kubernetes · JJotah · Oct 15, 2022 · Oct 15, 2022 · Oct 15, 2022 · Oct 15, 2022
diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
 
+### 4.4.0
+- Update Default Backend due TLS < 1.2 Security Issue
+
 ### 4.3.0 
 - Support for Kubernetes v.1.25.0 was added and support for endpoint slices
 - Support for Kubernetes v1.20.0 was removed

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 4.3.0
-appVersion: 1.4.0
+version: 4.4.0
+appVersion: 1.5.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square)
+![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -435,20 +435,20 @@ Kubernetes: `>=1.20.0-0`
 | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
-| defaultBackend.enabled | bool | `false` |  |
+| defaultBackend.defaultBackendMessage | string | `"Default Backend - 404"` |  |
+| defaultBackend.enabled | bool | `true` |  |
 | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
-| defaultBackend.extraVolumeMounts | list | `[]` |  |
-| defaultBackend.extraVolumes | list | `[]` |  |
-| defaultBackend.image.allowPrivilegeEscalation | bool | `false` |  |
-| defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
+| defaultBackend.extraVolumeMounts[0].mountPath | string | `"/usr/share/nginx/html/index.html"` |  |
+| defaultBackend.extraVolumeMounts[0].name | string | `"config"` |  |
+| defaultBackend.extraVolumeMounts[0].readOnly | bool | `true` |  |
+| defaultBackend.extraVolumeMounts[0].subPath | string | `"index.html"` |  |
+| defaultBackend.extraVolumes[0].configMap.name | string | `"default-backend-message-configmap"` |  |
+| defaultBackend.extraVolumes[0].name | string | `"config"` |  |
 | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
-| defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
-| defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
-| defaultBackend.image.runAsNonRoot | bool | `true` |  |
-| defaultBackend.image.runAsUser | int | `65534` |  |
-| defaultBackend.image.tag | string | `"1.5"` |  |
+| defaultBackend.image.repository | string | `"nginx"` |  |
+| defaultBackend.image.tag | string | `"alpine"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
 | defaultBackend.livenessProbe.initialDelaySeconds | int | `30` |  |
@@ -461,7 +461,7 @@ Kubernetes: `>=1.20.0-0`
 | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
-| defaultBackend.port | int | `8080` |  |
+| defaultBackend.port | int | `80` |  |
 | defaultBackend.priorityClassName | string | `""` |  |
 | defaultBackend.readinessProbe.failureThreshold | int | `6` |  |
 | defaultBackend.readinessProbe.initialDelaySeconds | int | `0` |  |

diff --git a/charts/ingress-nginx/templates/default-backend-configmap.yaml b/charts/ingress-nginx/templates/default-backend-configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  index.html: |
+    <h1>{{ .Values.defaultBackend.defaultBackendMessage }}</h1>
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+  name: default-backend-message-configmap
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -61,9 +61,6 @@ spec:
           {{- end }}
         {{- end }}
           securityContext:
-            capabilities:
-              drop:
-              - ALL
             runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
             runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
             allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
@@ -73,7 +70,7 @@ spec:
         {{- end }}
           livenessProbe:
             httpGet:
-              path: /healthz
+              path: /
               port: {{ .Values.defaultBackend.port }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
@@ -83,7 +80,7 @@ spec:
             failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }}
           readinessProbe:
             httpGet:
-              path: /healthz
+              path: /
               port: {{ .Values.defaultBackend.port }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }}

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
@@ -768,22 +768,24 @@ revisionHistoryLimit: 10
 ##
 defaultBackend:
   ##
-  enabled: false
+  enabled: true
 
   name: defaultbackend
   image:
-    registry: registry.k8s.io
-    image: defaultbackend-amd64
+    repository: nginx
+    tag: alpine
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "1.5"
     pullPolicy: IfNotPresent
     # nobody user -> uid 65534
-    runAsUser: 65534
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
+    # runAsUser: 65534
+    # runAsNonRoot: true
+    # readOnlyRootFilesystem: true
+    # allowPrivilegeEscalation: false
+
+  # Default Backend Message to show
+  defaultBackendMessage: "Default Backend - 404"
 
   # -- Use an existing PSP instead of creating one
   existingPsp: ""
@@ -797,7 +799,7 @@ defaultBackend:
   # -- Additional environment variables to set for defaultBackend pods
   extraEnvs: []
 
-  port: 8080
+  port: 80
 
   ## Readiness and liveness probes for default backend
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
@@ -814,7 +816,6 @@ defaultBackend:
     periodSeconds: 5
     successThreshold: 1
     timeoutSeconds: 5
-
   # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
@@ -864,12 +865,19 @@ defaultBackend:
   #   cpu: 10m
   #   memory: 20Mi
 
-  extraVolumeMounts: []
+  extraVolumeMounts:
+    - name: config
+      mountPath: "/usr/share/nginx/html/index.html"
+      subPath: index.html
+      readOnly: true
   ## Additional volumeMounts to the default backend container.
   #  - name: copy-portal-skins
   #   mountPath: /var/lib/lemonldap-ng/portal/skins
 
-  extraVolumes: []
+  extraVolumes:
+    - name: config
+      configMap:
+        name: default-backend-message-configmap
   ## Additional volumes to the default backend pod.
   #  - name: copy-portal-skins
   #    emptyDir: {}