUser: 101 #nginx
6665
runAsNonRoot: true
6766
capabilities:
6867
drop:
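Review bot: with `runAsUser` now absent by design in seven places, nothing stops a future PR from re-adding it to one manifest and not the others; suggest a regression test that renders the chart and loads these static manifests and asserts that no container `securityContext` sets `runAsUser` while `runAsNonRoot: true` is present, so the policy this commit introduces is enforced rather than remembered. The deleted line's `#nginx` trailing comment was also the only place this file named the runtime user; carrying that into a comment on `runAsNonRoot: true` would keep the information.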
@@ -110,7 +109,6 @@ spec:
110109
# securityContext:
111110
# allowPrivilegeEscalation: false
112111
# readOnlyRootFilesystem: true
113-
# runAsUser: 101 #nginx
114112
# runAsNonRoot: true
115113
# capabilities:
116114
# drop:

0 commit comments

Comments
 (0)
0