Merge branch 'main' into chore/remove_omitted_comment

tataruty · web-flow · commit fb037d4e0866 · 2025-07-02T09:27:52.000+01:00
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
@@ -16,15 +16,10 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk
     printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache libcap bash \
+RUN apk add --no-cache bash \
     && mkdir -p /usr/lib/nginx/modules \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     # Update packages for CVE-2025-32414 and CVE-2025-32415
     && apk --no-cache upgrade libxml2 \
-    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus
@@ -22,13 +22,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache libcap bash \
+RUN apk add --no-cache bash \
     && mkdir -p /usr/lib/nginx/modules \
-	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -44,6 +44,7 @@ metadata:
   name: {{ include "nginx-gateway.scc-name" . }}-nginx
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
+allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -69,8 +70,6 @@ seLinuxContext:
   type: MustRunAs
 seccompProfiles:
 - runtime/default
-allowedCapabilities:
-- NET_BIND_SERVICE
 requiredDropCapabilities:
 - ALL
 volumes:
diff --git a/charts/nginx-gateway-fabric/templates/serviceaccount.yaml b/charts/nginx-gateway-fabric/templates/serviceaccount.yaml
@@ -7,6 +7,7 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     {{- toYaml .Values.nginxGateway.serviceAccount.annotations | nindent 4 }}
+automountServiceAccountToken: false
 {{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
   {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -273,6 +274,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
@@ -527,9 +529,8 @@ allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
+allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
-allowedCapabilities:
-- NET_BIND_SERVICE
 apiVersion: security.openshift.io/v1
 fsGroup:
   ranges:
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go
@@ -117,7 +117,8 @@ func (p *NginxProvisioner) buildNginxResourceObjects(
 	)
 
 	serviceAccount := &corev1.ServiceAccount{
-		ObjectMeta: objectMeta,
+		ObjectMeta:                   objectMeta,
+		AutomountServiceAccountToken: helpers.GetPointer(false),
 	}
 
 	var openshiftObjs []client.Object
@@ -608,15 +609,16 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 			Annotations: podAnnotations,
 		},
 		Spec: corev1.PodSpec{
+			AutomountServiceAccountToken: helpers.GetPointer(true),
 			Containers: []corev1.Container{
 				{
 					Name:            "nginx",
 					Image:           image,
 					ImagePullPolicy: pullPolicy,
 					Ports:           containerPorts,
 					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: helpers.GetPointer(false),
 						Capabilities: &corev1.Capabilities{
-							Add:  []corev1.Capability{"NET_BIND_SERVICE"},
 							Drop: []corev1.Capability{"ALL"},
 						},
 						ReadOnlyRootFilesystem: helpers.GetPointer(true),
@@ -689,6 +691,12 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 			SecurityContext: &corev1.PodSecurityContext{
 				FSGroup:      helpers.GetPointer[int64](1001),
 				RunAsNonRoot: helpers.GetPointer(true),
+				Sysctls: []corev1.Sysctl{
+					{
+						Name:  "net.ipv4.ip_unprivileged_port_start",
+						Value: "0",
+					},
+				},
 			},
 			Volumes: []corev1.Volume{
 				{
