Allow for configurable securityContext (#1063)

sjberman · web-flow · commit 2ca026e3f344 · 2023-09-18T11:24:32.000-06:00
Problem: In at least one environment it has been found that the control plane does not have permissions to reload nginx, requiring allowPrivilegeEscalation to be true.

Solution: Keep the same default, but allow this field to be configurable. Added a troubleshooting guide for this issue.
diff --git a/README.md b/README.md
@@ -107,6 +107,10 @@ can run the following command:
 docker buildx imagetools inspect ghcr.io/nginxinc/nginx-kubernetes-gateway:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype
 ```
 
+## Troubleshooting
+
+For troubleshooting help, see the [Troubleshooting](/docs/troubleshooting.md) document.
+
 ## Contacts
 
 We’d like to hear your feedback! If you experience issues with our Gateway Controller, please [open a bug][bug] in
diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml
@@ -72,7 +72,7 @@ spec:
           periodSeconds: 1
         {{- end }}
         securityContext:
-          allowPrivilegeEscalation: false
+          allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
           capabilities:
             add:
             - KILL
diff --git a/deploy/helm-chart/values.yaml b/deploy/helm-chart/values.yaml
@@ -30,6 +30,10 @@ nginxGateway:
     tag: edge
     pullPolicy: Always
 
+  securityContext:
+    ## Some environments may need this set to true in order for the control plane to successfully reload NGINX.
+    allowPrivilegeEscalation: false
+
 nginx:
   ## The NGINX image to use
   image:
diff --git a/docs/README.md b/docs/README.md
@@ -18,6 +18,7 @@ yourself.
 - [CLI Help](cli-help.md): Describes the commands available in the `gateway` binary of `nginx-kubernetes-gateway`
 container.
 - [Monitoring](monitoring.md): Information on monitoring NGINX Kubernetes Gateway using Prometheus metrics.
+- [Troubleshooting](troubleshooting.md): Troubleshooting guide for common or known issues.
 
 ### Directories
 
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
@@ -0,0 +1,11 @@
+# Troubleshooting
+
+This document contains common or known issues and how to troubleshoot them.
+
+## failed to reload NGINX: failed to send the HUP signal to NGINX main: operation not permitted
+
+Depending on your environment's configuration, the control plane may not have the proper permissions to reload
+NGINX. If NGINX configuration is not applied and you see the above error in the `nginx-gateway` logs, you will need
+to set `allowPrivilegeEscalation` to `true`. If using Helm, you can set the
+`nginxGateway.securityContext.allowPrivilegeEscalation` value.
+If using the manifests directly, you can update this field under the `nginx-gateway` container's `securityContext`.
