fix: make nginx able to run as non-root and on a read-only filesystem

wearefrank · Jul 4, 2023 · 70f0690 · 70f0690
1 parent f98eac7
commit 70f0690
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 4 deletions.
diff --git a/charts/zaakbrug/templates/NOTES.txt b/charts/zaakbrug/templates/NOTES.txt
@@ -5,6 +5,11 @@
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
   {{- end }}
 {{- end }}
+{{- range $host := .Values.staging.apiProxy.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "zaakbrug.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")

diff --git a/charts/zaakbrug/templates/configmap-nginx.yaml b/charts/zaakbrug/templates/configmap-nginx.yaml
@@ -13,6 +13,7 @@ data:
       location / {
         proxy_pass http://{{ include "zaakbrug.fullname" . }}:{{ .Values.service.port }}/api/;
         proxy_buffering off;
+        proxy_http_version 1.1;
       }
       location /_health/ {
         access_log off;

diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml
@@ -191,6 +191,7 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: nginx
+          command: [ "/bin/bash", "-c", "nginx -g 'daemon off;'" ]
           securityContext:
             {{- toYaml .Values.staging.apiProxy.securityContext | nindent 12 }}
           image: "{{ .Values.staging.apiProxy.image.repository }}:{{ .Values.staging.apiProxy.image.tag }}"
@@ -206,11 +207,19 @@ spec:
             {{- toYaml .Values.staging.apiProxy.resources | nindent 12 }}
           volumeMounts:
             - name: nginx-config
-              mountPath: /etc/nginx/conf.d/
+              mountPath: /etc/nginx/conf.d
+            {{- if .Values.staging.apiProxy.securityContext.readOnlyRootFilesystem }}
+            - mountPath: /tmp
+              name: tmpfs
+            {{- end }}
       volumes:
         - name: nginx-config
           configMap:
             name: {{ if .Values.staging.apiProxy.existingConfigmap }}{{ .Values.staging.apiProxy.existingConfigmap  }}{{- else }}{{ include "zaakbrug.nginxFullname" . }}{{- end }}
+        {{- if .Values.staging.apiProxy.securityContext.readOnlyRootFilesystem }}
+        - name: tmpfs
+          emptyDir: {}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml
@@ -244,10 +244,14 @@ staging:
       enabled: false
     replicaCount: 1
     podLabels: {}
-    securityContext: {}
+    securityContext:
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
     image:
-      repository: nginx
-      tag: latest
+      repository: nginxinc/nginx-unprivileged
+      tag: stable
       pullPolicy: IfNotPresent
     resources: {}
     existingConfigmap: ''