Custom SecurityContext in Postgresql, OperatorConfiguration CRDs #2244
Conversation
hshmilo
requested review from
sdudoladov,
Jan-M,
FxKu,
jopadi,
idanovinda and
hughcapet
as code owners
|
+1 |
1 similar comment
|
+1 |
|
Hi everyone, any updates regarding this PR? |
|
Hi, any chance to review this MR please? It would be a good addition for cluster security in depth. |
|
+1 on needing this to comply with restricted profiles, as @EmilMunksoe mentioned #2223 (comment) |
|
Hey, this is also a blocker for us since we have strict pod policies for the clusters. Is this something that will be merged soon? |
|
+1 |
1 similar comment
|
+1 |
|
+1 this would allow my team to be able to deploy postgres into our clusters with this operator |
|
Why is this MR (which will make many lives easier) ignored for over a year now? waiting only makes it more complicated to merge and now there are merge conflicts to resolve. |
|
Honestly, the delay on this led me to move from this operator over the CloudNative PostgreSQL Operator, which does everything and is already secure. |
same here :( |
|
+1 |
|
I circumvented the problem with a MutatingWebhookConfiguration and the corresponding controller: https://github.com/mheers/pod-spec-mutator You create a deployment with an env var that specifies how the pod will modified before starting: With this one can easily specify the SecurityContext and have it merged in the starting pods specification on-the-fly. |
I circumvented the problem by moving to the CNPG Operator which does everything securely by default. |
I also checked CNPG and indeed it offers to set the SecurityContext, but I also need to define additional volumes and hostAliases - which is also not supported by CNPG so I sticked with zalando and built the admission-hook. |
|
please merge this PR |
|
I think labeling this PR as Could we please get an acknowledgement or response from the PR reviewers (or other repo maintainers) with current status and/or some steps that community members can take to help it along? Do you need testers, or is there something else you're concerned about that we can help with? Migrating to another Postgres Operator would be a large undertaking for us, but if we can't get these security exceptions resolved, we may be forced to migrate at some point like others already have. |
| @@ -324,8 +328,17 @@ spec: | |||
| type: integer | |||
| spilo_runasgroup: | |||
| type: integer | |||
| spilo_runasnonroot: | |||
There was a problem hiding this comment.
Why do you need this if there is a spilo_runasuser?
There was a problem hiding this comment.
@szuecs such field is required to conform with pod security standards restricted profile
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
There was a problem hiding this comment.
Ok then let's have it!
Please resolve all the comments related with this one.
Thanks for your work!
| @@ -466,8 +466,17 @@ spec: | |||
| type: integer | |||
| spiloRunAsGroup: | |||
| type: integer | |||
| spiloRunAsNonRoot: | |||
There was a problem hiding this comment.
| @@ -196,10 +200,15 @@ configKubernetes: | |||
| # set user and group for the spilo container (required to run Spilo as non-root process) | |||
| # spilo_runasuser: 101 | |||
| # spilo_runasgroup: 103 | |||
| # spilo_runasnonroot: true | |||
There was a problem hiding this comment.
| cluster to access buckets to write WAL-E logs: Workload Identity (recommended) | ||
| or using a GCP Service Account Key (legacy). | ||
|
|
||
| #### Workload Identity setup |
There was a problem hiding this comment.
why is this all dropped?
I have no idea about GCP, but the PR seems to be about CRD change to allow to customize SecurityContext.
Please make sure the focus of the PR stays in line with the changes.
| @@ -78,13 +78,26 @@ These parameters are grouped directly under the `spec` key in the manifest. | |||
| This must be set to run the container without root. By default the container | |||
| runs with root. This option only works for Spilo versions >= 1.6-p3. | |||
|
|
|||
| * **spiloRunAsNonRoot** | |||
There was a problem hiding this comment.
| @@ -453,12 +453,25 @@ configuration they are grouped under the `kubernetes` key. | |||
| This must be set to run the container without root. By default the container | |||
| runs with root. This option only works for Spilo versions >= 1.6-p3. | |||
|
|
|||
| * **spilo_runasnonroot** | |||
There was a problem hiding this comment.
| capabilities: | ||
| drop: | ||
| - ALL | ||
| runAsNonRoot: true |
There was a problem hiding this comment.
| @@ -93,7 +93,11 @@ spec: | |||
| enableShmVolume: true | |||
| # spiloRunAsUser: 101 | |||
| # spiloRunAsGroup: 103 | |||
| # spiloRunAsNonRoot: true | |||
There was a problem hiding this comment.
| # capabilities: | ||
| # drop: | ||
| # - ALL | ||
| # runAsNonRoot: true |
There was a problem hiding this comment.
| @@ -150,7 +151,11 @@ data: | |||
| spilo_allow_privilege_escalation: "true" | |||
| # spilo_runasuser: 101 | |||
| # spilo_runasgroup: 103 | |||
| # spilo_runasnonroot: true | |||
There was a problem hiding this comment.
| @@ -322,8 +326,17 @@ spec: | |||
| type: integer | |||
| spilo_runasgroup: | |||
| type: integer | |||
| spilo_runasnonroot: | |||
There was a problem hiding this comment.
| @@ -100,7 +102,11 @@ configuration: | |||
| spilo_allow_privilege_escalation: true | |||
| # spilo_runasuser: 101 | |||
| # spilo_runasgroup: 103 | |||
| # spilo_runasnonroot: true | |||
There was a problem hiding this comment.
| @@ -464,8 +464,17 @@ spec: | |||
| type: integer | |||
| spiloRunAsGroup: | |||
| type: integer | |||
| spiloRunAsNonRoot: | |||
There was a problem hiding this comment.
| @@ -728,9 +728,23 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{ | |||
| "spiloRunAsGroup": { | |||
| Type: "integer", | |||
| }, | |||
| "spiloRunAsNonRoot": { | |||
There was a problem hiding this comment.
| @@ -64,8 +64,11 @@ type KubernetesMetaConfiguration struct { | |||
| SpiloAllowPrivilegeEscalation *bool `json:"spilo_allow_privilege_escalation,omitempty"` | |||
| SpiloRunAsUser *int64 `json:"spilo_runasuser,omitempty"` | |||
| SpiloRunAsGroup *int64 `json:"spilo_runasgroup,omitempty"` | |||
| SpiloRunAsNonRoot *bool `json:"spilo_runasnonroot,omitempty"` | |||
There was a problem hiding this comment.
| @@ -32,12 +32,15 @@ type Resources struct { | |||
| PodTerminateGracePeriod time.Duration `name:"pod_terminate_grace_period" default:"5m"` | |||
| SpiloRunAsUser *int64 `name:"spilo_runasuser"` | |||
| SpiloRunAsGroup *int64 `name:"spilo_runasgroup"` | |||
| SpiloRunAsNonRoot *bool `name:"spilo_runasnonroot"` | |||
There was a problem hiding this comment.
| @@ -2346,6 +2396,8 @@ func (c *Cluster) generateLogicalBackupPodEnvVars() []v1.EnvVar { | |||
| envVars = append(envVars, v1.EnvVar{Name: "AWS_SECRET_ACCESS_KEY", Value: c.OpConfig.LogicalBackup.LogicalBackupS3SecretAccessKey}) | |||
| } | |||
|
|
|||
| c.logger.Debugf("Generated logical backup env vars") | |||
| c.logger.Debugf("%v", envVars) | |||
There was a problem hiding this comment.
hmm, not sure if I would like this as security enhancement
|
I am not part of postgres-operator maintainers, but from kubernetes point of view I have some idea. I hope my questions are fine and help to get some things sorted out. |
This PR extends the Postgresql, OperatorConfiguration CRDs with the following list of properties related to pod/containers SecurityContext.
Postgresql CRD:
OperatorConfiguration CRD:
This PR addresses #2223