From 82588a33a787ecde6cf20c3fa895d7cd57aaeea6 Mon Sep 17 00:00:00 2001
From: Laszlo Janosi
Date: Sun, 3 May 2020 17:08:42 +0000
Subject: [PATCH 1/2] Add configuration option for the runAsUser parameter of the webhook patch job
---
 .../admission-webhooks/job-patch/job-createSecret.yaml | 2 +-
 .../admission-webhooks/job-patch/job-patchWebhook.yaml | 4 ++--
 charts/ingress-nginx/values.yaml | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 3e21b7fedc..966117e5ef 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -43,5 +43,5 @@ spec:
 {{- end }}
 securityContext:
 runAsNonRoot: true
- runAsUser: 2000
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.image.runAsUser }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 79d58a7bd8..7ee52c3aed 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -45,5 +45,5 @@ spec:
 {{- end }}
 securityContext:
 runAsNonRoot: true
- runAsUser: 2000
-{{- end }}
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.image.runAsUser }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 895a447590..8827ccad45 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
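Review bot: The new `runAsUser: {{ .Values.controller.admissionWebhooks.patch.image.runAsUser }}` line in job-createSecret.yaml interpolates the value with no type coercion or validation, and the same applies to job-patchWebhook.yaml and to the renamed references in PATCH 2/2. Depending on the Helm version, a large UID such as one from an OpenShift-assigned range can be rendered in floating-point notation that the API server rejects, and an explicit null override would leave the field empty so the UID is no longer pinned. Piping the value through `| int64` keeps the field an integer, and because `runAsNonRoot: true` stays hard-coded, a 0 or missing value then fails at pod start rather than running as root. The Job spec that encloses this securityContext begins outside the hunk.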
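Review bot: The last line of job-patchWebhook.yaml changes from `{{- end }}` with a trailing newline to `{{- end }}` without one (`\ No newline at end of file`), which looks unintentional and is unrelated to the runAsUser option. Restoring the final newline keeps this hunk to the single `runAsUser` line, as in job-createSecret.yaml, and avoids a spurious change the next time the file is edited. PATCH 2/2 carries the missing newline forward.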
@@ -362,6 +362,7 @@ controller:
 repository: jettech/kube-webhook-certgen
 tag: v1.2.0
 pullPolicy: IfNotPresent
+ runAsUser: 2000
 ## Provide a priority class name to the webhook patching job
 ##
 priorityClassName: ""
From 5148443ca74de7bfba0ecad36e223341c22f7b8c Mon Sep 17 00:00:00 2001
From: Laszlo Janosi
Date: Mon, 4 May 2020 17:50:00 +0000
Subject: [PATCH 2/2] Move webhook runAsUser from patch.image.runAsUser to patch.runAsUser
---
 .../admission-webhooks/job-patch/job-createSecret.yaml | 2 +-
 .../admission-webhooks/job-patch/job-patchWebhook.yaml | 2 +-
 charts/ingress-nginx/values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 966117e5ef..d8e9763a10 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -43,5 +43,5 @@ spec:
 {{- end }}
 securityContext:
 runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.image.runAsUser }}
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index 7ee52c3aed..e5c0b9dbfe 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -45,5 +45,5 @@ spec:
 {{- end }}
 securityContext:
 runAsNonRoot: true
- runAsUser: {{ .Values.controller.admissionWebhooks.patch.image.runAsUser }}
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
 {{- end }}
\ No newline at end of file
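Review bot: The added `runAsUser: 2000` key in the values.yaml hunk of PATCH 1/2 (`@@ -362,6 +362,7 @@`) has no comment, unlike the neighbouring `priorityClassName` entry, so an operator cannot tell from values.yaml that the job templates also set `runAsNonRoot: true`. I would add a `##` comment above it, for example `## UID the admission webhook patch job runs as; must be non-zero because the job templates set runAsNonRoot: true`. PATCH 2/2 moves the key under `patch` but still adds no comment there. The enclosing `controller.admissionWebhooks.patch` mapping starts outside the hunk.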
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 8827ccad45..54a97348c2 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -362,12 +362,12 @@ controller: repository: jettech/kube-webhook-certgen tag: v1.2.0 pullPolicy: IfNotPresent - runAsUser: 2000 ## Provide a priority class name to the webhook patching job ## priorityClassName: "" podAnnotations: {} nodeSelector: {} + runAsUser: 2000 metrics: port: 10254