kubernetes-ingress
Support OpenShift's built-in `restricted-v2` Security Context Constraint
Is your feature request related to a problem? Please describe.
Security teams prefer referencing default (built-in) security restrictions. In OpenShift (v4.11+) the restricted-v2 Security Context Constraint is the default, and previously (up to v4.10) the restricted SCC was the default. Both of these SCCs require that a pod runs as a user in a pre-allocated range of UIDs. This conflicts with the current Nginx Ingress Controller setup, which uses UID 101.
Describe the solution you'd like
Nginx Ingress Controller should stop specifying an explicit UID in securityContext. Deployments in vanilla Kubernetes will inherit the container image's default UID, retaining existing behavior. Deployments in OpenShift will be allowed to choose any UID. Users on OpenShift with an existing SCC for NIC would also retain the existing RunAsUser behavior.
Describe alternatives you've considered
This is an explicit security requirement. The only alternative is WONTFIX: to not comply with OpenShift requirements.
Additional context
- Table 1. Default security context constraints in Managing security context constraints - Authentication and authorization - OpenShift Container Platform 4.15
Hi @sigv thanks for reporting!
Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:
Cheers!
@sigv we made an update to our Helm template & values to allow properties of securityContext to be overridden.
The PR for that change is here: https://github.com/nginxinc/kubernetes-ingress/pull/5084
In this case your deployment in OpenShift can remove runAsUser without removing it as a default.
Please do let me know if I'm mistaken or overlooking anything here.
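As an added example (not part of the issue, the maintainers' reply, or the project's own manifests), the two Deployment snippets below show the pod spec the issue objects to beside the one the proposed fix and the Helm override both aim for. Resource names, namespace and image tag are placeholders; the point is the `securityContext` block.

```yaml
# Added example, not project code. Names and image tag are placeholders.
#
# BEFORE: runAsUser is pinned to 101. Under OpenShift's restricted-v2 SCC the
# admission plugin rejects the pod because 101 is outside the UID range
# pre-allocated to the namespace (see the namespace annotation
# openshift.io/sa.scc.uid-range).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress          # placeholder
  namespace: nginx-ingress     # placeholder
spec:
  template:
    spec:
      containers:
        - name: nginx-ingress
          image: nginx/nginx-ingress:PLACEHOLDER_TAG
          securityContext:
            runAsUser: 101               # explicit UID: blocked by restricted-v2
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
---
# AFTER: runAsUser is omitted. On vanilla Kubernetes the container keeps the
# image's default USER (101 for the NIC image), so behaviour is unchanged. On
# OpenShift the SCC admission plugin fills in a UID from the namespace range.
# The remaining fields are what restricted-v2 expects: non-root, no privilege
# escalation, all capabilities dropped (NET_BIND_SERVICE may be re-added so
# nginx can bind 80/443), and the runtime default seccomp profile.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress          # placeholder
  namespace: nginx-ingress     # placeholder
spec:
  template:
    spec:
      containers:
        - name: nginx-ingress
          image: nginx/nginx-ingress:PLACEHOLDER_TAG
          securityContext:
            # runAsUser intentionally not set
            runAsNonRoot: true           # kubelet requires a numeric USER in the
                                         # image when runAsUser is absent
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
```

To confirm the result on OpenShift, inspect the running pod rather than the Deployment: the `openshift.io/scc` annotation on the pod names the SCC that admitted it (expected `restricted-v2`), and `.spec.containers[0].securityContext.runAsUser` on the pod shows the UID the admission plugin assigned from the namespace range. If the pod was admitted by a custom SCC instead, the pre-existing RunAsUser behaviour the issue mentions is what applies, and the Deployment can keep the explicit UID.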
Hey @sigv just checking in again. We've got a backlog refinement and grooming meeting on today. This PR and the related issue, https://github.com/nginxinc/kubernetes-ingress/issues/5422, are on our list.
When you get an opportunity, can you confirm if our changes to allow securityContext to be overridden will work for this use case?
Hi @sigv Please let us know if you get a chance to confirm our questions. For now, we're going to close this issue as the changes in https://github.com/nginxinc/kubernetes-ingress/pull/5084 appear to resolve this issue.
Please do re-open this issue, or a new issue if you think that is needed.