Set SCC's RunAsUser as MustRunAsRange

Upstream Helm Chart is removing explicit `runAsUser` value from the Deployment and DaemonSet resources. This practically means the UID will be inherited from image's Dockerfile. Users on vanilla Kubernetes clusters will not observe a change in behavior, unless they have exotic configurations. However, OpenShift does have additional security measures. It suggests using randomized UIDs/GIDs for workloads. To enable this, the custom Security Context Constraint resources are being updated. The `MustRunAsRange` policy is utilized with pre-allocated values (no explicit range min/max), which effectively allows OpenShift to pick its own ranges.
nginxinc · Mar 26, 2024 · 4b7ead3 · 4b7ead3
1 parent 9a168a5
commit 4b7ead3
Show file tree

Hide file tree

Showing 5 changed files with 2 additions and 9 deletions.
diff --git a/helm-charts/nginx-ingress/templates/controller-daemonset.yaml b/helm-charts/nginx-ingress/templates/controller-daemonset.yaml
@@ -100,7 +100,6 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
-          runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
@@ -153,7 +152,6 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
-          runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:

diff --git a/helm-charts/nginx-ingress/templates/controller-deployment.yaml b/helm-charts/nginx-ingress/templates/controller-deployment.yaml
@@ -109,7 +109,6 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
-          runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:
@@ -160,7 +159,6 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
-          runAsUser: 101 #nginx
           runAsNonRoot: true
           capabilities:
             drop:

diff --git a/helm-charts/nginx-ingress/values.yaml b/helm-charts/nginx-ingress/values.yaml
@@ -176,7 +176,6 @@ controller:
   securityContext: {} # Remove curly brackets before adding values
     # allowPrivilegeEscalation: true
     # readOnlyRootFilesystem: true
-    # runAsUser: 101 #nginx
     # runAsNonRoot: true
     # capabilities:
     #   drop:

diff --git a/resources/scc-daemonset.yaml b/resources/scc-daemonset.yaml
@@ -5,8 +5,7 @@ metadata:
   name: nginx-ingress-admin
 allowPrivilegedContainer: false
 runAsUser:
-  type: MustRunAs
-  uid: 101
+  type: MustRunAsRange
 seLinuxContext:
   type: MustRunAs
 fsGroup:

diff --git a/resources/scc.yaml b/resources/scc.yaml
@@ -5,8 +5,7 @@ metadata:
   name: nginx-ingress-admin
 allowPrivilegedContainer: false
 runAsUser:
-  type: MustRunAs
-  uid: 101
+  type: MustRunAsRange
 seLinuxContext:
   type: MustRunAs
 fsGroup: