mongodb / helm-charts

Apache License 2.0

Cannot make MongoDB community instances compliant with PSA restricted #323

Closed alinalex1392 closed 5 months ago

alinalex1392 commented 5 months ago

What did you do to encounter the bug? I am trying to make the MongoDB instance compliant with PSA, meaning that I need to set different securityContext settings on the instances. In the PSA restricted level there is a rule to drop all the container capabilities. In order to do that I need to have a field exposed in the community CR so that I can configure the capabilities on container level:

```
kubectl label --dry-run=server --overwrite ns mongodb pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "mongodb" violate the new PodSecurity enforce level "restricted:latest"
Warning: rs-1-0: unrestricted capabilities
```

Instance Example:

```yaml
  rs:
    spec:
      members: 1
      type: ReplicaSet
      version: "5.0.26"
      security:
        authentication:
          modes: ["SCRAM"]
      containerSecurityContext:
        capabilities:
          drop:
            - ALL
      statefulSet:
        spec:
          template:
            spec:
              securityContext:
                runAsNonRoot: true
                fsGroup: 10000
                runAsUser: 10000
                runAsGroup: 10000
                seccompProfile:
                  type: RuntimeDefault
              imagePullSecrets:
                - name: "mongodb-pull-secret"
      users:
        - name: my-user
          db: admin
          passwordSecretRef: # a reference to the secret that will be used to generate the user's password
            name: my-user-password
          roles:
            - name: clusterAdmin
              db: admin
            - name: userAdminAnyDatabase
              db: admin
            - name: dbOwner
              db: admin
          scramCredentialsSecretName: my-scram
      additionalMongodConfig:
        storage.wiredTiger.engineConfig.journalCompressor: zlib
```

What did you expect? I want a new CR field to be created in order to control securityContext at container level

```yaml
      containerSecurityContext:
        capabilities:
          drop:
            - ALL
```

What happened instead? No method exposed to overwrite container level security context
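The warning in the report comes from the Pod Security Admission "restricted" profile, whose container-level controls cannot be satisfied from the pod-level `securityContext` alone: `capabilities.drop: [ALL]` and `allowPrivilegeEscalation: false` exist only on the container. The following offline checker, an added example that is not code from mongodb/helm-charts or the MongoDB Community Operator, applies those restricted-profile rules to a pod template spec the same way the admission controller does (container field wins, pod field is the default) and reports violations in the style of the `kubectl --dry-run=server` warnings. The two pod specs are constructed: the first carries the pod-level `securityContext` from the issue's CR with a container (named `mongod` here as an assumption) that has no `securityContext`; the second adds the container-level fields the issue asks the CR to expose. Function names and message strings are this example's own.

```python
"""Offline check of a pod template spec against the container-level
controls of the Kubernetes Pod Security Standards "restricted" profile.

Added example, not code from mongodb/helm-charts or the MongoDB Community
Operator. Pod specs below are constructed; the container name "mongod" is
an assumption, as are the function and message names.
"""
from typing import Any, Dict, List

# After dropping ALL, the restricted profile lets a container add back
# only NET_BIND_SERVICE.
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}


def _containers(pod_spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Every container the profile evaluates: init, ephemeral and regular."""
    return (
        pod_spec.get("initContainers", [])
        + pod_spec.get("ephemeralContainers", [])
        + pod_spec.get("containers", [])
    )


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return one message per container-level restricted-profile violation.

    Pod-level securityContext fields act as defaults for each container and
    a container-level field overrides them. Capabilities and
    allowPrivilegeEscalation have no pod-level equivalent, which is why the
    CR needs a containerSecurityContext knob to become compliant.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    violations: List[str] = []
    for c in _containers(pod_spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Capabilities: must drop ALL; only NET_BIND_SERVICE may be added.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: unrestricted capabilities")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPABILITIES
        if extra:
            violations.append(f"{name}: non-default capabilities {sorted(extra)}")

        # allowPrivilegeEscalation must be explicitly false (container-only field).
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")

        # runAsNonRoot: container value wins, else pod value; must be true.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")

        # runAsUser: wherever it is set, it must not be 0.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser=0")

        # seccompProfile: container value wins, else pod; RuntimeDefault or Localhost.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile")
    return violations


# Constructed: the pod-level securityContext from the issue's CR applied to a
# container that has no securityContext of its own.
POD_SPEC_FROM_ISSUE = {
    "securityContext": {
        "runAsNonRoot": True,
        "fsGroup": 10000,
        "runAsUser": 10000,
        "runAsGroup": 10000,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{"name": "mongod"}],
}

# Constructed: the same spec with the container-level fields the issue asks
# the CR to expose (restricted needs both, not only the capability drop).
POD_SPEC_HARDENED = {
    **POD_SPEC_FROM_ISSUE,
    "containers": [{
        "name": "mongod",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("issue CR", POD_SPEC_FROM_ISSUE), ("hardened", POD_SPEC_HARDENED)):
        print(label, restricted_violations(spec) or "compliant with restricted")
```

Run against the first spec it reports `mongod: unrestricted capabilities` (the same finding the dry-run label printed) plus the missing `allowPrivilegeEscalation: false`; the hardened spec reports nothing. Checking the rendered pod template this way before flipping the namespace label shows exactly which fields the CR has to let you set.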