From c8d1a2eb6f740891162e72519fce72cc44548d5b Mon Sep 17 00:00:00 2001
From: Richard Kojedzinszky
Date: Tue, 19 Mar 2024 09:26:15 +0100
Subject: [PATCH] feat: define pod/container security contexts in separate package
---
 .../controllers/statefulset/statefulset.go | 23 ++--------
 private/security/security.go | 46 +++++++++++++++++++
 private/upgrade/common.go | 5 +-
 private/upgrade/primary.go | 5 +-
 private/upgrade/secondary-client.go | 5 +-
 private/upgrade/secondary-stream.go | 5 +-
 6 files changed, 61 insertions(+), 28 deletions(-)
 create mode 100644 private/security/security.go
diff --git a/private/controllers/statefulset/statefulset.go b/private/controllers/statefulset/statefulset.go
index 5301feb..a820477 100644
--- a/private/controllers/statefulset/statefulset.go
+++ b/private/controllers/statefulset/statefulset.go
@@ -36,7 +36,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
- "k8s.io/utils/pointer"
 
 "github.com/k-web-s/patroni-postgres-operator/api/v1alpha1"
 "github.com/k-web-s/patroni-postgres-operator/private/context"
@@ -44,6 +43,7 @@ import (
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/rbac"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/secret"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/service"
+ "github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 const (
@@ -58,23 +58,6 @@ const (
 DataVolumeMountPath = "/var/lib/postgresql"
 )
 
-var (
- user = int64(15432)
- fsGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
- PodSecurityContext = &corev1.PodSecurityContext{
- RunAsUser: &user,
- RunAsGroup: &user,
- FSGroup: &user,
- RunAsNonRoot: pointer.Bool(true),
- FSGroupChangePolicy: &fsGroupChangePolicy,
- }
-
- SecurityContext = &corev1.SecurityContext{
- AllowPrivilegeEscalation: pointer.Bool(false),
- }
-)
-
 // +kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=get;list;watch;create;update;delete
 func ReconcileSts(ctx context.Context, p *v1alpha1.PatroniPostgres) (sts *appsv1.StatefulSet, err error) {
 
@@ -271,10 +254,10 @@ func ReconcileSts(ctx context.Context, p *v1alpha1.PatroniPostgres) (sts *appsv1
 MountPath: DataVolumeMountPath,
 },
 },
- SecurityContext: SecurityContext,
+ SecurityContext: security.ContainerSecurityContext,
 },
 },
- SecurityContext: PodSecurityContext,
+ SecurityContext: security.DatabasePodSecurityContext,
 ImagePullSecrets: p.Spec.ImagePullSecrets,
 NodeSelector: p.Spec.NodeSelector,
 Tolerations: p.Spec.Tolerations,
diff --git a/private/security/security.go b/private/security/security.go
new file mode 100644
index 0000000..0ec16b0
--- /dev/null
+++ b/private/security/security.go
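Review bot: Every running Postgres pod will be restarted the first time the upgraded operator reconciles, because the `security.DatabasePodSecurityContext` and `security.ContainerSecurityContext` substituted here carry a `RuntimeDefault` seccomp profile and a `Drop: ["ALL"]` capability set that the removed `PodSecurityContext`/`SecurityContext` never had, so the StatefulSet pod template changes. That is a worthwhile hardening step, but the commit message describes a pure refactor ("define ... in separate package"); it should state the rollout and that the postgres/Patroni image was verified to run with no capabilities under the runtime default seccomp profile, since a process killed by the profile or refused a capability only surfaces as CrashLoopBackOff after the roll. A safer split is to land the package move first and tighten the contexts in a separate commit so the template change is reviewable on its own. `ReconcileSts` starts and ends outside this hunk.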
@@ -0,0 +1,46 @@
+package security
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/pointer"
+)
+
+const (
+ databaseUserId = 15432
+)
+
+var (
+ fsGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
+
+ // Generic container security contexts
+ ContainerSecurityContext = &corev1.SecurityContext{
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
+ }
+
+ // GenericPodSecurityContext defines pod level security context
+ // for generic/other workloads (e.g. pre/post-upgrade jobs)
+ GenericPodSecurityContext = &corev1.PodSecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+
+ // DatabasePodSecurityContext defines pod level security context
+ // for database workloads
+ DatabasePodSecurityContext = &corev1.PodSecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
+ RunAsUser: pointer.Int64(databaseUserId),
+ RunAsGroup: pointer.Int64(databaseUserId),
+ FSGroup: pointer.Int64(databaseUserId),
+ FSGroupChangePolicy: &fsGroupChangePolicy,
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+)
diff --git a/private/upgrade/common.go b/private/upgrade/common.go
index 822b918..ad7c94e 100644
--- a/private/upgrade/common.go
+++ b/private/upgrade/common.go
@@ -37,6 +37,7 @@ import (
 pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/secret"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+ "github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 const (
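Review bot: `ContainerSecurityContext`, `GenericPodSecurityContext` and `DatabasePodSecurityContext` are exported pointers to package-level structs that are embedded as-is into every PodSpec the operator builds, so a later write through any one of those specs (e.g. a caller doing `spec.SecurityContext.RunAsUser = ...` for a single workload) silently changes the context of every pod built afterwards, and the `pointer.Bool`/`pointer.Int64` fields are shared pointers as well. Exposing them as functions that return a fresh value, as sketched below, removes the aliasing at the cost of adding `()` at the five call sites; at minimum add `// Callers must not mutate these shared values; DeepCopy() before changing any field.` above the `var` block. Two smaller points: `databaseUserId` should be `databaseUserID` per Go initialism convention, and the comment on `ContainerSecurityContext` should start with the name, e.g. `// ContainerSecurityContext is the restricted container context for all operator-managed containers: no privilege escalation and every capability dropped.`. It would also help to note in the package doc that, together with `RunAsNonRoot` and the seccomp profile, these fields match the Pod Security Standards "restricted" profile, provided the pod uses no host namespaces or unrestricted volume types (not visible here).
```go
// ContainerSecurityContext returns a fresh restricted container security
// context: no privilege escalation and every Linux capability dropped.
// Returning a new value per call keeps PodSpecs from aliasing one shared struct.
func ContainerSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: pointer.Bool(false),
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
	}
}

// … same pattern for GenericPodSecurityContext() and DatabasePodSecurityContext() …
```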
@@ -98,11 +99,11 @@ func createUpgradeJob(ctx pcontext.Context, p *v1alpha1.PatroniPostgres, mode st
 v1.ResourceMemory: resource.MustParse("64Mi"),
 },
 },
- SecurityContext: statefulset.SecurityContext,
+ SecurityContext: security.ContainerSecurityContext,
 },
 },
 RestartPolicy: v1.RestartPolicyOnFailure,
- SecurityContext: statefulset.PodSecurityContext,
+ SecurityContext: security.GenericPodSecurityContext,
 },
 },
 },
diff --git a/private/upgrade/primary.go b/private/upgrade/primary.go
index bf6de53..408a4b1 100644
--- a/private/upgrade/primary.go
+++ b/private/upgrade/primary.go
@@ -45,6 +45,7 @@ import (
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/configmap"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+ "github.com/k-web-s/patroni-postgres-operator/private/security"
 "github.com/k-web-s/patroni-postgres-operator/private/upgrade/preupgrade"
 )
 
@@ -141,7 +142,7 @@ func (primaryUpgradeHandler) handle(ctx pcontext.Context, p *v1alpha1.PatroniPos
 Resources: v1.ResourceRequirements{
 Requests: p.Spec.Resources.Requests,
 },
- SecurityContext: statefulset.SecurityContext,
+ SecurityContext: security.ContainerSecurityContext,
 },
 },
 Volumes: []v1.Volume{
@@ -155,7 +156,7 @@ func (primaryUpgradeHandler) handle(ctx pcontext.Context, p *v1alpha1.PatroniPos
 },
 },
 RestartPolicy: v1.RestartPolicyOnFailure,
- SecurityContext: statefulset.PodSecurityContext,
+ SecurityContext: security.DatabasePodSecurityContext,
 },
 },
 },
diff --git a/private/upgrade/secondary-client.go b/private/upgrade/secondary-client.go
index a3a57b8..d31ff1e 100644
--- a/private/upgrade/secondary-client.go
+++ b/private/upgrade/secondary-client.go
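Review bot: The upgrade job now runs under `security.GenericPodSecurityContext`, which sets `RunAsNonRoot: true` with no `RunAsUser`, whereas before this hunk it inherited `statefulset.PodSecurityContext` and ran as UID 15432. With no UID in the spec the kubelet enforces `RunAsNonRoot` against the image's `USER`: an image that runs as root or names a non-numeric user is refused at container start (`CreateContainerConfigError`, "cannot verify user is non-root"), so the job would never execute. Unless the job image is known to declare a numeric non-root `USER`, set the UID explicitly here or document the requirement on the shared value, e.g. `// GenericPodSecurityContext sets no RunAsUser; images used with it must declare a numeric non-root USER or the kubelet rejects the container.`. The job also loses `FSGroup`, which matters if it mounts any volume; the image and volumes are not visible in this hunk, and `createUpgradeJob` starts outside it.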
@@ -40,6 +40,7 @@ import (
 pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+ "github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 var (
@@ -95,7 +96,7 @@ func upgradeSecondariesEnsureseclients(ctx pcontext.Context, p *v1alpha1.Patroni
 Resources: v1.ResourceRequirements{
 Requests: p.Spec.Resources.Requests,
 },
- SecurityContext: statefulset.SecurityContext,
+ SecurityContext: security.ContainerSecurityContext,
 },
 },
 Volumes: []v1.Volume{
@@ -109,7 +110,7 @@ func upgradeSecondariesEnsureseclients(ctx pcontext.Context, p *v1alpha1.Patroni
 },
 },
 RestartPolicy: v1.RestartPolicyOnFailure,
- SecurityContext: statefulset.PodSecurityContext,
+ SecurityContext: security.DatabasePodSecurityContext,
 },
 },
 },
diff --git a/private/upgrade/secondary-stream.go b/private/upgrade/secondary-stream.go
index fdd7788..98ec306 100644
--- a/private/upgrade/secondary-stream.go
+++ b/private/upgrade/secondary-stream.go
@@ -41,6 +41,7 @@ import (
 pcontext "github.com/k-web-s/patroni-postgres-operator/private/context"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/pvc"
 "github.com/k-web-s/patroni-postgres-operator/private/controllers/statefulset"
+ "github.com/k-web-s/patroni-postgres-operator/private/security"
 )
 
 var (
@@ -104,7 +105,7 @@ func upgradeSecondariesEnsurestreamer(ctx pcontext.Context, p *v1alpha1.PatroniP
 Resources: v1.ResourceRequirements{
 Requests: p.Spec.Resources.Requests,
 },
- SecurityContext: statefulset.SecurityContext,
+ SecurityContext: security.ContainerSecurityContext,
 },
 },
 Volumes: []v1.Volume{
@@ -117,7 +118,7 @@ func upgradeSecondariesEnsurestreamer(ctx pcontext.Context, p *v1alpha1.PatroniP
 },
 },
 },
- SecurityContext: statefulset.PodSecurityContext,
+ SecurityContext: security.DatabasePodSecurityContext,
 },
 },
 },