Commit 2ca026e

Allow for configurable securityContext (#1063)
Problem: In at least one environment it has been found that the control plane does not have permissions to reload nginx, requiring allowPrivilegeEscalation to be true.

Solution: Keep the same default, but allow this field to be configurable. Added a troubleshooting guide for this issue.
1 parent f6820eb commit 2ca026e

5 files changed

+21
-1
lines changed

README.md

Lines changed: 4 additions & 0 deletions
@@ -107,6 +107,10 @@ can run the following command:
107107
docker buildx imagetools inspect ghcr.io/nginxinc/nginx-kubernetes-gateway:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype
108108
```
109109

110+
## Troubleshooting
111+
112+
For troubleshooting help, see the [Troubleshooting](/docs/troubleshooting.md) document.
113+
110114
## Contacts
111115

112116
We’d like to hear your feedback! If you experience issues with our Gateway Controller, please [open a bug][bug] in
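
Review bot: The link target on added line 112 is root-absolute (`/docs/troubleshooting.md`), while the docs index entry added in this same commit uses a relative path (`troubleshooting.md`). A relative `docs/troubleshooting.md` here would be consistent with that entry and would still resolve when the README is rendered somewhere other than the repository web view.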

deploy/helm-chart/templates/deployment.yaml

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ spec:
7272
periodSeconds: 1
7373
{{- end }}
7474
securityContext:
75-
allowPrivilegeEscalation: false
75+
allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
7676
capabilities:
7777
add:
7878
- KILL
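
Review bot: On added line 75 the value is rendered with no guard, so the chart no longer fails closed. If `nginxGateway.securityContext` is absent from the supplied values (for example an upgrade that reuses a values set from before this key existed), the template either fails on the nil lookup or renders an empty `allowPrivilegeEscalation:`, which Kubernetes treats as unset rather than as false. Suggest rendering `false` whenever the value is missing and constraining the value to a boolean (a `values.schema.json` entry would do it), so that only an explicit `true` relaxes the setting.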

deploy/helm-chart/values.yaml

Lines changed: 4 additions & 0 deletions
@@ -30,6 +30,10 @@ nginxGateway:
3030
tag: edge
3131
pullPolicy: Always
3232

33+
securityContext:
34+
## Some environments may need this set to true in order for the control plane to successfully reload NGINX.
35+
allowPrivilegeEscalation: false
36+
3337
nginx:
3438
## The NGINX image to use
3539
image:
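
Review bot: The comment on added line 34 says when to set this to true but not what it relaxes. The `false` default exists to stop the container process from gaining more privileges than its parent, so the comment should say that and point to docs/troubleshooting.md, so that an operator changes it only after seeing the reload error rather than pre-emptively. It is also worth noting here that clusters enforcing the restricted Pod Security Standard will reject the pod once this is true.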

docs/README.md

Lines changed: 1 addition & 0 deletions
@@ -18,6 +18,7 @@ yourself.
1818
- [CLI Help](cli-help.md): Describes the commands available in the `gateway` binary of `nginx-kubernetes-gateway`
1919
container.
2020
- [Monitoring](monitoring.md): Information on monitoring NGINX Kubernetes Gateway using Prometheus metrics.
21+
- [Troubleshooting](troubleshooting.md): Troubleshooting guide for common or known issues.
2122

2223
### Directories
2324

docs/troubleshooting.md

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# Troubleshooting
2+
3+
This document contains common or known issues and how to troubleshoot them.
4+
5+
## failed to reload NGINX: failed to send the HUP signal to NGINX main: operation not permitted
6+
7+
Depending on your environment's configuration, the control plane may not have the proper permissions to reload
8+
NGINX. If NGINX configuration is not applied and you see the above error in the `nginx-gateway` logs, you will need
9+
to set `allowPrivilegeEscalation` to `true`. If using Helm, you can set the
10+
`nginxGateway.securityContext.allowPrivilegeEscalation` value.
11+
If using the manifests directly, you can update this field under the `nginx-gateway` container's `securityContext`.
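
Review bot: The guidance on added lines 7 to 11 goes straight from the error message to setting `allowPrivilegeEscalation` to `true` without stating the cause or the trade-off. The commit message says this was found in "at least one environment"; the guide should describe that environment or how to recognise it, and explain why the HUP signal is refused there even though the container already adds the KILL capability, so readers can tell whether a narrower fix applies. Please also state that this change relaxes the container's hardening and should be applied to the `nginx-gateway` container only.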
