RELEASE/MAJOR: kubernetes-ingress: Tag release 1.34.0

dkorunic · dkorunic · commit 5404ee69a4fe · 2023-11-03T16:07:25.000+01:00
Changes in kubernetes-ingress:
- Use Ingress Controller 1.10.9 version for base image
- Set allowPrivilegeEscalation to false by default

Signed-off-by: Dinko Korunic &lt;dkorunic@haproxy.com&gt;
diff --git a/kubernetes-ingress/Chart.yaml b/kubernetes-ingress/Chart.yaml
@@ -16,8 +16,8 @@ apiVersion: v2
 name: kubernetes-ingress
 description: A Helm chart for HAProxy Kubernetes Ingress Controller
 type: application
-version: 1.33.1
-appVersion: 1.10.8
+version: 1.34.0
+appVersion: 1.10.9
 kubeVersion: ">=1.22.0-0"
 keywords:
   - ingress
@@ -32,4 +32,5 @@ maintainers:
 engine: gotpl
 annotations:
   artifacthub.io/changes: |
-    - Use Ingress Controller 1.10.8 version for base image
+    - Use Ingress Controller 1.10.9 version for base image
+    - Set allowPrivilegeEscalation to false by default
diff --git a/kubernetes-ingress/templates/controller-daemonset.yaml b/kubernetes-ingress/templates/controller-daemonset.yaml
@@ -123,7 +123,7 @@ spec:
             runAsNonRoot: true
             runAsUser:  1000
             runAsGroup: 1000
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
             capabilities:
               drop:
                 - ALL
diff --git a/kubernetes-ingress/templates/controller-deployment.yaml b/kubernetes-ingress/templates/controller-deployment.yaml
@@ -124,7 +124,7 @@ spec:
             runAsNonRoot: true
             runAsUser:  1000
             runAsGroup: 1000
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
             capabilities:
               drop:
                 - ALL
diff --git a/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml b/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml
@@ -43,7 +43,7 @@ metadata:
     seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
 spec:
-  allowPrivilegeEscalation: true
+  allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
   allowedCapabilities:
     - NET_BIND_SERVICE
   defaultAllowPrivilegeEscalation: false
diff --git a/kubernetes-ingress/values.yaml b/kubernetes-ingress/values.yaml
@@ -81,6 +81,10 @@ controller:
   ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/
   enableRuntimeDefaultSeccompProfile: true
 
+  ## Privilege escalation
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  allowPrivilegeEscalation: false
+
   ## Init Containers
   ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
   initContainers: []
@@ -107,6 +111,7 @@ controller:
 
   ## Controller Container listener port configuration
   ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
+  ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply
   containerPort:
     http: 8080
     https: 8443
