CP/DP Split: Openshift support (#3278)

Problem: Now that we have additional pods in the new architecture, we need the proper SecurityContextConstraints for running in Openshift.

Solution: Create an SCC for the cert-generator and an SCC for nginx data plane pods on startup. A Role and RoleBinding are created when deploying nginx to link to the SCC.

Author: sjberman

charts/nginx-gateway-fabric/README.md

@@ -115,12 +115,6 @@ To use a NodePort Service instead:
 helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginx.service.type=NodePort
 ```
 
-To disable the creation of a Service:
-
-```shell
-helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginx.service.create=false
-```
-
 ## Upgrading the Chart
 
 > [!NOTE]

charts/nginx-gateway-fabric/README.md.gotmpl

@@ -113,12 +113,6 @@ To use a NodePort Service instead:
 helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginx.service.type=NodePort
 ```
 
-To disable the creation of a Service:
-
-```shell
-helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginx.service.create=false
-```
-
 ## Upgrading the Chart
 
 > [!NOTE]

charts/nginx-gateway-fabric/templates/certs-job.yaml

@@ -56,6 +56,50 @@ subjects:
   name: {{ include "nginx-gateway.fullname" . }}-cert-generator
   namespace: {{ .Release.Namespace }}
 ---
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: {{ include "nginx-gateway.scc-name" . }}-cert-generator
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-weight": "-1"
+    "helm.sh/hook": pre-install
+allowPrivilegeEscalation: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 101
+  uidRangeMax: 101
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+users:
+- {{ printf "system:serviceaccount:%s:%s-cert-generator" .Release.Namespace (include "nginx-gateway.fullname" .) }}
+requiredDropCapabilities:
+- ALL
+volumes:
+- projected
+---
+{{- end }}
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/nginx-gateway-fabric/templates/clusterrole.yaml

@@ -150,8 +150,19 @@ rules:
   - securitycontextconstraints
   resourceNames:
   - {{ include "nginx-gateway.scc-name" . }}
+  - {{ include "nginx-gateway.scc-name" . }}-nginx
   verbs:
   - use
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
   - create
+  - update
+  - delete
+  - list
+  - get
   - watch
 {{- end }}

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -93,6 +93,9 @@ spec:
         {{- if .Values.nginxGateway.snippetsFilters.enable }}
         - --snippets-filters
         {{- end }}
+        {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+        - --nginx-scc={{ include "nginx-gateway.scc-name" . }}-nginx
+        {{- end}}
         env:
         - name: POD_NAMESPACE
           valueFrom:

charts/nginx-gateway-fabric/templates/scc.yaml

@@ -1,9 +1,10 @@
-# TODO(sberman): will need an SCC for nginx ServiceAccounts as well.
 {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
   name: {{ include "nginx-gateway.scc-name" . }}
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
 allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
@@ -36,4 +37,45 @@ requiredDropCapabilities:
 - ALL
 volumes:
 - secret
+---
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: {{ include "nginx-gateway.scc-name" . }}-nginx
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 101
+  uidRangeMax: 101
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+allowedCapabilities:
+- NET_BIND_SERVICE
+requiredDropCapabilities:
+- ALL
+volumes:
+- emptyDir
+- secret
+- configMap
+- projected
 {{- end }}

cmd/gateway/commands.go

@@ -81,6 +81,7 @@ func createControllerCommand() *cobra.Command {
 		usageReportClientSSLSecretFlag = "usage-report-client-ssl-secret" //nolint:gosec // not credentials
 		usageReportCASecretFlag        = "usage-report-ca-secret"         //nolint:gosec // not credentials
 		snippetsFiltersFlag            = "snippets-filters"
+		nginxSCCFlag                   = "nginx-scc"
 	)
 
 	// flag values
@@ -105,6 +106,9 @@ func createControllerCommand() *cobra.Command {
 			validator: validateResourceName,
 			value:     agentTLSSecret,
 		}
+		nginxSCCName = stringValidatingValue{
+			validator: validateResourceName,
+		}
 		disableMetrics    bool
 		metricsSecure     bool
 		metricsListenPort = intValidatingValue{
@@ -264,6 +268,7 @@ func createControllerCommand() *cobra.Command {
 				SnippetsFilters:        snippetsFilters,
 				NginxDockerSecretNames: nginxDockerSecrets.values,
 				AgentTLSSecretName:     agentTLSSecretName.value,
+				NGINXSCCName:           nginxSCCName.value,
 			}
 
 			if err := static.StartManager(conf); err != nil {
@@ -457,6 +462,13 @@ func createControllerCommand() *cobra.Command {
 			"generated NGINX config for HTTPRoute and GRPCRoute resources.",
 	)
 
+	cmd.Flags().Var(
+		&nginxSCCName,
+		nginxSCCFlag,
+		`The name of the SecurityContextConstraints to be used with the NGINX data plane Pods.`+
+			` Only applicable in OpenShift.`,
+	)
+
 	return cmd
 }
 

cmd/gateway/commands_test.go

@@ -158,6 +158,7 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 				"--usage-report-ca-secret=ca-secret",
 				"--usage-report-client-ssl-secret=client-secret",
 				"--snippets-filters",
+				"--nginx-scc=nginx-sscc-name",
 			},
 			wantErr: false,
 		},
@@ -445,6 +446,22 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "nginx-scc is set to empty string",
+			args: []string{
+				"--nginx-scc=",
+			},
+			wantErr:           true,
+			expectedErrPrefix: `invalid argument "" for "--nginx-scc" flag: must be set`,
+		},
+		{
+			name: "nginx-scc is invalid",
+			args: []string{
+				"--nginx-scc=!@#$",
+			},
+			wantErr:           true,
+			expectedErrPrefix: `invalid argument "!@#$" for "--nginx-scc" flag: invalid format: `,
+		},
 	}
 
 	// common flags validation is tested separately

deploy/openshift/deploy.yaml

@@ -175,11 +175,22 @@ rules:
   - security.openshift.io
   resourceNames:
   - nginx-gateway-scc
+  - nginx-gateway-scc-nginx
   resources:
   - securitycontextconstraints
   verbs:
   - use
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
   - create
+  - update
+  - delete
+  - list
+  - get
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -272,6 +283,7 @@ spec:
         - --metrics-port=9113
         - --health-port=8081
         - --leader-election-lock-name=nginx-gateway-leader-election
+        - --nginx-scc=nginx-gateway-scc-nginx
         env:
         - name: POD_NAMESPACE
           valueFrom:
@@ -442,6 +454,10 @@ fsGroup:
   type: MustRunAs
 kind: SecurityContextConstraints
 metadata:
+  labels:
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/version: edge
   name: nginx-gateway-scc
 readOnlyRootFilesystem: true
 requiredDropCapabilities:
@@ -463,3 +479,87 @@ users:
 - system:serviceaccount:nginx-gateway:nginx-gateway
 volumes:
 - secret
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+apiVersion: security.openshift.io/v1
+fsGroup:
+  ranges:
+  - max: 1001
+    min: 1001
+  type: MustRunAs
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/version: edge
+  name: nginx-gateway-scc-cert-generator
+readOnlyRootFilesystem: true
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMax: 101
+  uidRangeMin: 101
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  ranges:
+  - max: 1001
+    min: 1001
+  type: MustRunAs
+users:
+- system:serviceaccount:nginx-gateway:nginx-gateway-cert-generator
+volumes:
+- projected
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+apiVersion: security.openshift.io/v1
+fsGroup:
+  ranges:
+  - max: 1001
+    min: 1001
+  type: MustRunAs
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/version: edge
+  name: nginx-gateway-scc-nginx
+readOnlyRootFilesystem: true
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMax: 101
+  uidRangeMin: 101
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  ranges:
+  - max: 1001
+    min: 1001
+  type: MustRunAs
+volumes:
+- emptyDir
+- secret
+- configMap
+- projected

internal/mode/static/config/config.go

@@ -34,6 +34,8 @@ type Config struct {
 	GatewayClassName string
 	// AgentTLSSecretName is the name of the TLS Secret used by NGINX Agent to communicate with the control plane.
 	AgentTLSSecretName string
+	// NGINXSCCName is the name of the SecurityContextConstraints for the NGINX Pods. Only applicable in OpenShift.
+	NGINXSCCName string
 	// NginxDockerSecretNames are the names of any Docker registry Secrets for the NGINX container.
 	NginxDockerSecretNames []string
 	// LeaderElection contains the configuration for leader election.

internal/mode/static/manager.go

@@ -14,6 +14,7 @@ import (
 	authv1 "k8s.io/api/authentication/v1"
 	apiv1 "k8s.io/api/core/v1"
 	discoveryV1 "k8s.io/api/discovery/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -93,6 +94,7 @@ func init() {
 	utilruntime.Must(apiext.AddToScheme(scheme))
 	utilruntime.Must(appsv1.AddToScheme(scheme))
 	utilruntime.Must(authv1.AddToScheme(scheme))
+	utilruntime.Must(rbacv1.AddToScheme(scheme))
 }
 
 func StartManager(cfg config.Config) error {
@@ -216,6 +218,7 @@ func StartManager(cfg config.Config) error {
 			GatewayPodConfig:       &cfg.GatewayPodConfig,
 			GCName:                 cfg.GatewayClassName,
 			AgentTLSSecretName:     cfg.AgentTLSSecretName,
+			NGINXSCCName:           cfg.NGINXSCCName,
 			Plus:                   cfg.Plus,
 			NginxDockerSecretNames: cfg.NginxDockerSecretNames,
 			PlusUsageConfig:        &cfg.UsageReportConfig,