Set default for security Context for postgres (#1069)

Signed-off-by: souravbiswassanto <saurov@appscode.com>

apis/kubedb/v1alpha2/constants.go

@@ -322,20 +322,20 @@ const (
 	MariaDBDataVolumeName                = "data"
 
 	// =========================== PostgreSQL Constants ============================
-	PostgresDatabasePortName         = "db"
-	PostgresPrimaryServicePortName   = "primary"
-	PostgresStandbyServicePortName   = "standby"
-	PostgresDatabasePort             = 5432
-	PostgresPodPrimary               = "primary"
-	PostgresPodStandby               = "standby"
-	EnvPostgresUser                  = "POSTGRES_USER"
-	EnvPostgresPassword              = "POSTGRES_PASSWORD"
-	PostgresRootUser                 = "postgres"
-	PostgresCoordinatorContainerName = "pg-coordinator"
-	PostgresCoordinatorPort          = 2380
-	PostgresCoordinatorPortName      = "coordinator"
-	PostgresContainerName            = ResourceSingularPostgres
-
+	PostgresDatabasePortName          = "db"
+	PostgresPrimaryServicePortName    = "primary"
+	PostgresStandbyServicePortName    = "standby"
+	PostgresDatabasePort              = 5432
+	PostgresPodPrimary                = "primary"
+	PostgresPodStandby                = "standby"
+	EnvPostgresUser                   = "POSTGRES_USER"
+	EnvPostgresPassword               = "POSTGRES_PASSWORD"
+	PostgresRootUser                  = "postgres"
+	PostgresCoordinatorContainerName  = "pg-coordinator"
+	PostgresCoordinatorPort           = 2380
+	PostgresCoordinatorPortName       = "coordinator"
+	PostgresContainerName             = ResourceSingularPostgres
+	PostgresInitContainerName         = "postgres-init-container"
 	PostgresCoordinatorClientPort     = 2379
 	PostgresCoordinatorClientPortName = "coordinatclient"
 

apis/kubedb/v1alpha2/postgres_helpers.go

@@ -240,24 +240,9 @@ func (p *Postgres) SetDefaults(postgresVersion *catalog.PostgresVersion, topolog
 		}
 	}
 
-	if p.Spec.PodTemplate.Spec.ContainerSecurityContext == nil {
-		p.Spec.PodTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{
-			RunAsUser:  postgresVersion.Spec.SecurityContext.RunAsUser,
-			RunAsGroup: postgresVersion.Spec.SecurityContext.RunAsUser,
-			Privileged: pointer.BoolP(false),
-			Capabilities: &core.Capabilities{
-				Add: []core.Capability{"IPC_LOCK", "SYS_RESOURCE"},
-			},
-		}
-	} else {
-		if p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser == nil {
-			p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser = postgresVersion.Spec.SecurityContext.RunAsUser
-		}
-		if p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup == nil {
-			p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser
-		}
-	}
-
+	p.setDefaultContainerSecurityContext(&p.Spec.PodTemplate, postgresVersion)
+	p.setDefaultCoordinatorSecurityContext(&p.Spec.Coordinator, postgresVersion)
+	p.setDefaultInitContainerSecurityContext(&p.Spec.PodTemplate, postgresVersion)
 	if p.Spec.PodTemplate.Spec.SecurityContext == nil {
 		p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{
 			RunAsUser:  p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser,
@@ -283,6 +268,78 @@ func (p *Postgres) SetDefaults(postgresVersion *catalog.PostgresVersion, topolog
 	p.setDefaultAffinity(&p.Spec.PodTemplate, p.OffshootSelectors(), topology)
 }
 
+func (p *Postgres) setDefaultInitContainerSecurityContext(podTemplate *ofst.PodTemplateSpec, pgVersion *catalog.PostgresVersion) {
+	if podTemplate == nil {
+		return
+	}
+	container := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.InitContainers, PostgresInitContainerName)
+	if container == nil {
+		container = &core.Container{
+			Name:            PostgresInitContainerName,
+			SecurityContext: &core.SecurityContext{},
+			Resources: core.ResourceRequirements{
+				Limits: core.ResourceList{
+					core.ResourceCPU:    resource.MustParse(".200"),
+					core.ResourceMemory: resource.MustParse("128Mi"),
+				},
+				Requests: core.ResourceList{
+					core.ResourceCPU:    resource.MustParse(".200"),
+					core.ResourceMemory: resource.MustParse("128Mi"),
+				},
+			},
+		}
+	} else if container.SecurityContext == nil {
+		container.SecurityContext = &core.SecurityContext{}
+	}
+	p.assignDefaultContainerSecurityContext(container.SecurityContext, pgVersion)
+	podTemplate.Spec.InitContainers = core_util.UpsertContainer(podTemplate.Spec.InitContainers, *container)
+}
+
+func (p *Postgres) setDefaultCoordinatorSecurityContext(coordinatorTemplate *CoordinatorSpec, pgVersion *catalog.PostgresVersion) {
+	if coordinatorTemplate == nil {
+		return
+	}
+	if coordinatorTemplate.SecurityContext == nil {
+		coordinatorTemplate.SecurityContext = &core.SecurityContext{}
+	}
+	p.assignDefaultContainerSecurityContext(coordinatorTemplate.SecurityContext, pgVersion)
+}
+
+func (p *Postgres) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec, pgVersion *catalog.PostgresVersion) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.ContainerSecurityContext == nil {
+		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+	}
+	p.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext, pgVersion)
+}
+
+func (p *Postgres) assignDefaultContainerSecurityContext(sc *core.SecurityContext, pgVersion *catalog.PostgresVersion) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = pgVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.RunAsGroup == nil {
+		sc.RunAsGroup = pgVersion.Spec.SecurityContext.RunAsUser
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}
+
 // setDefaultAffinity
 func (p *Postgres) setDefaultAffinity(podTemplate *ofst.PodTemplateSpec, labels map[string]string, topology *core_util.Topology) {
 	if podTemplate == nil {

go.mod

@@ -27,10 +27,10 @@ require (
 	k8s.io/kube-aggregator v0.25.1
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 	k8s.io/metrics v0.25.1
-	kmodules.xyz/client-go v0.25.40
+	kmodules.xyz/client-go v0.25.41-0.20231109105455-59549ee68009
 	kmodules.xyz/crd-schema-fuzz v0.25.0
 	kmodules.xyz/custom-resources v0.25.2
-	kmodules.xyz/monitoring-agent-api v0.25.5
+	kmodules.xyz/monitoring-agent-api v0.25.6-0.20231110045141-1198ab298d6e
 	kmodules.xyz/objectstore-api v0.25.1
 	kmodules.xyz/offshoot-api v0.25.4
 	kmodules.xyz/webhook-runtime v0.25.0

go.sum

@@ -1381,14 +1381,14 @@ k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 h1:cTdVh7LYu82xeClmfzGtgyspNh6Ux
 k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/client-go v0.25.40 h1:za/YLZRUFWHWfF/EYo3Hz9QFED5Mr/ptRumHb/bqxEI=
-kmodules.xyz/client-go v0.25.40/go.mod h1:ijkpW+0nkrKf8zpK7V/UQQzjWMZpnMX887jfYLHBMIM=
+kmodules.xyz/client-go v0.25.41-0.20231109105455-59549ee68009 h1:TTO66bQKA+/qVjhS1Gm0r8FHfyO3ZY5BFk20fTgEyf8=
+kmodules.xyz/client-go v0.25.41-0.20231109105455-59549ee68009/go.mod h1:ijkpW+0nkrKf8zpK7V/UQQzjWMZpnMX887jfYLHBMIM=
 kmodules.xyz/crd-schema-fuzz v0.25.0 h1:c5ZxNRqJak1bkGhECmyrKpzKGThFMB4088Kynyvngbc=
 kmodules.xyz/crd-schema-fuzz v0.25.0/go.mod h1:VigFz19GwCxMGhb3YjCtlSXmfXb0J/g9du1So6rvqsk=
 kmodules.xyz/custom-resources v0.25.2 h1:+PJgUZvbbSgyNT7EX9gUZ3PIzY2LAW03TDW8cevvXqo=
 kmodules.xyz/custom-resources v0.25.2/go.mod h1:b9XjjKQMZ6KrLHXKqQz7YwV3M3BK8Hwi4KEwu5RadCo=
-kmodules.xyz/monitoring-agent-api v0.25.5 h1:7ULBfJkRy+ROJuNclB2IzFHqesblFihtVo9How0/2LM=
-kmodules.xyz/monitoring-agent-api v0.25.5/go.mod h1:TNJ2Bek2PC07MWU7VXFlfKFwN4IYvLzBEFwl/9XN8lc=
+kmodules.xyz/monitoring-agent-api v0.25.6-0.20231110045141-1198ab298d6e h1:CDVp3f587yIqoh2g9XnRX/In6QO8ZK6uw/fWdpYgOTU=
+kmodules.xyz/monitoring-agent-api v0.25.6-0.20231110045141-1198ab298d6e/go.mod h1:TNJ2Bek2PC07MWU7VXFlfKFwN4IYvLzBEFwl/9XN8lc=
 kmodules.xyz/objectstore-api v0.25.1 h1:lYQlxk+edgZYakhq+OoRBXTbHbZTGKhatGZWnKixgEQ=
 kmodules.xyz/objectstore-api v0.25.1/go.mod h1:6wBtktN7/EXyE429OTCB9nwEe+d0ADaoCtm6+IZnJso=
 kmodules.xyz/offshoot-api v0.25.4 h1:IjJNvkphcdYUG8XO/pBwXpuP8W+jxAWJZ3yH8vgI/as=

vendor/kmodules.xyz/client-go/core/v1/kubernetes.go

@@ -68,6 +68,15 @@ func EnsureContainerDeleted(containers []core.Container, name string) []core.Con
 	return containers
 }
 
+func GetContainerByName(containers []core.Container, name string) *core.Container {
+	for i := range containers {
+		if containers[i].Name == name {
+			return &containers[i]
+		}
+	}
+	return nil
+}
+
 func UpsertContainer(containers []core.Container, upsert core.Container) []core.Container {
 	for i, container := range containers {
 		if container.Name == upsert.Name {
@@ -116,6 +125,15 @@ func DeleteContainer(containers []core.Container, name string) []core.Container
 	return containers
 }
 
+func GetVolumeByName(volumes []core.Volume, name string) *core.Volume {
+	for i := range volumes {
+		if volumes[i].Name == name {
+			return &volumes[i]
+		}
+	}
+	return nil
+}
+
 func UpsertVolume(volumes []core.Volume, nv ...core.Volume) []core.Volume {
 	upsert := func(v core.Volume) {
 		for i, vol := range volumes {
@@ -192,6 +210,15 @@ func EnsureVolumeDeleted(volumes []core.Volume, name string) []core.Volume {
 	return volumes
 }
 
+func GetVolumeMountByName(volumeMounts []core.VolumeMount, name string) *core.VolumeMount {
+	for i := range volumeMounts {
+		if volumeMounts[i].Name == name {
+			return &volumeMounts[i]
+		}
+	}
+	return nil
+}
+
 func UpsertVolumeMount(mounts []core.VolumeMount, nv ...core.VolumeMount) []core.VolumeMount {
 	upsert := func(m core.VolumeMount) {
 		for i, vol := range mounts {
@@ -237,6 +264,15 @@ func EnsureVolumeMountDeletedByPath(mounts []core.VolumeMount, mountPath string)
 	return mounts
 }
 
+func GetEnvByName(envs []core.EnvVar, name string) *core.EnvVar {
+	for i := range envs {
+		if envs[i].Name == name {
+			return &envs[i]
+		}
+	}
+	return nil
+}
+
 func UpsertEnvVars(vars []core.EnvVar, nv ...core.EnvVar) []core.EnvVar {
 	upsert := func(env core.EnvVar) {
 		if env.ValueFrom != nil &&

vendor/kmodules.xyz/monitoring-agent-api/api/v1/helpers.go

@@ -16,7 +16,12 @@ limitations under the License.
 
 package v1
 
-import "fmt"
+import (
+	"fmt"
+
+	"gomodules.xyz/pointer"
+	core "k8s.io/api/core/v1"
+)
 
 func (agent *AgentSpec) SetDefaults() {
 	if agent == nil {
@@ -30,7 +35,32 @@ func (agent *AgentSpec) SetDefaults() {
 		if agent.Prometheus.Exporter.Port == 0 {
 			agent.Prometheus.Exporter.Port = PrometheusExporterPortNumber
 		}
+		agent.SetSecurityContextDefaults()
+	}
+}
+
+func (agent *AgentSpec) SetSecurityContextDefaults() {
+	sc := agent.Prometheus.Exporter.SecurityContext
+	if sc == nil {
+		sc = &core.SecurityContext{}
+	}
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
 	}
+	agent.Prometheus.Exporter.SecurityContext = sc
 }
 
 func IsKnownAgentType(at AgentType) bool {

vendor/modules.txt

@@ -1370,7 +1370,7 @@ k8s.io/utils/trace
 # kmodules.xyz/apiversion v0.2.0
 ## explicit; go 1.14
 kmodules.xyz/apiversion
-# kmodules.xyz/client-go v0.25.40
+# kmodules.xyz/client-go v0.25.41-0.20231109105455-59549ee68009
 ## explicit; go 1.18
 kmodules.xyz/client-go
 kmodules.xyz/client-go/api/v1
@@ -1414,7 +1414,7 @@ kmodules.xyz/custom-resources/client/listers/appcatalog/v1alpha1
 kmodules.xyz/custom-resources/client/listers/metrics/v1alpha1
 kmodules.xyz/custom-resources/crds
 kmodules.xyz/custom-resources/util/siteinfo
-# kmodules.xyz/monitoring-agent-api v0.25.5
+# kmodules.xyz/monitoring-agent-api v0.25.6-0.20231110045141-1198ab298d6e
 ## explicit; go 1.18
 kmodules.xyz/monitoring-agent-api/api/v1
 # kmodules.xyz/objectstore-api v0.25.1