From a7a036d04ee345b013e9136977d7a5f4cf958f32 Mon Sep 17 00:00:00 2001 From: Eleonora Zinchenko Date: Wed, 4 Dec 2024 20:12:20 +0200 Subject: [PATCH] K8SPXC-1456: add tests for initContainer security-context (#1894) * K8SPXC-1456: add security context check * Fix context before init update * Remove extra Context * revert change for pitr * changes for openshift --- ...store-job-restore-pvc-sec-context-k127.yml | 92 ------- ...estore-job-restore-s3-sec-context-k127.yml | 101 ------- ...lset_sec-context-proxysql-changes-k127.yml | 251 ----------------- ...fulset_sec-context-proxysql-changes-oc.yml | 7 + ...atefulset_sec-context-proxysql-changes.yml | 19 +- .../statefulset_sec-context-proxysql-k127.yml | 238 ---------------- .../statefulset_sec-context-proxysql-oc.yml | 3 + .../statefulset_sec-context-proxysql.yml | 13 +- ...atefulset_sec-context-pxc-changes-k127.yml | 256 ------------------ .../statefulset_sec-context-pxc-changes.yml | 5 + .../statefulset_sec-context-pxc-k127.yml | 243 ----------------- .../compare/statefulset_sec-context-pxc.yml | 3 + .../conf/sec-context-changes.yml | 5 + 13 files changed, 52 insertions(+), 1184 deletions(-) delete mode 100644 e2e-tests/security-context/compare/job.batch_restore-job-restore-pvc-sec-context-k127.yml delete mode 100644 e2e-tests/security-context/compare/job.batch_restore-job-restore-s3-sec-context-k127.yml delete mode 100644 e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-k127.yml delete mode 100644 e2e-tests/security-context/compare/statefulset_sec-context-proxysql-k127.yml delete mode 100644 e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes-k127.yml delete mode 100644 e2e-tests/security-context/compare/statefulset_sec-context-pxc-k127.yml 
diff --git a/e2e-tests/security-context/compare/job.batch_restore-job-restore-pvc-sec-context-k127.yml b/e2e-tests/security-context/compare/job.batch_restore-job-restore-pvc-sec-context-k127.yml deleted file mode 100644 index d4f696239..000000000 --- a/e2e-tests/security-context/compare/job.batch_restore-job-restore-pvc-sec-context-k127.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - generation: 1 - labels: - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - percona.com/restore-job-name: restore-job-restore-pvc-sec-context - name: restore-job-restore-pvc-sec-context - ownerReferences: - - controller: true - kind: PerconaXtraDBClusterRestore - name: restore-pvc -spec: - backoffLimit: 4 - completionMode: NonIndexed - completions: 1 - parallelism: 1 - selector: - matchLabels: {} - suspend: false - template: - metadata: - annotations: - openshift.io/scc: privileged - labels: - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - percona.com/restore-job-name: restore-job-restore-pvc-sec-context - spec: - containers: - - command: - - recovery-pvc-joiner.sh - env: - - name: RESTORE_SRC_SERVICE - value: restore-src-restore-pvc-sec-context - - name: XB_USE_MEMORY - value: 100MB - imagePullPolicy: Always - name: xtrabackup - resources: {} - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /datadir - name: datadir - - mountPath: /etc/mysql/vault-keyring-secret - name: vault-keyring-secret - - mountPath: /etc/mysql/ssl - name: ssl - - mountPath: /etc/mysql/ssl-internal - name: ssl-internal - dnsPolicy: ClusterFirst - restartPolicy: Never - schedulerName: default-scheduler - securityContext: - fsGroup: 1001 - runAsUser: 1001 - supplementalGroups: - - 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 30 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - 
whenUnsatisfiable: ScheduleAnyway - volumes: - - name: datadir - persistentVolumeClaim: - claimName: datadir-sec-context-pxc-0 - - name: vault-keyring-secret - secret: - defaultMode: 420 - optional: true - secretName: sec-context-vault - - name: ssl-internal - secret: - defaultMode: 420 - optional: true - secretName: some-name-ssl-internal - - name: ssl - secret: - defaultMode: 420 - optional: false - secretName: some-name-ssl diff --git a/e2e-tests/security-context/compare/job.batch_restore-job-restore-s3-sec-context-k127.yml b/e2e-tests/security-context/compare/job.batch_restore-job-restore-s3-sec-context-k127.yml deleted file mode 100644 index 521e2e5c0..000000000 --- a/e2e-tests/security-context/compare/job.batch_restore-job-restore-s3-sec-context-k127.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - generation: 1 - labels: - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - percona.com/restore-job-name: restore-job-restore-s3-sec-context - name: restore-job-restore-s3-sec-context - ownerReferences: - - controller: true - kind: PerconaXtraDBClusterRestore - name: restore-s3 -spec: - backoffLimit: 4 - completionMode: NonIndexed - completions: 1 - parallelism: 1 - selector: - matchLabels: {} - suspend: false - template: - metadata: - annotations: - openshift.io/scc: privileged - labels: - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - percona.com/restore-job-name: restore-job-restore-s3-sec-context - spec: - containers: - - command: - - recovery-cloud.sh - env: - - name: PXC_SERVICE - value: sec-context-pxc - - name: PXC_USER - value: xtrabackup - - name: PXC_PASS - valueFrom: - secretKeyRef: - key: xtrabackup - name: my-cluster-secrets - - name: VERIFY_TLS - value: "true" - - name: ENDPOINT - value: http://minio-service.namespace:9000/ - - name: DEFAULT_REGION - value: us-east-1 - - name: ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: AWS_ACCESS_KEY_ID - name: minio-secret - - name: SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: AWS_SECRET_ACCESS_KEY - name: minio-secret - - name: XB_USE_MEMORY - value: 100MB - imagePullPolicy: Always - name: xtrabackup - resources: {} - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /datadir - name: datadir - - mountPath: /etc/mysql/vault-keyring-secret - name: vault-keyring-secret - dnsPolicy: ClusterFirst - restartPolicy: Never - schedulerName: 
default-scheduler - securityContext: - fsGroup: 1001 - runAsUser: 1001 - supplementalGroups: - - 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 30 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - volumes: - - name: datadir - persistentVolumeClaim: - claimName: datadir-sec-context-pxc-0 - - name: vault-keyring-secret - secret: - defaultMode: 420 - optional: true - secretName: sec-context-vault diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-k127.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-k127.yml deleted file mode 100644 index 0d9ae745d..000000000 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-k127.yml +++ /dev/null 
@@ -1,251 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - generation: 2 - name: sec-context-proxysql - ownerReferences: - - controller: true - kind: PerconaXtraDBCluster - name: sec-context -spec: - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - podManagementPolicy: OrderedReady - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - serviceName: sec-context-proxysql-unready - template: - metadata: - labels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - spec: - containers: - - args: - - proxysql - - -f - - -c - - /etc/proxysql/proxysql.cnf - - --reload - command: - - /opt/percona/proxysql-entrypoint.sh - env: - - name: PXC_SERVICE - value: sec-context-pxc - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: proxysql - ports: - - containerPort: 3306 - name: mysql - protocol: TCP - - containerPort: 6032 - name: proxyadm - protocol: TCP - resources: - requests: - cpu: 100m - memory: 100M - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/proxysql - 
name: proxydata - - mountPath: /etc/proxysql/ssl - name: ssl - - mountPath: /etc/proxysql/ssl-internal - name: ssl-internal - - mountPath: /opt/percona - name: bin - - args: - - /opt/percona/peer-list - - -on-change=/opt/percona/proxysql_add_pxc_nodes.sh - - -service=$(PXC_SERVICE) - env: - - name: PXC_SERVICE - value: sec-context-pxc - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: pxc-monit - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - - args: - - /opt/percona/peer-list - - -on-change=/opt/percona/proxysql_add_proxysql_nodes.sh - - -service=$(PROXYSQL_SERVICE) - env: - - name: PROXYSQL_SERVICE - value: sec-context-proxysql-unready - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: proxysql-monit - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - dnsPolicy: ClusterFirst - initContainers: - - command: - - /pxc-init-entrypoint.sh - imagePullPolicy: Always - name: pxc-init - resources: - limits: - cpu: 50m - memory: 50M - 
securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: bin - - command: - - /proxysql-init-entrypoint.sh - imagePullPolicy: Always - name: proxysql-init - resources: - limits: - cpu: 50m - memory: 50M - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsGroup: 1001 - runAsUser: 1001 - supplementalGroups: - - 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 30 - topologySpreadConstraints: - - labelSelector: - matchLabels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - volumes: - - name: ssl-internal - secret: - defaultMode: 420 - optional: true - secretName: some-name-ssl-internal - - name: ssl - secret: - defaultMode: 420 - optional: false - secretName: some-name-ssl - - emptyDir: {} - name: bin - updateStrategy: - rollingUpdate: - partition: 0 - type: RollingUpdate - volumeClaimTemplates: - - metadata: - labels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - name: proxydata - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 6Gi - status: - phase: Pending 
diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-oc.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-oc.yml index d4f5c84c4..cee9bb735 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-oc.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes-oc.yml @@ -8,6 +8,9 @@ metadata: kind: PerconaXtraDBCluster name: sec-context spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain podManagementPolicy: OrderedReady replicas: 2 revisionHistoryLimit: 10 @@ -171,6 +174,8 @@ spec: memory: 50M securityContext: privileged: true + runAsGroup: 1001 + runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -186,6 +191,8 @@ spec: memory: 50M securityContext: privileged: true + runAsGroup: 1001 + runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes.yml index 39c6df263..cee9bb735 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-changes.yml @@ -8,6 +8,9 @@ metadata: kind: PerconaXtraDBCluster name: sec-context spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain podManagementPolicy: OrderedReady replicas: 2 revisionHistoryLimit: 10 @@ -29,7 +32,15 @@ spec: app.kubernetes.io/part-of: percona-xtradb-cluster spec: containers: - - env: + - args: + - proxysql + - -f + - -c + - /etc/proxysql/proxysql.cnf + - --reload + command: + - /opt/percona/proxysql-entrypoint.sh + env: - name: PXC_SERVICE value: sec-context-pxc - name: OPERATOR_PASSWORD 
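Review bot: The `persistentVolumeClaimRetentionPolicy` block added in the first hunk of statefulset_sec-context-proxysql-changes-oc.yml is exactly the field the deleted `-k127` fixtures carried, so the default fixtures presumably now match only clusters that populate it (the old suffix suggests Kubernetes 1.27 and later, but no version floor is stated anywhere in the patch), which quietly raises the minimum cluster version for the whole security-context test while the description only speaks of the init-container security context. The same field is added in statefulset_sec-context-proxysql-changes.yml, statefulset_sec-context-proxysql-oc.yml, statefulset_sec-context-proxysql.yml and statefulset_sec-context-pxc-changes.yml. One sentence in the description such as `Drop the -k127 compare variants; persistentVolumeClaimRetentionPolicy is now expected in the default fixtures` would make that visible to whoever runs the suite on an older cluster.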
@@ -163,6 +174,8 @@ spec: memory: 50M securityContext: privileged: true + runAsGroup: 1001 + runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -177,7 +190,9 @@ spec: cpu: 50m memory: 50M securityContext: - privileged: false + privileged: true + runAsGroup: 1001 + runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-k127.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-k127.yml deleted file mode 100644 index 3ff6b9b4c..000000000 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-k127.yml +++ /dev/null 
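Review bot: In the last hunk of statefulset_sec-context-proxysql-changes.yml the expectation for the `proxysql-init` container flips from `privileged: false` to `privileged: true`, while `pxc-init` in the hunk above already expected `privileged: true`; the fixture therefore asserts that the "changes" CR leaves both init containers privileged, and with `privileged: true` the added `runAsGroup: 1001` / `runAsUser: 1001` do not narrow what the container can do. Whether that is the intended CR value comes from conf/sec-context-changes.yml, which is outside this view; if the conf only sets runAsUser/runAsGroup for the proxysql init container, an expected `privileged: true` would mask an operator regression that applies the wrong init context, which is the kind of bug this test exists to catch. The same privileged-plus-runAs combination is expected for `pxc-init` in statefulset_sec-context-pxc-changes.yml. If the escalation is deliberate, stating it in the description (`proxysql init containers are expected privileged after the changes CR`) would save the next reader the same check.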
@@ -1,238 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - generation: 1 - name: sec-context-proxysql - ownerReferences: - - controller: true - kind: PerconaXtraDBCluster - name: sec-context -spec: - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - podManagementPolicy: OrderedReady - replicas: 2 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - serviceName: sec-context-proxysql-unready - template: - metadata: - labels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - spec: - containers: - - args: - - proxysql - - -f - - -c - - /etc/proxysql/proxysql.cnf - - --reload - command: - - /opt/percona/proxysql-entrypoint.sh - env: - - name: PXC_SERVICE - value: sec-context-pxc - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: proxysql - ports: - - containerPort: 3306 - name: mysql - protocol: TCP - - containerPort: 6032 - name: proxyadm - protocol: TCP - resources: - requests: - cpu: 100m - memory: 100M - securityContext: - privileged: false - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/proxysql - 
name: proxydata - - mountPath: /etc/proxysql/ssl - name: ssl - - mountPath: /etc/proxysql/ssl-internal - name: ssl-internal - - mountPath: /opt/percona - name: bin - - args: - - /opt/percona/peer-list - - -on-change=/opt/percona/proxysql_add_pxc_nodes.sh - - -service=$(PXC_SERVICE) - env: - - name: PXC_SERVICE - value: sec-context-pxc - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: pxc-monit - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - - args: - - /opt/percona/peer-list - - -on-change=/opt/percona/proxysql_add_proxysql_nodes.sh - - -service=$(PROXYSQL_SERVICE) - env: - - name: PROXYSQL_SERVICE - value: sec-context-proxysql-unready - - name: OPERATOR_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: PROXY_ADMIN_USER - value: proxyadmin - - name: PROXY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: proxyadmin - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - envFrom: - - secretRef: - name: sec-context-env-vars-proxysql - optional: true - imagePullPolicy: Always - name: proxysql-monit - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - dnsPolicy: ClusterFirst - initContainers: - - command: - - /pxc-init-entrypoint.sh - imagePullPolicy: Always - name: pxc-init - resources: - limits: - cpu: 50m - memory: 50M - 
securityContext: - privileged: false - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: bin - - command: - - /proxysql-init-entrypoint.sh - imagePullPolicy: Always - name: proxysql-init - resources: - limits: - cpu: 50m - memory: 50M - securityContext: - privileged: false - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /opt/percona - name: bin - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - fsGroup: 1001 - runAsUser: 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 30 - volumes: - - name: ssl-internal - secret: - defaultMode: 420 - optional: true - secretName: some-name-ssl-internal - - name: ssl - secret: - defaultMode: 420 - optional: false - secretName: some-name-ssl - - emptyDir: {} - name: bin - updateStrategy: - rollingUpdate: - partition: 0 - type: RollingUpdate - volumeClaimTemplates: - - metadata: - labels: - app.kubernetes.io/component: proxysql - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - name: proxydata - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 6Gi - status: - phase: Pending diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-oc.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-oc.yml index 5a7aac1b6..3ff6b9b4c 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-oc.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql-oc.yml 
@@ -8,6 +8,9 @@ metadata: kind: PerconaXtraDBCluster name: sec-context spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain podManagementPolicy: OrderedReady replicas: 2 revisionHistoryLimit: 10 diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql.yml b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql.yml index 36decd413..3ff6b9b4c 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-proxysql.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-proxysql.yml @@ -8,6 +8,9 @@ metadata: kind: PerconaXtraDBCluster name: sec-context spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain podManagementPolicy: OrderedReady replicas: 2 revisionHistoryLimit: 10 @@ -29,7 +32,15 @@ spec: app.kubernetes.io/part-of: percona-xtradb-cluster spec: containers: - - env: + - args: + - proxysql + - -f + - -c + - /etc/proxysql/proxysql.cnf + - --reload + command: + - /opt/percona/proxysql-entrypoint.sh + env: - name: PXC_SERVICE value: sec-context-pxc - name: OPERATOR_PASSWORD diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes-k127.yml b/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes-k127.yml deleted file mode 100644 index ddcf3101f..000000000 --- a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes-k127.yml +++ /dev/null 
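Review bot: After this hunk statefulset_sec-context-proxysql-oc.yml ends at blob 3ff6b9b4c, the same blob as statefulset_sec-context-proxysql.yml (index 36decd413..3ff6b9b4c) and as the deleted statefulset_sec-context-proxysql-k127.yml, and the -changes pair likewise both end at cee9bb735, so the OpenShift variant no longer differs from the default one. If the compare helper falls back to the plain file when no -oc variant exists (the helper is not in this view), the two -oc copies could be dropped so the next security-context fix is not applied to one copy and missed in the other; if the helper requires the -oc file, a note in the test that the two are intentionally identical would serve the same purpose.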
@@ -1,256 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - generation: 2 - name: sec-context-pxc - ownerReferences: - - controller: true - kind: PerconaXtraDBCluster - name: sec-context -spec: - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - podManagementPolicy: OrderedReady - replicas: 3 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - serviceName: sec-context-pxc - template: - metadata: - annotations: - openshift.io/scc: privileged - labels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - topologyKey: kubernetes.io/hostname - containers: - - args: - - mysqld - command: - - /var/lib/mysql/pxc-entrypoint.sh - env: - - name: PXC_SERVICE - value: sec-context-pxc-unready - - name: MONITOR_HOST - value: '%' - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: root - name: internal-sec-context - - name: XTRABACKUP_PASSWORD - valueFrom: - secretKeyRef: - key: xtrabackup - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - - name: OPERATOR_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: 
LIVENESS_CHECK_TIMEOUT - value: "5" - - name: READINESS_CHECK_TIMEOUT - value: "15" - - name: DEFAULT_AUTHENTICATION_PLUGIN - value: mysql_native_password - - name: NOTIFY_SOCKET - value: /var/lib/mysql/notify.sock - - name: MYSQL_STATE_FILE - value: /var/lib/mysql/mysql.state - envFrom: - - secretRef: - name: sec-context-env-vars-pxc - optional: true - imagePullPolicy: Always - livenessProbe: - exec: - command: - - /var/lib/mysql/liveness-check.sh - failureThreshold: 3 - initialDelaySeconds: 300 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: pxc - ports: - - containerPort: 3306 - name: mysql - protocol: TCP - - containerPort: 4444 - name: sst - protocol: TCP - - containerPort: 4567 - name: write-set - protocol: TCP - - containerPort: 4568 - name: ist - protocol: TCP - - containerPort: 33062 - name: mysql-admin - protocol: TCP - - containerPort: 33060 - name: mysqlx - protocol: TCP - readinessProbe: - exec: - command: - - /var/lib/mysql/readiness-check.sh - failureThreshold: 5 - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 15 - resources: - limits: - cpu: "1" - memory: 1G - requests: - cpu: 100m - memory: 100M - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: datadir - - mountPath: /etc/percona-xtradb-cluster.conf.d - name: config - - mountPath: /tmp - name: tmp - - mountPath: /etc/mysql/ssl - name: ssl - - mountPath: /etc/mysql/ssl-internal - name: ssl-internal - - mountPath: /etc/mysql/mysql-users-secret - name: mysql-users-secret-file - - mountPath: /etc/my.cnf.d - name: auto-config - - mountPath: /etc/mysql/vault-keyring-secret - name: vault-keyring-secret - - mountPath: /etc/mysql/init-file - name: mysql-init-file - dnsPolicy: ClusterFirst - initContainers: - - command: - - /pxc-init-entrypoint.sh - imagePullPolicy: Always - name: pxc-init - resources: - limits: - cpu: 50m - 
memory: 50M - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: datadir - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - fsGroup: 1001 - runAsUser: 1001 - supplementalGroups: - - 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 600 - topologySpreadConstraints: - - labelSelector: - matchLabels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - volumes: - - emptyDir: {} - name: tmp - - configMap: - defaultMode: 420 - name: sec-context-pxc - optional: true - name: config - - name: ssl-internal - secret: - defaultMode: 420 - optional: true - secretName: some-name-ssl-internal - - name: ssl - secret: - defaultMode: 420 - optional: false - secretName: some-name-ssl - - configMap: - defaultMode: 420 - name: auto-sec-context-pxc - optional: true - name: auto-config - - name: vault-keyring-secret - secret: - defaultMode: 420 - optional: true - secretName: sec-context-vault - - name: mysql-users-secret-file - secret: - defaultMode: 420 - optional: false - secretName: internal-sec-context - - name: mysql-init-file - secret: - defaultMode: 420 - optional: true - secretName: sec-context-mysql-init - updateStrategy: - rollingUpdate: - partition: 0 - type: RollingUpdate - volumeClaimTemplates: - - metadata: - labels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: 
percona-xtradb-cluster - name: datadir - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - status: - phase: Pending diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes.yml b/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes.yml index edb925f12..bf4c6d724 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes.yml +++ b/e2e-tests/security-context/compare/statefulset_sec-context-pxc-changes.yml @@ -8,6 +8,9 @@ metadata: kind: PerconaXtraDBCluster name: sec-context spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain podManagementPolicy: OrderedReady replicas: 3 revisionHistoryLimit: 10 @@ -166,6 +169,8 @@ spec: memory: 50M securityContext: privileged: true + runAsGroup: 1001 + runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-k127.yml b/e2e-tests/security-context/compare/statefulset_sec-context-pxc-k127.yml deleted file mode 100644 index b7eccb73b..000000000 --- a/e2e-tests/security-context/compare/statefulset_sec-context-pxc-k127.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - generation: 1 - name: sec-context-pxc - ownerReferences: - - controller: true - kind: PerconaXtraDBCluster - name: sec-context -spec: - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - podManagementPolicy: OrderedReady - replicas: 3 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - serviceName: sec-context-pxc - template: - metadata: - annotations: - openshift.io/scc: privileged - labels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - topologyKey: kubernetes.io/hostname - containers: - - args: - - mysqld - command: - - /var/lib/mysql/pxc-entrypoint.sh - env: - - name: PXC_SERVICE - value: sec-context-pxc-unready - - name: MONITOR_HOST - value: '%' - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: root - name: internal-sec-context - - name: XTRABACKUP_PASSWORD - valueFrom: - secretKeyRef: - key: xtrabackup - name: internal-sec-context - - name: MONITOR_PASSWORD - valueFrom: - secretKeyRef: - key: monitor - name: internal-sec-context - - name: OPERATOR_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: operator - name: internal-sec-context - - name: 
LIVENESS_CHECK_TIMEOUT - value: "5" - - name: READINESS_CHECK_TIMEOUT - value: "15" - - name: DEFAULT_AUTHENTICATION_PLUGIN - value: mysql_native_password - - name: NOTIFY_SOCKET - value: /var/lib/mysql/notify.sock - - name: MYSQL_STATE_FILE - value: /var/lib/mysql/mysql.state - envFrom: - - secretRef: - name: sec-context-env-vars-pxc - optional: true - imagePullPolicy: Always - livenessProbe: - exec: - command: - - /var/lib/mysql/liveness-check.sh - failureThreshold: 3 - initialDelaySeconds: 300 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: pxc - ports: - - containerPort: 3306 - name: mysql - protocol: TCP - - containerPort: 4444 - name: sst - protocol: TCP - - containerPort: 4567 - name: write-set - protocol: TCP - - containerPort: 4568 - name: ist - protocol: TCP - - containerPort: 33062 - name: mysql-admin - protocol: TCP - - containerPort: 33060 - name: mysqlx - protocol: TCP - readinessProbe: - exec: - command: - - /var/lib/mysql/readiness-check.sh - failureThreshold: 5 - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 15 - resources: - limits: - cpu: "1" - memory: 1G - requests: - cpu: 100m - memory: 100M - securityContext: - privileged: false - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: datadir - - mountPath: /etc/percona-xtradb-cluster.conf.d - name: config - - mountPath: /tmp - name: tmp - - mountPath: /etc/mysql/ssl - name: ssl - - mountPath: /etc/mysql/ssl-internal - name: ssl-internal - - mountPath: /etc/mysql/mysql-users-secret - name: mysql-users-secret-file - - mountPath: /etc/my.cnf.d - name: auto-config - - mountPath: /etc/mysql/vault-keyring-secret - name: vault-keyring-secret - - mountPath: /etc/mysql/init-file - name: mysql-init-file - dnsPolicy: ClusterFirst - initContainers: - - command: - - /pxc-init-entrypoint.sh - imagePullPolicy: Always - name: pxc-init - resources: - limits: - cpu: 50m - 
memory: 50M - securityContext: - privileged: false - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/lib/mysql - name: datadir - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - fsGroup: 1001 - runAsUser: 1001 - serviceAccount: percona-xtradb-cluster-operator-workload - serviceAccountName: percona-xtradb-cluster-operator-workload - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: tmp - - configMap: - defaultMode: 420 - name: sec-context-pxc - optional: true - name: config - - name: ssl-internal - secret: - defaultMode: 420 - optional: true - secretName: some-name-ssl-internal - - name: ssl - secret: - defaultMode: 420 - optional: false - secretName: some-name-ssl - - configMap: - defaultMode: 420 - name: auto-sec-context-pxc - optional: true - name: auto-config - - name: vault-keyring-secret - secret: - defaultMode: 420 - optional: true - secretName: sec-context-vault - - name: mysql-users-secret-file - secret: - defaultMode: 420 - optional: false - secretName: internal-sec-context - - name: mysql-init-file - secret: - defaultMode: 420 - optional: true - secretName: sec-context-mysql-init - updateStrategy: - rollingUpdate: - partition: 0 - type: RollingUpdate - volumeClaimTemplates: - - metadata: - labels: - app.kubernetes.io/component: pxc - app.kubernetes.io/instance: sec-context - app.kubernetes.io/managed-by: percona-xtradb-cluster-operator - app.kubernetes.io/name: percona-xtradb-cluster - app.kubernetes.io/part-of: percona-xtradb-cluster - name: datadir - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - status: - phase: Pending diff --git a/e2e-tests/security-context/compare/statefulset_sec-context-pxc.yml b/e2e-tests/security-context/compare/statefulset_sec-context-pxc.yml index 3c8b459fb..b7eccb73b 100644 --- a/e2e-tests/security-context/compare/statefulset_sec-context-pxc.yml 
+++ b/e2e-tests/security-context/compare/statefulset_sec-context-pxc.yml
@@ -8,6 +8,9 @@ metadata:
kind: PerconaXtraDBCluster
name: sec-context
spec:
+ persistentVolumeClaimRetentionPolicy:
+ whenDeleted: Retain
+ whenScaled: Retain
podManagementPolicy: OrderedReady
replicas: 3
revisionHistoryLimit: 10
diff --git a/e2e-tests/security-context/conf/sec-context-changes.yml b/e2e-tests/security-context/conf/sec-context-changes.yml
index ff904c9f3..9d2819781 100644
--- a/e2e-tests/security-context/conf/sec-context-changes.yml
+++ b/e2e-tests/security-context/conf/sec-context-changes.yml
@@ -8,6 +8,11 @@ spec:
secretsName: my-cluster-secrets
sslSecretName: some-name-ssl
sslInternalSecretName: some-name-ssl-internal
+ initContainer:
+ containerSecurityContext:
+ privileged: true
+ runAsUser: 1001
+ runAsGroup: 1001
pxc:
annotations:
openshift.io/scc: privileged
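Review bot: The new `initContainer.containerSecurityContext` only exercises a permissive context (`privileged: true` plus a non-root `runAsUser`/`runAsGroup`), so the test proves that those three fields are passed through but not that a hardening context reaches the init container. A regression that copied `privileged` and the run-as fields while dropping others would still pass; a second fixture setting `privileged: false`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}`, with the corresponding lines asserted in the compare output, would close that gap. Note also that with `privileged: true` the `runAsUser: 1001` value is a weaker control than it looks, since a privileged container is exempt from much of the runtime's isolation (device masking, seccomp defaults, capability bounds) regardless of the UID it runs as; that is fine for a fixture, but a comment such as `# deliberately permissive: exercises propagation only, not a hardened profile` would stop it being copied into a real manifest.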