Chart: Sync to upstream. (#550)

* Controller: Fix `chroot` mode. * Service: Remove redundant version check. * Vendir: Bump lock.
giantswarm · Oct 18, 2023 · e6c74b3 · e6c74b3
1 parent 53cc07c
commit e6c74b3
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Changed
+
+- Controller: Fix `chroot` mode. ([#550](https://github.com/giantswarm/ingress-nginx-app/pull/550))
+
+### Removed
+
+- Service: Remove redundant version check. ([#550](https://github.com/giantswarm/ingress-nginx-app/pull/550))
+
 ## [3.1.0] - 2023-10-12
 
 ### Added

diff --git a/helm/ingress-nginx/templates/_helpers.tpl b/helm/ingress-nginx/templates/_helpers.tpl
@@ -39,7 +39,7 @@ Controller container security context.
 {{- else -}}
 runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
 runAsUser: {{ .Values.controller.image.runAsUser }}
-allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
 {{- if .Values.controller.image.seccompProfile }}
 seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
 {{- end }}
@@ -49,6 +49,9 @@ capabilities:
   add:
   - NET_BIND_SERVICE
   {{- if .Values.controller.image.chroot }}
+  {{- if .Values.controller.image.seccompProfile }}
+  - SYS_ADMIN
+  {{- end }}
   - SYS_CHROOT
   {{- end }}
 readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}

diff --git a/helm/ingress-nginx/templates/controller-psp.yaml b/helm/ingress-nginx/templates/controller-psp.yaml
@@ -77,12 +77,15 @@ spec:
     ranges:
       - min: 1
         max: 65535
-  allowPrivilegeEscalation: false
+  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
   requiredDropCapabilities:
     - ALL
   allowedCapabilities:
     - NET_BIND_SERVICE
   {{- if .Values.controller.image.chroot }}
+  {{- if .Values.controller.image.seccompProfile }}
+    - SYS_ADMIN
+  {{- end }}
     - SYS_CHROOT
   {{- end }}
   seLinux:

diff --git a/helm/ingress-nginx/templates/controller-service-internal.yaml b/helm/ingress-nginx/templates/controller-service-internal.yaml
@@ -63,8 +63,6 @@ spec:
 {{- if .Values.controller.service.internal.ipFamilyPolicy }}
   ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}
 {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.internal.ipFamilies }}
   ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }}
 {{- end }}

diff --git a/helm/ingress-nginx/templates/controller-service.yaml b/helm/ingress-nginx/templates/controller-service.yaml
@@ -67,8 +67,6 @@ spec:
 {{- if .Values.controller.service.ipFamilyPolicy }}
   ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}
 {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
 {{- if .Values.controller.service.ipFamilies }}
   ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }}
 {{- end }}

diff --git a/vendir.lock.yml b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
   - git:
-      commitTitle: 'Chart: Tighten `securityContext`s and Pod Security Policies. (#10)...'
-      sha: 34d72522106529a14682fa0449ddc4c0c73b89c0
+      commitTitle: 'Chart: Tighten `securityContext`s and Pod Security Policies....'
+      sha: efcdfe703debd75960486fc0017f61ba48971ae3
     path: ingress-nginx
   path: helm
 kind: LockConfig