diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml
index a9bb0cd6ef..7a254a3bf6 100644
--- a/charts/nginx-gateway-fabric/templates/deployment.yaml
+++ b/charts/nginx-gateway-fabric/templates/deployment.yaml
@@ -139,6 +139,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 101
 runAsGroup: 1001
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
index 3d3574cd4f..6ab7dc92c1 100644
--- a/charts/nginx-gateway-fabric/templates/scc.yaml
+++ b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -15,7 +15,7 @@ readOnlyRootFilesystem: true
 runAsUser:
 type: MustRunAsRange
 uidRangeMin: 101
- uidRangeMax: 102
+ uidRangeMax: 101
 fsGroup:
 type: MustRunAs
 ranges:
@@ -30,16 +30,8 @@ seLinuxContext:
 type: MustRunAs
 seccompProfiles:
 - runtime/default
-volumes:
-- emptyDir
-- secret
-- configMap
-- projected
 users:
 - {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.serviceAccountName" .) }}
-allowedCapabilities:
-- NET_BIND_SERVICE
-- KILL
 requiredDropCapabilities:
 - ALL
 {{- end }}
diff --git a/config/tests/static-deployment.yaml b/config/tests/static-deployment.yaml
index 135576dcec..35fb3d8ad2 100644
--- a/config/tests/static-deployment.yaml
+++ b/config/tests/static-deployment.yaml
@@ -69,6 +69,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 101
 runAsGroup: 1001
diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml
index 4157f950ea..dba4bc53d0 100644
--- a/deploy/aws-nlb/deploy.yaml
+++ b/deploy/aws-nlb/deploy.yaml
@@ -292,6 +292,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
index b0c50f3938..c5557b11b1 100644
--- a/deploy/azure/deploy.yaml
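Review bot: The container securityContext in the deployment.yaml hunk now sets `allowPrivilegeEscalation: false` and drops all capabilities, but the visible lines (`readOnlyRootFilesystem: true`, `runAsUser: 101`, `runAsGroup: 1001`) show neither `runAsNonRoot: true` nor a `seccompProfile`, which the restricted Pod Security Standard requires alongside the two fields now set; unless those live in the pod-level securityContext outside the hunk, add `runAsNonRoot: true` next to `runAsUser: 101`. Setting the field explicitly matters off OpenShift because Kubernetes defaults it to true when unset, whereas on OpenShift the SCC's own `allowPrivilegeEscalation: false` (visible as context in the deploy/openshift/deploy.yaml hunk) was already applied at admission. The same one-line addition appears in config/tests/static-deployment.yaml and in every deploy/*/deploy.yaml hunk; the deploy copies place it before `capabilities` while the template places it after, which suggests they are rendered and key-sorted from this template, so confirm they were regenerated rather than edited by hand. The enclosing container spec starts and ends outside the hunk.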
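Review bot: Removing the `volumes` allow-list from the SCC in the second scc.yaml hunk leaves the admitted volume plugins to whatever the OpenShift API applies for an absent field, which nothing in this hunk shows; the pod still needs the types that were listed (emptyDir, secret, configMap, projected, presumably what the chart mounts) to pass SCC admission. If the intent is least privilege, an explicit allow-list of exactly the volume types the deployment mounts is the safer shape than omitting the field, and the OpenShift test path should prove admission still succeeds either way. Dropping `allowedCapabilities` is consistent with `requiredDropCapabilities: - ALL` here and with `drop: - ALL` in the deployment hunk, and narrowing `uidRangeMax` to 101 matches `runAsUser: 101`, provided no other container in the pod runs as a different UID. The same three changes are mirrored in the deploy/openshift/deploy.yaml hunks. The SCC definition starts above the first scc.yaml hunk.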
+++ b/deploy/azure/deploy.yaml
@@ -289,6 +289,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
index 6de6f83c6c..6b90c66690 100644
--- a/deploy/default/deploy.yaml
+++ b/deploy/default/deploy.yaml
@@ -289,6 +289,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
index e30d3aa26c..a6964b19f2 100644
--- a/deploy/experimental-nginx-plus/deploy.yaml
+++ b/deploy/experimental-nginx-plus/deploy.yaml
@@ -304,6 +304,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
index d5522e4359..6116b0991f 100644
--- a/deploy/experimental/deploy.yaml
+++ b/deploy/experimental/deploy.yaml
@@ -295,6 +295,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
index 16145ce02d..8274bbc7e8 100644
--- a/deploy/nginx-plus/deploy.yaml
+++ b/deploy/nginx-plus/deploy.yaml
@@ -298,6 +298,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
index 1c3aee8971..e5cdc5997b 100644
--- a/deploy/nodeport/deploy.yaml
+++ b/deploy/nodeport/deploy.yaml
@@ -289,6 +289,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
index fba8e3acfd..f32825a7be 100644
--- a/deploy/openshift/deploy.yaml
+++ b/deploy/openshift/deploy.yaml
@@ -297,6 +297,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
@@ -458,9 +459,6 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
-allowedCapabilities:
-- NET_BIND_SERVICE
-- KILL
 apiVersion: security.openshift.io/v1
 fsGroup:
 ranges:
@@ -475,7 +473,7 @@ requiredDropCapabilities:
 - ALL
 runAsUser:
 type: MustRunAsRange
- uidRangeMax: 102
+ uidRangeMax: 101
 uidRangeMin: 101
 seLinuxContext:
 type: MustRunAs
@@ -488,8 +486,3 @@ supplementalGroups:
 type: MustRunAs
 users:
 - system:serviceaccount:nginx-gateway:nginx-gateway
-volumes:
-- emptyDir
-- secret
-- configMap
-- projected
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
index 13a3cff9cd..5a5d69827e 100644
--- a/deploy/snippets-filters-nginx-plus/deploy.yaml
+++ b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -301,6 +301,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
index e283641930..910256fb77 100644
--- a/deploy/snippets-filters/deploy.yaml
+++ b/deploy/snippets-filters/deploy.yaml
@@ -292,6 +292,7 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 1
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL