
Add seccompProfile to securityContext #7190

Open
atombrella opened this issue Jan 22, 2025 · 4 comments
Labels
proposal An issue that proposes a feature request

Comments

@atombrella

Is your feature request related to a problem? Please describe.

I think it'd be nice to have this as a default under securityContext for the nginx Deployment resource.

seccompProfile:
  type: RuntimeDefault

https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads

Docker has a list of syscalls that are banned with this: https://docs.docker.com/engine/security/seccomp/
The corresponding capability is listed. Note that one of them is "NET_BIND_SERVICE", which is the only one that really appears needed for nginx.

We have currently set this under our deployment. If you use a managed Kubernetes cluster (AWS, Azure, Google or something else), it may be difficult or undesired to create custom, more elaborate profiles.

There is a bit more motivation here.
https://www.stigviewer.com/stig/mirantis_kubernetes_engine/2024-06-17/finding/V-260937

https://www.aquasec.com/products/trivy/ This tool will report this as a shortcoming. There is a free/open version of the tool that can be used.

@atombrella atombrella added the proposal An issue that proposes a feature request label Jan 22, 2025

Hi @atombrella thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@atombrella
Author

On a semi-related note, runAsGroup: 101 #nginx would also be a nice default to include.

@vepatel
Contributor

vepatel commented Jan 22, 2025

Hi @atombrella, thanks for this issue.
Re NET_BIND_SERVICE, please see https://github.com/nginx/kubernetes-ingress/blob/main/charts/nginx-ingress/templates/controller-deployment.yaml#L105-L118.
Users are free to override securityContext using the values file; also, seccompProfile defaults to RuntimeDefault in podSecurityContext.

@atombrella
Author

We have added this in our values file. It's meant as a suggestion, as I don't know how many people would actively set this value.
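As an added example (not code from this issue or from the nginx/kubernetes-ingress project), a small Python audit that applies the checks discussed in the issue body, using the pod-level seccompProfile default that vepatel mentions as the fallback when a container sets none, to a constructed Deployment in the shape `kubectl get deploy -o json` returns; the sample manifest and container names are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get deploy nginx -o json` output.
# Pod-level securityContext sets RuntimeDefault; the sidecar opts out with Unconfined.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "nginx"},
 "spec": {"template": {"spec": {
   "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [
     {"name": "nginx",
      "securityContext": {"runAsGroup": 101,
                          "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
     {"name": "sidecar",
      "securityContext": {"seccompProfile": {"type": "Unconfined"}}}
   ]}}}}
""")

ALLOWED_CAPS = {"NET_BIND_SERVICE"}  # the only capability the issue says nginx really needs

def effective_seccomp(pod_sc, container_sc):
    """A container-level seccompProfile overrides the pod-level one; None if neither is set."""
    for sc in (container_sc, pod_sc):
        profile = (sc or {}).get("seccompProfile")
        if profile:
            return profile.get("type")
    return None

def audit_deployment(deploy):
    """Return (container, finding) pairs for the settings discussed in the issue."""
    pod_spec = deploy["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        seccomp = effective_seccomp(pod_sc, sc)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append((c["name"], f"seccompProfile is {seccomp or 'unset'}; expected RuntimeDefault"))
        extra = set((sc.get("capabilities") or {}).get("add") or []) - ALLOWED_CAPS
        if extra:
            findings.append((c["name"], f"adds capabilities beyond NET_BIND_SERVICE: {sorted(extra)}"))
        if sc.get("runAsGroup", pod_sc.get("runAsGroup")) is None:
            findings.append((c["name"], "runAsGroup not set (the issue suggests 101 for nginx)"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{name}: {finding}")
```

Piping real output in (`kubectl get deploy -o json` yields a List whose `items` hold Deployments) is a one-line loop over `audit_deployment`.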
