From c4d559ad3663a3c64cf2bf5aa4001c75383a7ddc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Jos=C3=A9=20Ruiz=20Romero?= Date: Sat, 15 Oct 2022 11:24:11 +0000 Subject: [PATCH 01/20] Add configmap for custom message in default backend --- .../templates/default-backend-configmap.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 charts/ingress-nginx/templates/default-backend-configmap.yaml diff --git a/charts/ingress-nginx/templates/default-backend-configmap.yaml b/charts/ingress-nginx/templates/default-backend-configmap.yaml new file mode 100644 index 0000000000..a7a477fc94 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + index.html: | +

{{ .Values.defaultBackend.defaultBackendMessage }}

+kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: default-backend-message-configmap + namespace: {{ .Release.Namespace }} From d3f8f06730cebb08998cd1e7c50a8a21b0aa367b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Jos=C3=A9=20Ruiz=20Romero?= Date: Sat, 15 Oct 2022 11:24:53 +0000 Subject: [PATCH 02/20] Updating default-backend-deployment to use the new configmap and images --- .../templates/default-backend-deployment.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index fd3e96e9ef..1a84ea0a6f 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -61,9 +61,6 @@ spec: {{- end }} {{- end }} securityContext: - capabilities: - drop: - - ALL runAsUser: {{ .Values.defaultBackend.image.runAsUser }} runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} @@ -73,7 +70,7 @@ spec: {{- end }} livenessProbe: httpGet: - path: /healthz + path: / port: {{ .Values.defaultBackend.port }} scheme: HTTP initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }} @@ -83,7 +80,7 @@ spec: failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }} readinessProbe: httpGet: - path: /healthz + path: / port: {{ .Values.defaultBackend.port }} scheme: HTTP initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }} From 8e9c000a9ad32eaa142f8dae22607ecbce33f81c Mon Sep 17 00:00:00 2001 
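Review bot: The new ConfigMap is rendered unconditionally — there is no `{{- if .Values.defaultBackend.enabled }}` guard around the file — so it is created even when the default backend is off, which is the chart default again once patch 19/20 sets `enabled: false`. Its name is also the fixed string `default-backend-message-configmap` rather than one derived from the release name as the chart's other resources presumably are, so two releases in one namespace would fight over it; the ConfigMap added in patch 14/20 has the same two problems. Wrap the template in `{{- if .Values.defaultBackend.enabled }}` … `{{- end }}` and build the name from the chart's naming helper. The `index.html` body between `index.html: |` and `kind:` is not legible in this rendering, so I cannot review the markup; if `defaultBackendMessage` is interpolated into HTML unescaped, `{{ .Values.defaultBackend.defaultBackendMessage | html }}` keeps an operator-supplied message from breaking the page.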
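Review bot: Removing `capabilities: drop: [ALL]` from the container securityContext weakens the default backend's hardening for no reason the series states, and patch 11/20 adds exactly these three lines back. An nginx process bound to an unprivileged port as a non-root user, which is where patch 13/20 ends up, should not need any Linux capability, so keep the drop here and squash patch 11 into this commit so that no commit in the range ships the container with its ambient capability set. The two probe hunks below switch `/healthz` to `/`, which is what the stock nginx image can answer, but the reason is not recorded; a short comment such as `# the nginx image has no /healthz; / is served by the nginx default.conf` next to each `path:` would explain the choice. The enclosing container spec starts and ends outside these hunks.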
From: =?UTF-8?q?Juan=20Jos=C3=A9=20Ruiz=20Romero?= Date: Sat, 15 Oct 2022 11:25:13 +0000 Subject: [PATCH 03/20] Update values yaml file due security reasons in default backend --- charts/ingress-nginx/values.yaml | 33 +++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 622244a115..d346451617 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -451,7 +451,11 @@ controller: ## appProtocol: true - annotations: {} + annotations: + load-balancer.hetzner.cloud/name: test-default-backend + load-balancer.hetzner.cloud/hostname: test-default-backend + load-balancer.hetzner.cloud/network-zone: eu-central + load-balancer.hetzner.cloud/use-private-ip: "true" labels: {} # clusterIP: "" @@ -768,22 +772,19 @@ revisionHistoryLimit: 10 ## defaultBackend: ## - enabled: false + enabled: true name: defaultbackend image: - registry: registry.k8s.io - image: defaultbackend-amd64 + repository: nginx + tag: alpine ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "1.5" pullPolicy: IfNotPresent # nobody user -> uid 65534 - runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false + + defaultBackendMessage: "Default Backend - 404 LOL" # -- Use an existing PSP instead of creating one existingPsp: "" @@ -797,7 +798,7 @@ defaultBackend: # -- Additional environment variables to set for defaultBackend pods extraEnvs: [] - port: 8080 + port: 80 ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ 
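Review bot: The second hunk deletes `runAsUser`, `runAsNonRoot`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` from `defaultBackend.image` while the deployment template (patch 02/20) still renders `runAsUser: {{ .Values.defaultBackend.image.runAsUser }}` and the sibling fields, so those keys render empty and the container falls back to the image default — for `nginx:alpine` that is root, which is also why `port: 80` works here. Patch 05/20 then only comments the keys out and patch 13/20 restores them; those three hunks should be squashed so that the chart never defaults to a root container at any commit in the range. The same hunk replaces the pinned `registry.k8s.io/defaultbackend-amd64:1.5` with the floating `nginx:alpine` tag (not pinned until patch 13/20) and sets `enabled: true` plus a `"Default Backend - 404 LOL"` message as chart defaults. The first hunk adds `load-balancer.hetzner.cloud/*` annotations with `test-default-backend` values to the controller service defaults; these are environment-specific test values, reverted in patch 05/20, and should not be in this commit at all.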
@@ -814,7 +815,6 @@ defaultBackend: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - # -- Node tolerations for server scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## @@ -864,12 +864,19 @@ defaultBackend: # cpu: 10m # memory: 20Mi - extraVolumeMounts: [] + extraVolumeMounts: + - name: config + mountPath: "/usr/share/nginx/html/index.html" + subPath: index.html + readOnly: true ## Additional volumeMounts to the default backend container. # - name: copy-portal-skins # mountPath: /var/lib/lemonldap-ng/portal/skins - extraVolumes: [] + extraVolumes: + - name: config + configMap: + name: default-backend-message-configmap ## Additional volumes to the default backend pod. # - name: copy-portal-skins # emptyDir: {} From 10e3e6f4a3cfbc48c36ec03c07e81abaa5e50da0 Mon Sep 17 00:00:00 2001 From: jjotah Date: Sat, 15 Oct 2022 13:39:52 +0200 Subject: [PATCH 04/20] Update chart.yaml with new changes --- charts/ingress-nginx/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 9cf62ecf9b..793f027df9 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.3.0 -appVersion: 1.4.0 +version: 4.4.0 +appVersion: 1.5.0 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png From 80b5022e3ef0dce8f16d909ff0728368426e08ef Mon Sep 17 00:00:00 2001 
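Review bot: Moving the ConfigMap volume and its mount into the `extraVolumeMounts`/`extraVolumes` defaults repurposes a user extension point: Helm replaces list values rather than merging them, so any user who already sets `defaultBackend.extraVolumeMounts` silently loses the `index.html` mount and the pod serves the image's stock page. The mounts the template needs (this one, and the `nginx-empty`, `nginx-run` and `nginx-conf` entries that patch 13/20 adds the same way) belong in `default-backend-deployment.yaml` unconditionally, leaving `extraVolumeMounts: []` and `extraVolumes: []` free for users. Note also that a `subPath` mount of a ConfigMap key is not refreshed when the ConfigMap changes, so a later change to `defaultBackendMessage` only takes effect once the pod is recreated — worth a comment next to `subPath: index.html`.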
From: jjotah Date: Sat, 15 Oct 2022 13:40:15 +0200 Subject: [PATCH 05/20] Update values.yaml file with the new changes --- charts/ingress-nginx/values.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index d346451617..4b041c5e3c 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -451,11 +451,7 @@ controller: ## appProtocol: true - annotations: - load-balancer.hetzner.cloud/name: test-default-backend - load-balancer.hetzner.cloud/hostname: test-default-backend - load-balancer.hetzner.cloud/network-zone: eu-central - load-balancer.hetzner.cloud/use-private-ip: "true" + annotations: {} labels: {} # clusterIP: "" @@ -783,8 +779,14 @@ defaultBackend: ## repository: pullPolicy: IfNotPresent # nobody user -> uid 65534 + #runAsUser: 65534 + #runAsNonRoot: true + #readOnlyRootFilesystem: true + #allowPrivilegeEscalation: false + - defaultBackendMessage: "Default Backend - 404 LOL" + # Default Backend Message to show + defaultBackendMessage: "Default Backend - 404" # -- Use an existing PSP instead of creating one existingPsp: "" From d9ed1c41af100c0b248716a6b7630bebe8f00ac7 Mon Sep 17 00:00:00 2001 From: jjotah Date: Sat, 15 Oct 2022 13:40:35 +0200 Subject: [PATCH 06/20] Update Changelog due security issue TLS < 1.2 --- charts/ingress-nginx/CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 3c3404ffda..0051389f72 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md 
@@ -2,6 +2,9 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +### 4.4.0 +- Update Default Backend due TLS < 1.2 Security Issue + ### 4.3.0 - Support for Kubernetes v.1.25.0 was added and support for endpoint slices - Support for Kubernetes v1.20.0 was removed From ad869333332280f808824bfc21105879b3d8da05 Mon Sep 17 00:00:00 2001 From: jjotah Date: Sat, 15 Oct 2022 16:19:57 +0200 Subject: [PATCH 07/20] update values with new conf for lint --- charts/ingress-nginx/values.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 4b041c5e3c..c4feb6e635 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -779,12 +779,11 @@ defaultBackend: ## repository: pullPolicy: IfNotPresent # nobody user -> uid 65534 - #runAsUser: 65534 - #runAsNonRoot: true - #readOnlyRootFilesystem: true - #allowPrivilegeEscalation: false + # runAsUser: 65534 + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false - # Default Backend Message to show defaultBackendMessage: "Default Backend - 404" From 794bc39cd150f89347a80f3d849d1b8c9761b600 Mon Sep 17 00:00:00 2001 From: jjotah Date: Sat, 15 Oct 2022 16:45:17 +0200 Subject: [PATCH 08/20] Update README with helm-docs --- charts/ingress-nginx/README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 06db4d991b..c16779cf51 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) +![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -435,20 +435,20 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | -| defaultBackend.enabled | bool | `false` | | +| defaultBackend.defaultBackendMessage | string | `"Default Backend - 404"` | | +| defaultBackend.enabled | bool | `true` | | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | -| defaultBackend.extraVolumeMounts | list | `[]` | | -| defaultBackend.extraVolumes | list | `[]` | | -| defaultBackend.image.allowPrivilegeEscalation | bool | `false` | | -| defaultBackend.image.image | string | `"defaultbackend-amd64"` | | +| defaultBackend.extraVolumeMounts[0].mountPath | string | `"/usr/share/nginx/html/index.html"` | | +| defaultBackend.extraVolumeMounts[0].name | string | `"config"` | | +| defaultBackend.extraVolumeMounts[0].readOnly | bool | `true` | | +| defaultBackend.extraVolumeMounts[0].subPath | string | `"index.html"` | | +| defaultBackend.extraVolumes[0].configMap.name | string | `"default-backend-message-configmap"` | | +| defaultBackend.extraVolumes[0].name | string | `"config"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | -| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | -| defaultBackend.image.registry | string | `"registry.k8s.io"` | | -| defaultBackend.image.runAsNonRoot | bool | `true` | | -| defaultBackend.image.runAsUser | int | `65534` | | -| defaultBackend.image.tag | string | `"1.5"` | | +| defaultBackend.image.repository | string | 
`"nginx"` | | +| defaultBackend.image.tag | string | `"alpine"` | | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.livenessProbe.failureThreshold | int | `3` | | | defaultBackend.livenessProbe.initialDelaySeconds | int | `30` | | @@ -461,7 +461,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | -| defaultBackend.port | int | `8080` | | +| defaultBackend.port | int | `80` | | | defaultBackend.priorityClassName | string | `""` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | | | defaultBackend.readinessProbe.initialDelaySeconds | int | `0` | | From cf4dfe326713c8c22dbf3d8ad866410f3f0909b9 Mon Sep 17 00:00:00 2001 From: jjotah Date: Tue, 18 Oct 2022 13:04:10 +0200 Subject: [PATCH 09/20] Update Chart.yaml file --- charts/ingress-nginx/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 793f027df9..9cf62ecf9b 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 4.4.0 -appVersion: 1.5.0 +version: 4.3.0 +appVersion: 1.4.0 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png 
From cad63128956de3e95c75c7e38eb9abbff946992d Mon Sep 17 00:00:00 2001 From: jjotah Date: Tue, 18 Oct 2022 13:04:26 +0200 Subject: [PATCH 10/20] Update README with helm-docs --- charts/ingress-nginx/README.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index c16779cf51..d16d2ef9da 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square) +![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -444,11 +444,28 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.extraVolumeMounts[0].name | string | `"config"` | | | defaultBackend.extraVolumeMounts[0].readOnly | bool | `true` | | | defaultBackend.extraVolumeMounts[0].subPath | string | `"index.html"` | | +| defaultBackend.extraVolumeMounts[1].mountPath | string | `"/var/cache/nginx/"` | | +| defaultBackend.extraVolumeMounts[1].name | string | `"nginx-empty"` | | +| defaultBackend.extraVolumeMounts[2].mountPath | string | `"/var/run/"` | | +| defaultBackend.extraVolumeMounts[2].name | string | `"nginx-run"` | | +| defaultBackend.extraVolumeMounts[3].mountPath | string | `"/etc/nginx/conf.d/default.conf"` | | +| defaultBackend.extraVolumeMounts[3].name | string | `"nginx-conf"` | | +| defaultBackend.extraVolumeMounts[3].subPath | string | `"default.conf"` | | | defaultBackend.extraVolumes[0].configMap.name | string | `"default-backend-message-configmap"` | | | defaultBackend.extraVolumes[0].name | string | `"config"` | | +| defaultBackend.extraVolumes[1].emptyDir | object | `{}` | | +| defaultBackend.extraVolumes[1].name | string | `"nginx-empty"` | | +| defaultBackend.extraVolumes[2].emptyDir | object | `{}` | | +| defaultBackend.extraVolumes[2].name | string | `"nginx-run"` | | +| defaultBackend.extraVolumes[3].configMap.name | string | `"default-backend-nginx-conf-configmap"` | | +| defaultBackend.extraVolumes[3].name | string | `"nginx-conf"` | | +| defaultBackend.image.allowPrivilegeEscalation | bool | `false` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | +| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | | defaultBackend.image.repository | string | `"nginx"` | | -| defaultBackend.image.tag | string | `"alpine"` | | +| defaultBackend.image.runAsNonRoot | bool | `true` | | +| defaultBackend.image.runAsUser | int | `65534` | | +| defaultBackend.image.tag | string | `"1.23.1-alpine"` | | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend 
resources | | defaultBackend.livenessProbe.failureThreshold | int | `3` | | | defaultBackend.livenessProbe.initialDelaySeconds | int | `30` | | @@ -461,7 +478,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | -| defaultBackend.port | int | `80` | | +| defaultBackend.port | int | `8080` | | | defaultBackend.priorityClassName | string | `""` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | | | defaultBackend.readinessProbe.initialDelaySeconds | int | `0` | | From 57abe3d4d0c17bcf41936967b9484d641a8a7258 Mon Sep 17 00:00:00 2001 From: jjotah Date: Tue, 18 Oct 2022 13:05:09 +0200 Subject: [PATCH 11/20] Updating default-backend-deployment to make it sure in security terms --- charts/ingress-nginx/templates/default-backend-deployment.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index 1a84ea0a6f..491c63af41 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -61,6 +61,9 @@ spec: {{- end }} {{- end }} securityContext: + capabilities: + drop: + - ALL runAsUser: {{ .Values.defaultBackend.image.runAsUser }} runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} From 343fee0f7b01ea78159d648f13f437025ae62d07 Mon Sep 17 00:00:00 2001 
From: jjotah Date: Tue, 18 Oct 2022 13:05:55 +0200 Subject: [PATCH 12/20] Update default-backend-service with new non-root port --- charts/ingress-nginx/templates/default-backend-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml index 5f1d09a954..e758af004e 100644 --- a/charts/ingress-nginx/templates/default-backend-service.yaml +++ b/charts/ingress-nginx/templates/default-backend-service.yaml @@ -31,7 +31,7 @@ spec: - name: http port: {{ .Values.defaultBackend.service.servicePort }} protocol: TCP - targetPort: http + targetPort: {{ .Values.defaultBackend.port }} {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} appProtocol: http {{- end }} From a790354aeec9060bfad9a462e778712fbf866e19 Mon Sep 17 00:00:00 2001 From: jjotah Date: Tue, 18 Oct 2022 13:06:09 +0200 Subject: [PATCH 13/20] Update default values file --- charts/ingress-nginx/values.yaml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index c4feb6e635..252e423b05 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
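Review bot: Replacing `targetPort: http` with `targetPort: {{ .Values.defaultBackend.port }}` drops the indirection through the container's named port; if the deployment template still names its containerPort `http` (not visible in this series), the named form already followed `defaultBackend.port` and this change is unnecessary, while the numeric form has to be kept in sync by hand. If the container port is not named, naming it `http` in the deployment would be the smaller and more conventional change. The surrounding `ports:` entry starts outside the hunk.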
@@ -773,16 +773,16 @@ defaultBackend: name: defaultbackend image: repository: nginx - tag: alpine + tag: 1.23.1-alpine ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: pullPolicy: IfNotPresent # nobody user -> uid 65534 - # runAsUser: 65534 - # runAsNonRoot: true - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false # Default Backend Message to show defaultBackendMessage: "Default Backend - 404" @@ -799,7 +799,8 @@ defaultBackend: # -- Additional environment variables to set for defaultBackend pods extraEnvs: [] - port: 80 + # Port to Open in the Default Backend Container > 1000 (NON ROOT PORT) + port: 8080 ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ @@ -870,6 +871,15 @@ defaultBackend: mountPath: "/usr/share/nginx/html/index.html" subPath: index.html readOnly: true + - mountPath: /var/cache/nginx/ + name: nginx-empty + - mountPath: /var/run/ + name: nginx-run + - name: nginx-conf + mountPath: "/etc/nginx/conf.d/default.conf" + subPath: default.conf + + ## Additional volumeMounts to the default backend container. # - name: copy-portal-skins # mountPath: /var/lib/lemonldap-ng/portal/skins @@ -878,6 +888,14 @@ defaultBackend: - name: config configMap: name: default-backend-message-configmap + - name: nginx-empty + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-conf + configMap: + name: default-backend-nginx-conf-configmap + ## Additional volumes to the default backend pod. # - name: copy-portal-skins # emptyDir: {} From 6f5782f499973769aa4a62e2aa3024b85d6877fc Mon Sep 17 00:00:00 2001 
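Review bot: The comment on the restored port, `# Port to Open in the Default Backend Container > 1000 (NON ROOT PORT)`, states the wrong threshold — ports below 1024 are privileged, so 1000–1023 would still fail for uid 65534; suggest `# Container port; must be >= 1024 so the non-root (65534) nginx process can bind it`. Pinning `tag: 1.23.1-alpine` and restoring the four securityContext values is the right direction, but the `nginx-empty`/`nginx-run` emptyDir mounts that make `readOnlyRootFilesystem: true` workable (presumably the cache and pid paths nginx writes to) are again placed in the user-facing `extraVolumeMounts`/`extraVolumes` lists, where a user override removes them and the container stops starting. Mixed quoting of `mountPath` within one list (`"/usr/share/nginx/html/index.html"` next to `/var/cache/nginx/`) is a style nit; pick one form.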
From: jjotah Date: Tue, 18 Oct 2022 13:07:21 +0200 Subject: [PATCH 14/20] Add new conf for non-root user in default-backend pod --- .../default-backend-configmap-nginxconf.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 charts/ingress-nginx/templates/default-backend-configmap-nginxconf.yaml diff --git a/charts/ingress-nginx/templates/default-backend-configmap-nginxconf.yaml b/charts/ingress-nginx/templates/default-backend-configmap-nginxconf.yaml new file mode 100644 index 0000000000..49c57afab0 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-configmap-nginxconf.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +data: + default.conf: | + server { + listen {{ .Values.defaultBackend.port }}; + listen [::]:{{ .Values.defaultBackend.port }}; + server_name localhost; + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +kind: ConfigMap +metadata: + name: default-backend-nginx-conf-configmap From 13af0ccc2b023e51ff2bcac0a066231ef6ebc263 Mon Sep 17 00:00:00 2001 From: jjotah Date: Tue, 18 Oct 2022 13:23:26 +0200 Subject: [PATCH 15/20] Update default values.yaml file --- charts/ingress-nginx/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 252e423b05..56e410631b 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -878,7 +878,6 @@ defaultBackend: - name: nginx-conf mountPath: "/etc/nginx/conf.d/default.conf" subPath: default.conf - ## Additional volumeMounts to the default backend container. # - name: copy-portal-skins From 65847da52808822180dff24fbfa9eaf8e7367c1a Mon Sep 17 00:00:00 2001 
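Review bot: With this `default.conf`, only a request for `/` reaches the custom `index.html`; the ingress controller forwards the original request path to the default backend, so a request for any other path gets nginx's built-in 404 page (which also advertises the nginx version) rather than `defaultBackendMessage`. Adding `error_page 404 /index.html;` inside the `server` block serves the custom page with a 404 status for every unmatched path, and `server_tokens off;` stops the version from being echoed in the `Server` header and error pages. The ConfigMap's metadata is also thinner than the one from patch 01/20: no `namespace: {{ .Release.Namespace }}`, no `{{- include "ingress-nginx.labels" . | nindent 4 }}` and no `enabled` guard, so it is rendered even when `defaultBackend.enabled` is false.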
From: jjotah Date: Wed, 19 Oct 2022 19:47:59 +0200 Subject: [PATCH 16/20] Update changelog because is not needed by release notes --- charts/ingress-nginx/CHANGELOG.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 0051389f72..3c3404ffda 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md @@ -2,9 +2,6 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### 4.4.0 -- Update Default Backend due TLS < 1.2 Security Issue - ### 4.3.0 - Support for Kubernetes v.1.25.0 was added and support for endpoint slices - Support for Kubernetes v1.20.0 was removed From 5dce39105591fb467f57c7cdb0752742c8bc9793 Mon Sep 17 00:00:00 2001 From: jjotah Date: Wed, 19 Oct 2022 19:48:40 +0200 Subject: [PATCH 17/20] Use same version that were using for ingress --- charts/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 56e410631b..c196071738 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -773,7 +773,7 @@ defaultBackend: name: defaultbackend image: repository: nginx - tag: 1.23.1-alpine + tag: 1.19.10-alpine ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: From bec234e69235c724d072c47576879b7355d5e6a1 Mon Sep 17 00:00:00 2001 From: jjotah Date: Wed, 19 Oct 2022 19:54:32 +0200 Subject: [PATCH 18/20] Update README due nginx version --- charts/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
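Review bot: Moving `tag` from `1.23.1-alpine` back to `1.19.10-alpine` pins the default backend to an nginx mainline line that was no longer maintained at the time of this series, so the public image will not pick up security fixes. The stated rationale — matching the nginx version used by the ingress controller — does not transfer, because the controller image is, as far as I can tell, built from its own nginx tree while this pod pulls the stock `nginx` image from the public registry. Keep `1.23.1-alpine` (or the current stable) and record in a comment next to `tag:` that the two nginx versions are independent; patch 18/20 mirrors this value into the README and should move with it.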
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index d16d2ef9da..0d54f5e4ae 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -465,7 +465,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.image.repository | string | `"nginx"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | -| defaultBackend.image.tag | string | `"1.23.1-alpine"` | | +| defaultBackend.image.tag | string | `"1.19.10-alpine"` | | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.livenessProbe.failureThreshold | int | `3` | | | defaultBackend.livenessProbe.initialDelaySeconds | int | `30` | | From 67d528384a2a7e939cb08a6a5c5eec73a4135fe7 Mon Sep 17 00:00:00 2001 From: jjotah Date: Wed, 19 Oct 2022 21:48:21 +0200 Subject: [PATCH 19/20] Set as false the DefaultBackend by default --- charts/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index c196071738..47c25990d4 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -768,7 +768,7 @@ revisionHistoryLimit: 10 ## defaultBackend: ## - enabled: true + enabled: false name: defaultbackend image: From 687e5ffe3ca9730d1cb911d29aebb7067b4faf7a Mon Sep 17 00:00:00 2001 From: jjotah Date: Wed, 19 Oct 2022 22:02:16 +0200 Subject: [PATCH 20/20] Update README due values defaultBackend to false --- charts/ingress-nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 0d54f5e4ae..c9237b10a1 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -436,7 +436,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.defaultBackendMessage | string | `"Default Backend - 404"` | | -| defaultBackend.enabled | bool | `true` | | +| defaultBackend.enabled | bool | `false` | | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |