feat: define pod/container security contexts in separate package

k-web-s · Mar 19, 2024 · c8d1a2e · c8d1a2e
1 parent bc9948c
commit c8d1a2e
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 28 deletions.
diff --git a/private/controllers/statefulset/statefulset.go b/private/controllers/statefulset/statefulset.go
@@ -36,14 +36,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/utils/pointer"
 
 	"github.com/k-web-s/patroni-postgres-operator/api/v1alpha1"
 	"github.com/k-web-s/patroni-postgres-operator/private/context"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/rbac"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/secret"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/service"
+	"github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 const (
@@ -58,23 +58,6 @@ const (
 	DataVolumeMountPath = "/var/lib/postgresql"
 )
 
-var (
-	user                = int64(15432)
-	fsGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
-	PodSecurityContext = &corev1.PodSecurityContext{
-		RunAsUser:           &user,
-		RunAsGroup:          &user,
-		FSGroup:             &user,
-		RunAsNonRoot:        pointer.Bool(true),
-		FSGroupChangePolicy: &fsGroupChangePolicy,
-	}
-
-	SecurityContext = &corev1.SecurityContext{
-		AllowPrivilegeEscalation: pointer.Bool(false),
-	}
-)
-
 // +kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=get;list;watch;create;update;delete
 
 func ReconcileSts(ctx context.Context, p *v1alpha1.PatroniPostgres) (sts *appsv1.StatefulSet, err error) {
@@ -271,10 +254,10 @@ func ReconcileSts(ctx context.Context, p *v1alpha1.PatroniPostgres) (sts *appsv1
 								MountPath: DataVolumeMountPath,
 							},
 						},
-						SecurityContext: SecurityContext,
+						SecurityContext: security.ContainerSecurityContext,
 					},
 				},
-				SecurityContext:  PodSecurityContext,
+				SecurityContext:  security.DatabasePodSecurityContext,
 				ImagePullSecrets: p.Spec.ImagePullSecrets,
 				NodeSelector:     p.Spec.NodeSelector,
 				Tolerations:      p.Spec.Tolerations,

diff --git a/private/security/security.go b/private/security/security.go
@@ -0,0 +1,46 @@
+package security
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
+)
+
+const (
+	databaseUserId = 15432
+)
+
+var (
+	fsGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
+
+	// Generic container security contexts
+	ContainerSecurityContext = &corev1.SecurityContext{
+		AllowPrivilegeEscalation: pointer.Bool(false),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"ALL",
+			},
+		},
+	}
+
+	// GenericPodSecurityContext defines pod level security context
+	// for generic/other workloads (e.g. pre/post-upgrade jobs)
+	GenericPodSecurityContext = &corev1.PodSecurityContext{
+		RunAsNonRoot: pointer.Bool(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+
+	// DatabasePodSecurityContext defines pod level security context
+	// for database workloads
+	DatabasePodSecurityContext = &corev1.PodSecurityContext{
+		RunAsNonRoot:        pointer.Bool(true),
+		RunAsUser:           pointer.Int64(databaseUserId),
+		RunAsGroup:          pointer.Int64(databaseUserId),
+		FSGroup:             pointer.Int64(databaseUserId),
+		FSGroupChangePolicy: &fsGroupChangePolicy,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+)
diff --git a/private/upgrade/common.go b/private/upgrade/common.go
@@ -37,6 +37,7 @@ import (
 	pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/secret"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+	"github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 const (
@@ -98,11 +99,11 @@ func createUpgradeJob(ctx pcontext.Context, p *v1alpha1.PatroniPostgres, mode st
 									v1.ResourceMemory: resource.MustParse("64Mi"),
 								},
 							},
-							SecurityContext: statefulset.SecurityContext,
+							SecurityContext: security.ContainerSecurityContext,
 						},
 					},
 					RestartPolicy:   v1.RestartPolicyOnFailure,
-					SecurityContext: statefulset.PodSecurityContext,
+					SecurityContext: security.GenericPodSecurityContext,
 				},
 			},
 		},

diff --git a/private/upgrade/primary.go b/private/upgrade/primary.go
@@ -45,6 +45,7 @@ import (
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/configmap"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+	"github.com/k-web-s/patroni-postgres-operator/private/security"
 	"github.com/k-web-s/patroni-postgres-operator/private/upgrade/preupgrade"
 )
 
@@ -141,7 +142,7 @@ func (primaryUpgradeHandler) handle(ctx pcontext.Context, p *v1alpha1.PatroniPos
 								Resources: v1.ResourceRequirements{
 									Requests: p.Spec.Resources.Requests,
 								},
-								SecurityContext: statefulset.SecurityContext,
+								SecurityContext: security.ContainerSecurityContext,
 							},
 						},
 						Volumes: []v1.Volume{
@@ -155,7 +156,7 @@ func (primaryUpgradeHandler) handle(ctx pcontext.Context, p *v1alpha1.PatroniPos
 							},
 						},
 						RestartPolicy:   v1.RestartPolicyOnFailure,
-						SecurityContext: statefulset.PodSecurityContext,
+						SecurityContext: security.DatabasePodSecurityContext,
 					},
 				},
 			},

diff --git a/private/upgrade/secondary-client.go b/private/upgrade/secondary-client.go
@@ -40,6 +40,7 @@ import (
 	pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+	"github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 var (
@@ -95,7 +96,7 @@ func upgradeSecondariesEnsureseclients(ctx pcontext.Context, p *v1alpha1.Patroni
 									Resources: v1.ResourceRequirements{
 										Requests: p.Spec.Resources.Requests,
 									},
-									SecurityContext: statefulset.SecurityContext,
+									SecurityContext: security.ContainerSecurityContext,
 								},
 							},
 							Volumes: []v1.Volume{
@@ -109,7 +110,7 @@ func upgradeSecondariesEnsureseclients(ctx pcontext.Context, p *v1alpha1.Patroni
 								},
 							},
 							RestartPolicy:   v1.RestartPolicyOnFailure,
-							SecurityContext: statefulset.PodSecurityContext,
+							SecurityContext: security.DatabasePodSecurityContext,
 						},
 					},
 				},

diff --git a/private/upgrade/secondary-stream.go b/private/upgrade/secondary-stream.go
@@ -41,6 +41,7 @@ import (
 	pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 	"github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+	"github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 var (
@@ -104,7 +105,7 @@ func upgradeSecondariesEnsurestreamer(ctx pcontext.Context, p *v1alpha1.PatroniP
 								Resources: v1.ResourceRequirements{
 									Requests: p.Spec.Resources.Requests,
 								},
-								SecurityContext: statefulset.SecurityContext,
+								SecurityContext: security.ContainerSecurityContext,
 							},
 						},
 						Volumes: []v1.Volume{
@@ -117,7 +118,7 @@ func upgradeSecondariesEnsurestreamer(ctx pcontext.Context, p *v1alpha1.PatroniP
 								},
 							},
 						},
-						SecurityContext: statefulset.PodSecurityContext,
+						SecurityContext: security.DatabasePodSecurityContext,
 					},
 				},
 			},