SecurityContext for Postgres Pods

[BobyMCbobs]

Issue

Postgres shouldn't need to run as root in most cases and also doesn't need to have a writable filesystem.

What is the likelihood of running the Spilo and Pooler Pods with a Pod SecurityContext something like:

podSecurityContext:
  readOnlyRootFilesystem: true
  runAsUser: 101
  runAsGroup: 103
  allowPrivilegeEscalation: false

This will minimize on various risks of the Pod's lifecycle

[Jan-M]

Check manifest and docs, pretty sure this is already supported.

[BobyMCbobs]

Check manifest and docs, pretty sure this is already supported.

@Jan-M, I've taken a look in the docs a few times and haven't been able to see it.

Am I looking in the correct place?
https://postgres-operator.readthedocs.io/en/latest/reference/operator_parameters/#kubernetes-resources

[Jan-M]

https://github.com/zalando/postgres-operator/blob/master/manifests/complete-postgres-manifest.yaml#L71

All we have is this right now. That seems to solve half your problem.

[Jan-M]

As far as privilege escalation goes, dynamic resize may need more privileges to run resize2fs until K8s solves this.

[joschi36]

This should solve the problem, right? #1083
But that didn't get any attention by the maintainers till now. @Jan-M maybe you can have look at the PR and tell us if this is the right way?

[Jan-M]

The PR looks almost good, just added a few comments as I see a risk in that the default is modified for non fsGroup users.

[BobyMCbobs]

The PR #1083 is looking good!

[BobyMCbobs]

Any possibility for also making the filesystem read only as well?

[apeschel]

https://github.com/zalando/postgres-operator/blob/master/manifests/complete-postgres-manifest.yaml#L71

All we have is this right now. That seems to solve half your problem.

Here's the line with the correct commit:

postgres-operator/manifests/complete-postgres-manifest.yaml

Line 71 in 03437b6

# spiloFSGroup: 103