OCI images for NGINX Ingress Controller built using rockcraft.
Images are meant to be drop-in replacements for the following upstream images:
- registry.k8s.io/ingress-nginx/controller
- registry.k8s.io/ingress-nginx/kube-webhook-certgen
## controller

The controller rock must be run as root, for two reasons. First, the rock has to run `ldconfig` on startup to register some dynamic libraries (this is handled automatically by an entrypoint script, but it needs a writable root filesystem). Second, rockcraft is not currently able to preserve file capabilities stored in extended attributes (see canonical/rockcraft#683), so the `setcap`-based setup the upstream image uses to bind ports 80 and 443 as an unprivileged user is not available in the rock.
To use it with the upstream Helm chart (or a similar setup), set the security context as follows. Note that in current chart versions the `controller.image.*` security values are ignored once `controller.containerSecurityContext` is set, so the `--set-json` value is what actually reaches the controller pod (the individual settings are listed for clarity and for older chart versions), and `--set-json` needs Helm 3.10 or newer:
```sh
# Required security context for the controller rock. Of special note is
# `capabilities: null`: it replaces the chart's default `drop: ALL` /
# `add: NET_BIND_SERVICE` block instead of merging with it.
#
# readOnlyRootFilesystem=false on the two admission-webhook jobs is required
# by the `kube-webhook-certgen` rock, as Pebble writes to '/var/lib/pebble'.
#
# Comments cannot sit between backslash-continued lines, so they are kept up
# here. The chart reference assumes the upstream repository was added under
# the name `ingress-nginx`; the controller.image.* registry/image/tag values
# that point the chart at the rock itself are not shown.
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.image.runAsUser=0 \
  --set controller.image.runAsGroup=0 \
  --set controller.image.runAsNonRoot=false \
  --set controller.image.readOnlyRootFilesystem=false \
  --set controller.admissionWebhooks.createSecretJob.securityContext.readOnlyRootFilesystem=false \
  --set controller.admissionWebhooks.patchWebhookJob.securityContext.readOnlyRootFilesystem=false \
  --set-json controller.containerSecurityContext='{"runAsNonRoot":false,"runAsUser":0,"runAsGroup":0,"allowPrivilegeEscalation":false,"capabilities":null,"readOnlyRootFilesystem":false}'
```
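The `--set-json` line above is easy to get wrong through shell quoting, and nothing in the Helm output tells you whether the pod really ended up with the context the rock needs. The following is an added example, not code from the rock or from the upstream ingress-nginx chart: it builds the same values as a JSON values file (Helm accepts JSON with `-f`, since YAML is a superset of JSON) and checks a Pod object from `kubectl get pod NAME -o json` against the rock's requirements. It assumes the upstream chart's layout: the controller container is named `controller`, and `controller.containerSecurityContext` is emitted verbatim and overrides the `controller.image.*` security values. The two sample pods are constructed for the example.

```python
"""Generate the Helm values the controller rock needs and verify that a
deployed controller pod actually received them.

Added example; assumes the upstream ingress-nginx chart layout (container
named "controller", controller.containerSecurityContext emitted verbatim)."""
import json

# Exact container security context required for the controller rock.
# None serialises as null, which is what `capabilities: null` means: the
# chart's default `drop: ALL` / `add: NET_BIND_SERVICE` block is replaced,
# not merged.
CONTROLLER_SECURITY_CONTEXT = {
    "runAsNonRoot": False,
    "runAsUser": 0,
    "runAsGroup": 0,
    "allowPrivilegeEscalation": False,
    "capabilities": None,
    "readOnlyRootFilesystem": False,
}


def rock_values():
    """Values tree equivalent to the README's --set/--set-json flags."""
    return {
        "controller": {
            "image": {
                "runAsUser": 0,
                "runAsGroup": 0,
                "runAsNonRoot": False,
                "readOnlyRootFilesystem": False,
            },
            "containerSecurityContext": dict(CONTROLLER_SECURITY_CONTEXT),
            "admissionWebhooks": {
                # kube-webhook-certgen rock: Pebble writes to /var/lib/pebble.
                "createSecretJob": {"securityContext": {"readOnlyRootFilesystem": False}},
                "patchWebhookJob": {"securityContext": {"readOnlyRootFilesystem": False}},
            },
        }
    }


def write_values_file(path):
    """Write rock_values() as a JSON values file for `helm install -f PATH`."""
    with open(path, "w") as fh:
        json.dump(rock_values(), fh, indent=2)


def check_controller_pod(pod):
    """Check one Pod object (as returned by `kubectl get pod NAME -o json`).

    Returns {field: problem}; an empty dict means the rock's requirements are met.
    The API server drops null fields, so a correct pod simply has no
    `capabilities` key, which is accepted here."""
    problems = {}
    ctl = next((c for c in pod["spec"]["containers"] if c["name"] == "controller"), None)
    if ctl is None:
        return {"containers": "no container named 'controller'"}
    sc = ctl.get("securityContext") or {}
    if sc.get("runAsUser") != 0:
        problems["runAsUser"] = f"{sc.get('runAsUser')!r}; the rock must run as uid 0"
    if sc.get("runAsGroup") != 0:
        problems["runAsGroup"] = f"{sc.get('runAsGroup')!r}; the rock must run as gid 0"
    if sc.get("runAsNonRoot"):
        # runAsNonRoot=true with uid 0 never starts: the kubelet rejects the
        # container at creation time with a "breaks non-root policy" error.
        problems["runAsNonRoot"] = "true; the kubelet refuses to start a uid-0 container with this set"
    if sc.get("readOnlyRootFilesystem"):
        problems["readOnlyRootFilesystem"] = "true; the entrypoint's ldconfig needs a writable root"
    if sc.get("capabilities"):  # absent or null are both fine
        problems["capabilities"] = f"{sc['capabilities']!r}; the rock needs capabilities: null"
    if sc.get("allowPrivilegeEscalation") is not False:
        problems["allowPrivilegeEscalation"] = "not false; keep no_new_privs set even for a root process"
    return problems


# Constructed sample pods, trimmed to the fields that matter. CHART_DEFAULT_POD
# mirrors what the upstream chart emits when containerSecurityContext is unset;
# ROCK_POD is what the README's settings produce.
CHART_DEFAULT_POD = {
    "kind": "Pod",
    "spec": {"containers": [{"name": "controller", "securityContext": {
        "runAsNonRoot": True, "runAsUser": 101, "runAsGroup": 82,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        "readOnlyRootFilesystem": False}}]},
}
ROCK_POD = {
    "kind": "Pod",
    "spec": {"containers": [{"name": "controller",
                             "securityContext": dict(CONTROLLER_SECURITY_CONTEXT)}]},
}

if __name__ == "__main__":
    print(json.dumps(rock_values(), indent=2))
    print("chart defaults:", check_controller_pod(CHART_DEFAULT_POD))
    print("rock settings:", check_controller_pod(ROCK_POD))
```

Run `write_values_file("rock-values.json")` once and pass the file with `helm install ingress-nginx ingress-nginx/ingress-nginx -f rock-values.json` to avoid the quoting problem entirely; after the rollout, feed `kubectl get pod NAME -o json` into `check_controller_pod` to confirm the pod carries the context the rock needs rather than the chart's defaults.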