Allow NGF to run on OpenShift (nginx#1976)

Add SecurityContextConstraints for NGF and documentation on additional steps when installing NGF on an OpenShift environment.

Problem: NGF fails to deploy on OpenShift.

Solution: Add SecurityContextConstraints for NGF, giving NGF to correct permissions to deploy on OpenShift.

Testing: Manual deployment of NGF with NGINX and NGINX+. Also set up the cafe example and ensured traffic flowed.

Makefile

@@ -132,6 +132,7 @@ generate-manifests: ## Generate manifests using Helm.
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/nodeport.yaml
+	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --api-versions security.openshift.io/v1/SecurityContextConstraints -s templates/scc.yaml > $(strip $(MANIFEST_DIR))/scc.yaml
 
 .PHONY: clean
 clean: ## Clean the build

charts/nginx-gateway-fabric/templates/_helpers.tpl

@@ -39,6 +39,14 @@ Create data plane config name.
 {{- printf "%s-proxy-config" $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Create security context constraints name.
+*/}}
+{{- define "nginx-gateway.scc-name" -}}
+{{- $name := default .Release.Name .Values.nameOverride }}
+{{- printf "%s-scc" $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/nginx-gateway-fabric/templates/rbac.yaml

@@ -149,6 +149,16 @@ rules:
   verbs:
   - list
   - watch
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - {{ include "nginx-gateway.scc-name" . }}
+  verbs:
+  - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/nginx-gateway-fabric/templates/scc.yaml

@@ -0,0 +1,40 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: {{ include "nginx-gateway.scc-name" . }}
+allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 101
+  uidRangeMax: 102
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+seLinuxContext:
+  type: MustRunAs
+volumes:
+- emptyDir
+- secret
+users:
+- {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.serviceAccountName" .) }}
+allowedCapabilities:
+- NET_BIND_SERVICE
+- KILL
+requiredDropCapabilities:
+- ALL
+{{- end }}

charts/nginx-gateway-fabric/values.yaml

@@ -106,7 +106,7 @@ terminationGracePeriodSeconds: 30
 ## Tolerations for the NGINX Gateway Fabric pod.
 tolerations: []
 
-##  The nodeSelector of the NGINX Gateway Fabric pod.
+## The nodeSelector of the NGINX Gateway Fabric pod.
 nodeSelector: {}
 
 ## The affinity of the NGINX Gateway Fabric pod.

deploy/manifests/scc.yaml

@@ -0,0 +1,40 @@
+---
+# Source: nginx-gateway-fabric/templates/scc.yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: nginx-gateway-scc
+allowPrivilegeEscalation: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 101
+  uidRangeMax: 102
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1001
+    max: 1001
+seLinuxContext:
+  type: MustRunAs
+volumes:
+- emptyDir
+- secret
+users:
+- system:serviceaccount:nginx-gateway:nginx-gateway
+allowedCapabilities:
+- NET_BIND_SERVICE
+- KILL
+requiredDropCapabilities:
+- ALL

site/content/installation/installing-ngf/manifests.md

@@ -45,6 +45,23 @@ kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric
 
 {{<note>}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files.{{</note>}}
 
+{{<note>}}If you are deploying NGINX Gateway Fabric on OpenShift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC:
+
+```yaml
+. . .
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  -  nginx-gateway-scc
+  verbs:
+  - use
+ ```
+
+Alternatively, use [helm]({{< relref "installation/installing-ngf/helm.md" >}}), which will automatically configure the mentioned resources on OpenShift.
+{{</note>}}
+
 #### Stable release
 
 ##### For NGINX