diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index b5e25bc37b..184fb4c996 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -41,11 +41,13 @@ spec: imagePullPolicy: Always name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -69,6 +71,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: @@ -78,10 +81,15 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} @@ -89,3 +97,7 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index e89ba7bcb5..d662174283 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml @@ -36,11 +36,13 @@ spec: imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }} name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -64,6 +66,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: 
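Review bot: The nginx container gets `readOnlyRootFilesystem: true` in the `@@ -69,6 +71,7 @@` hunk but, unlike the nginx-gateway container in the hunk above it, no `allowPrivilegeEscalation: false`; the new-side offset of that hunk (+71 against -69) accounts only for the two lines added to the first container, so nothing else was inserted into this container's securityContext by this change. Unless the old file already carries the key above the hunk, add `allowPrivilegeEscalation: false` alongside `capabilities:` in this securityContext so both containers satisfy the restricted Pod Security Standard rather than only one. The same gap appears in the matching nginx-container hunks of deploy/helm-chart/templates/deployment.yaml and deploy/manifests/nginx-gateway.yaml. This container's securityContext block begins above the hunk.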
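Review bot: The two new `emptyDir: {}` volumes in the `@@ -89,3 +97,7 @@` hunk, backing /var/cache/nginx and /var/lib/nginx, carry no `sizeLimit`, so whatever nginx writes there (presumably temp and cache files whose size follows client request and upstream response bodies) draws on node ephemeral storage without a bound. With the root filesystem now read-only these are the pod's only writable scratch space, so their growth is its entire disk footprint. Consider `emptyDir: { sizeLimit: 512Mi }` (or a value sized to the expected temp-file load) on each, so an oversized body results in eviction of this pod rather than disk pressure on the node; the same applies to the matching volume hunks in deployment.yaml and nginx-gateway.yaml.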
@@ -73,10 +76,15 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }} shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} @@ -84,4 +92,8 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} {{- end }} diff --git a/deploy/helm-chart/templates/rbac.yaml b/deploy/helm-chart/templates/rbac.yaml index 6bb156898f..0c245f4ee5 100644 --- a/deploy/helm-chart/templates/rbac.yaml +++ b/deploy/helm-chart/templates/rbac.yaml @@ -48,13 +48,6 @@ rules: verbs: - list - watch -- apiGroups: - - gateway.nginx.org - resources: - - gatewayconfigs - verbs: - - list - - watch - apiGroups: - gateway.networking.k8s.io resources: diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index 2036234985..3bd5059ecd 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -59,13 +59,6 @@ rules: verbs: - list - watch -- apiGroups: - - gateway.nginx.org - resources: - - gatewayconfigs - verbs: - - list - - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -149,11 +142,13 @@ spec: imagePullPolicy: Always name: nginx-gateway securityContext: + allowPrivilegeEscalation: false capabilities: add: - KILL drop: - ALL + readOnlyRootFilesystem: true runAsUser: 102 runAsGroup: 1001 volumeMounts: @@ -177,6 +172,7 @@ spec: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: true runAsUser: 101 runAsGroup: 1001 volumeMounts: 
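Review bot: With `readOnlyRootFilesystem: true` now set on the nginx container in the preceding hunk, the writable paths are exactly the listed mounts — /etc/nginx/secrets, /var/run/nginx and the new /var/cache/nginx and /var/lib/nginx — and anything the image's nginx.conf writes elsewhere (file-based access or error logs under /var/log/nginx are the usual candidate) will fail at startup or on first write. Worth confirming that the image logs to stdout/stderr and that nothing else is written to the root filesystem, and recording the contract above the mounts with a comment such as `# root filesystem is read-only: every path nginx writes to needs an emptyDir mounted here`. The volumeMounts list starts above this hunk.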
@@ -186,10 +182,15 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: fsGroup: 1001 + runAsNonRoot: true volumes: - name: nginx-conf emptyDir: {} @@ -197,6 +198,10 @@ spec: emptyDir: {} - name: nginx-run emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} --- # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1beta1