From ac0519c3fc81db1bebdeb90b19c2515bd492dec1 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Thu, 20 Jun 2024 19:27:57 -0400
Subject: [PATCH 1/5] Update ingress.tf - 4.10.1 + runAsNonRoot
---
 modules/base/ingress.tf | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/modules/base/ingress.tf b/modules/base/ingress.tf
index 27c76d8..7957742 100644
--- a/modules/base/ingress.tf
+++ b/modules/base/ingress.tf
@@ -15,7 +15,7 @@ resource "helm_release" "ingress_nginx" {
 repository = "https://kubernetes.github.io/ingress-nginx"
 chart = "ingress-nginx"
- version = "4.10.0"
+ version = "4.10.1"
 wait = true
 timeout = 600
@@ -55,5 +55,40 @@ resource "helm_release" "ingress_nginx" {
 value = var.ingress_nginx_min_unavailable
 }
+ set {
+ name = "controller.containerSecurityContext.runAsUser"
+ value = 101
+ }
+
+ set {
+ name = "controller.containerSecurityContext.runAsGroup"
+ value = 101
+ }
+
+ set {
+ name = "controller.containerSecurityContext.allowPrivilegeEscalation"
+ value = false
+ }
+
+ set {
+ name = "controller.containerSecurityContext.readOnlyRootFilesystem"
+ value = false
+ }
+
+ set {
+ name = "controller.containerSecurityContext.runAsNonRoot"
+ value = true
+ }
+
+ set_list {
+ name = "controller.containerSecurityContext.capabilities.drop"
+ value = ["ALL"]
+ }
+
+ set_list {
+ name = "controller.containerSecurityContext.capabilities.add"
+ value = ["NET_BIND_SERVICE"]
+ }
+
 depends_on = [module.azure_aks.node_resource_group]
 }
From 5d1fd027e01ef754786b1318ed331290babba96f Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Thu, 20 Jun 2024 19:41:16 -0400
Subject: [PATCH 2/5] Update ingress.tf - PSS restricted
---
 modules/base/ingress.tf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/modules/base/ingress.tf b/modules/base/ingress.tf
index 7957742..940d7f4 100644
--- a/modules/base/ingress.tf
+++ b/modules/base/ingress.tf
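Review bot: The new `controller.containerSecurityContext` block in the second hunk sets no `seccompProfile`, so if the chart renders this block verbatim in place of the defaults it would otherwise emit, the controller container ends up with no seccomp profile at all — and a `RuntimeDefault` (or `Localhost`) profile is one of the Pod Security Standards `restricted` requirements that PATCH 2/5 goes on to enforce on the namespace. Add a `set` block next to the `runAsNonRoot` one with `name = "controller.containerSecurityContext.seccompProfile.type"` and `value = "RuntimeDefault"`. `readOnlyRootFilesystem = false` is the one value here that deliberately relaxes the context, and nothing records why; a comment such as `# readOnlyRootFilesystem stays false: the controller writes generated config under its root filesystem — TODO confirm which paths and mount emptyDirs instead` would stop the next reader from "fixing" it. The enclosing `helm_release` resource starts before the hunk.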
@@ -8,10 +8,19 @@ resource "azurerm_public_ip" "ingress" {
 # Ingress controller
+resource "kubernetes_namespace" "ingress_nginx" {
+ metadata {
+ labels = {
+ "pod-security.kubernetes.io/enforce" = "restricted"
+ }
+
+ name = "ingress-nginx"
+ }
+}
+
 resource "helm_release" "ingress_nginx" {
 name = "ingress-nginx"
- namespace = "ingress-nginx"
- create_namespace = true
+ namespace = kubernetes_namespace.ingress_nginx.metadata.0.name
 repository = "https://kubernetes.github.io/ingress-nginx"
 chart = "ingress-nginx"
From 812a709911de5160462cdd13ca5582a18dc468e1 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Thu, 20 Jun 2024 19:44:10 -0400
Subject: [PATCH 3/5] Update README.md - k8s_namespace
---
 modules/base/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/base/README.md b/modules/base/README.md
index 490efdd..3d6b47d 100644
--- a/modules/base/README.md
+++ b/modules/base/README.md
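Review bot: The namespace carries only the `pod-security.kubernetes.io/enforce` label, so a controller pod that does not meet `restricted` is rejected outright with no record of which rule failed; adding `"pod-security.kubernetes.io/warn" = "restricted"` and `"pod-security.kubernetes.io/audit" = "restricted"` to the same `labels` map surfaces the violation as an API warning and in the audit log, which is the usual way to roll a profile out before enforcing it. Given that PATCH 4/5 reverts this namespace "for now", an admission rejection is presumably what forced the rollback — the security context set in PATCH 1/5 has no `seccompProfile`, which `restricted` requires — though that cannot be confirmed from the hunk alone. Style: `kubernetes_namespace.ingress_nginx.metadata.0.name` uses the legacy attribute-index form; `metadata[0].name` is the current one. The `helm_release` resource body continues past the end of the hunk.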
@@ -55,6 +55,7 @@ Module that provides the reference architecture.
 | [humanitec_resource_definition_criteria.default_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [kubernetes_namespace.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [random_string.name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
 | [azuread_service_principal.aks](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
From f4ab1811bcc51511d93fae69cd403101373bf586 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Thu, 20 Jun 2024 19:46:20 -0400
Subject: [PATCH 4/5] Update ingress.tf - rollback ns for now
---
 modules/base/ingress.tf | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/modules/base/ingress.tf b/modules/base/ingress.tf
index 940d7f4..7957742 100644
--- a/modules/base/ingress.tf
+++ b/modules/base/ingress.tf
@@ -8,19 +8,10 @@ resource "azurerm_public_ip" "ingress" {
 # Ingress controller
-resource "kubernetes_namespace" "ingress_nginx" {
- metadata {
- labels = {
- "pod-security.kubernetes.io/enforce" = "restricted"
- }
-
- name = "ingress-nginx"
- }
-}
-
 resource "helm_release" "ingress_nginx" {
 name = "ingress-nginx"
- namespace = kubernetes_namespace.ingress_nginx.metadata.0.name
+ namespace = "ingress-nginx"
+ create_namespace = true
 repository = "https://kubernetes.github.io/ingress-nginx"
 chart = "ingress-nginx"
From b8c5d1e26487e595927bc848d3b59a0f644da1f4 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Thu, 20 Jun 2024 19:46:47 -0400
Subject: [PATCH 5/5] Update README.md - rollback ns for now
---
 modules/base/README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/base/README.md b/modules/base/README.md
index 3d6b47d..490efdd 100644
--- a/modules/base/README.md
+++ b/modules/base/README.md
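Review bot: Going back to `create_namespace = true` leaves the `ingress-nginx` namespace with no `pod-security.kubernetes.io/*` label, so nothing at admission time enforces the container security context that PATCH 1/5 configures on the release — it holds only as long as those Helm values are kept, and any other workload deployed into the namespace is unconstrained. The commit message says "rollback ns for now" but the code keeps no trace of the intent or of what blocked it; a comment on the `create_namespace = true` line such as `# TODO: restore the kubernetes_namespace resource with the PSS "restricted" labels once the controller pod is confirmed to pass restricted admission` would record both. The `helm_release` resource continues past the end of the hunk.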
@@ -55,7 +55,6 @@ Module that provides the reference architecture.
 | [humanitec_resource_definition_criteria.default_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [kubernetes_namespace.ingress_nginx](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [random_string.name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
 | [azuread_service_principal.aks](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |