nginx
diff --git a/‎charts/nginx-ingress/README.md‎
Lines changed: 5 additions & 2 deletions b/‎charts/nginx-ingress/README.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎charts/nginx-ingress/templates/_helpers.tpl‎
Lines changed: 11 additions & 0 deletions b/‎charts/nginx-ingress/templates/_helpers.tpl‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎charts/nginx-ingress/templates/controller-daemonset.yaml‎
Lines changed: 17 additions & 8 deletions b/‎charts/nginx-ingress/templates/controller-daemonset.yaml‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎charts/nginx-ingress/templates/controller-deployment.yaml‎
Lines changed: 17 additions & 8 deletions b/‎charts/nginx-ingress/templates/controller-deployment.yaml‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎charts/nginx-ingress/values.schema.json‎
Lines changed: 25 additions & 0 deletions b/‎charts/nginx-ingress/values.schema.json‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎charts/nginx-ingress/values.yaml‎
Lines changed: 22 additions & 0 deletions b/‎charts/nginx-ingress/values.yaml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎docs/content/installation/installing-nic/installation-with-helm.md‎
Lines changed: 5 additions & 2 deletions b/‎docs/content/installation/installing-nic/installation-with-helm.md‎
Lines changed: 5 additions & 2 deletions
@@ -379,8 +379,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] |
 |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] |
 |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
+|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
+|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} |
+|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} |
 |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
-|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
+|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
 |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
 |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
 |`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |
@@ -465,7 +468,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
 |`controller.defaultHTTPListenerPort`  | Sets the port for the HTTP `default_server` listener. | 80 |
 |`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 |
-|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
+|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false |
 |`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true |
 |`controller.enableTelemetryReporting` | Enable telemetry reporting. | true |
 |`rbac.create` | Configures RBAC. | true |
 
@@ -134,6 +134,17 @@ Expand image name.
 {{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service"  -}}
 {{- end -}}
 
+{{/*
+return if readOnlyRootFilesystem is enabled or not.
+*/}}
+{{- define "nginx-ingress.readOnlyRootFilesystem" -}}
+{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
 {{/*
 Build the args for the service binary.
 */}}
 
@@ -40,8 +40,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
 {{- if .Values.controller.nodeSelector }}
       nodeSelector:
@@ -55,10 +54,10 @@ spec:
       affinity:
 {{ toYaml .Values.controller.affinity | indent 8 }}
 {{- end }}
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }}
+{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumes }}
       volumes:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
       - name: nginx-etc
         emptyDir: {}
       - name: nginx-cache
@@ -117,6 +116,10 @@ spec:
           periodSeconds: 1
           initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
 {{- end }}
+{{- if .Values.controller.securityContext }}
+        securityContext:
+{{ toYaml .Values.controller.securityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -127,10 +130,11 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
+{{- end }}
+{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
         - mountPath: /etc/nginx
           name: nginx-etc
         - mountPath: /var/cache/nginx
@@ -168,10 +172,10 @@ spec:
 {{- if .Values.controller.extraContainers }}
       {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
+{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
       initContainers:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
       - name: init-{{ include "nginx-ingress.name" . }}
         image: {{ include "nginx-ingress.image" . }}
         imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
@@ -180,6 +184,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityConte
E18F
xt }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -188,6 +196,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc
 
@@ -56,10 +56,10 @@ spec:
       topologySpreadConstraints:
 {{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }}
 {{- end }}
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }}
+{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true") .Values.controller.volumes }}
       volumes:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
       - name: nginx-etc
         emptyDir: {}
       - name: nginx-cache
@@ -78,8 +78,7 @@ spec:
       serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
       automountServiceAccountToken: true
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
@@ -126,6 +125,10 @@ spec:
 {{- end }}
         resources:
 {{ toYaml .Values.controller.resources | indent 10 }}
+{{- if .Values.controller.securityContext }}
+        securityContext:
+{{ toYaml .Values.controller.securityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
@@ -136,10 +139,11 @@ spec:
             - ALL
             add:
             - NET_BIND_SERVICE
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
+{{- end }}
+{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }}
         volumeMounts:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
         - mountPath: /etc/nginx
           name: nginx-etc
         - mountPath: /var/cache/nginx
@@ -175,10 +179,10 @@ spec:
 {{- if .Values.controller.extraContainers }}
       {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
-{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
+{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
       initContainers:
 {{- end }}
-{{- if .Values.controller.readOnlyRootFilesystem }}
+{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
       - name: init-{{ include "nginx-ingress.name" . }}
         image: {{ include "nginx-ingress.image" . }}
         imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
@@ -187,6 +191,10 @@ spec:
         resources:
 {{ toYaml .Values.controller.initContainerResources | indent 10 }}
 {{- end }}
+{{- if .Values.controller.initContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }}
+{{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -195,6 +203,7 @@ spec:
           capabilities:
             drop:
             - ALL
+{{- end }}
         volumeMounts:
         - mountPath: /mnt/etc
           name: nginx-etc
 
@@ -508,6 +508,24 @@
           "title": "The terminationGracePeriodSeconds Schema",
           "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds"
         },
+        "podSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The podSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
+        },
+        "securityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The securityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
+        "initContainerSecurityContext": {
+          "type": "object",
+          "default": {},
+          "title": "The initContainerSecurityContext Schema",
+          "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
+        },
         "resources": {
           "type": "object",
           "default": {},
@@ -1455,6 +1473,13 @@
           },
           "nodeSelector": {},
           "terminationGracePeriodSeconds": 30,
+          "podSecurityContext": {
+            "seccompProfile": {
+              "type": "RuntimeDefault"
+            }
+          },
+          "securityContext": {},
+          "initContainerSecurityContext": {},
           "resources": {
             "requests": {
               "cpu": "100m",
 
@@ -167,6 +167,26 @@ controller:
   #   cpu: 1
   #   memory: 1Gi
 
+  ## The security context for the Ingress Controller pods.
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  ## The security context for the Ingress Controller containers.
+  securityContext: {} # Remove curly brackets before adding values
+    # allowPrivilegeEscalation: true
+    # readOnlyRootFilesystem: true
+    # runAsUser: 101 #nginx
+    # runAsNonRoot: true
+    # capabilities:
+    #   drop:
+    #   - ALL
+    #   add:
+    #   - NET_BIND_SERVICE
+
+  ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
+  initContainerSecurityContext: {}
+
   ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true.
   initContainerResources:
     requests:
@@ -460,6 +480,8 @@ controller:
   defaultHTTPSListenerPort: 443
 
   ## Configure root filesystem as read-only and add volumes for temporary data.
+  ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section.
+  ## This value will not be used if `controller.securityContext` is set
   readOnlyRootFilesystem: false
 
   ## Enable dynamic reloading of certificates
 
@@ -342,8 +342,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.volumeMounts** | The volumeMounts of the Ingress Controller pods. | [] |
 | **controller.initContainers** | InitContainers for the Ingress Controller pods. | [] |
 | **controller.extraContainers** | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] |
+| **controller.podSecurityContext**| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} |
+| **controller.securityContext** | The SecurityContext for Ingress Controller container. | {} |
+| **controller.initContainerSecurityContext** | The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} |
 | **controller.resources** | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi |
-| **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi |
+| **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
 | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 |
 | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
 | **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.2, do not set the value to false. | true |
@@ -428,7 +431,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
 | **controller.defaultHTTPListenerPort**  | Sets the port for the HTTP `default_server` listener. | 80 |
 | **controller.defaultHTTPSListenerPort**  | Sets the port for the HTTPS `default_server` listener. | 443 |
-| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. | false |
+| **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section.  | false |
 | **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true |
 | **rbac.create** | Configures RBAC. | true |
 | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |