reactive-tech / kubegres

Kubegres is a Kubernetes operator that deploys one or many clusters of PostgreSQL instances and manages database replication, failover and backup.
https://www.kubegres.io
Apache License 2.0
1.31k stars, 74 forks

Setting securityContext works for spec.securityContext but not for spec.container.securityContext #176

Closed CasperGN closed 6 months ago

CasperGN commented 6 months ago

Referencing #52, I understand that the intention was to allow for running with the following labels on the namespace level:

Labels: pod-security.kubernetes.io/enforce=restricted
        pod-security.kubernetes.io/enforce-version=latest

However, this requires more securityContext settings than just the PodSecurityContext; it also requires the container SecurityContext. For us to be able to run in a namespace with the above labels, we have the following deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment
  namespace: pgns
spec:
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:16.2@sha256:f58300ac8d393b2e3b09d36ea12d7d24ee9440440e421472a300e929ddb63460
          imagePullPolicy: 'Always'
          # Container-level SecurityContext. allowPrivilegeEscalation, capabilities,
          # readOnlyRootFilesystem and privileged exist only at this level.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            readOnlyRootFilesystem: true
            privileged: false
      # Pod-level PodSecurityContext. Applies to every container in the pod unless
      # the container's own SecurityContext overrides the equivalent field.
      securityContext:
        runAsUser: 70
        runAsGroup: 70
        fsGroup: 70
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

The above is trimmed for simplicity.

By allowing the Kubegres object to pass input through to spec.containers.securityContext, we'd be able to run under enforced Pod Security Standards.

An example of an input file could look as follows:

apiVersion: kubegres.reactive-tech.io/v1
kind: Kubegres
metadata:
  name: postgres
  namespace: pgns
  labels:
    some.labels.here
spec:
  replicas: 3
  image: postgres:16.2@sha256:f58300ac8d393b2e3b09d36ea12d7d24ee9440440e421472a300e929ddb63460
  port: 5432
  database:
    size: 4Gi
    storageClassName: postgres-retain
    volumeMount: /var/lib/postgresql/data
  resources:
    requests:
      memory: "2Gi"
      cpu: "1"
    limits:
      memory: "4Gi"
      cpu: "1"
  securityContext:
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    runAsNonRoot: true
    seccompProfile: 
      type: RuntimeDefault
# This is the addition
  containers:
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      privileged: false
      seccompProfile: 
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL
# addition end
  env:
  - name: POSTGRES_USER
    valueFrom:
      secretKeyRef:
        name: postgres-secrets
        key: POSTGRES_USER
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: postgres-secrets
        key: POSTGRES_PASSWORD
  - name: POSTGRES_SUPERUSER_PASSWORD
    valueFrom:
      secretKeyRef:
        name: postgres-secrets
        key: POSTGRES_SUPERUSER_PASSWORD
  - name: POSTGRES_REPLICATION_PASSWORD
    valueFrom:
      secretKeyRef:
        name: postgres-secrets
        key: POSTGRES_REPLICATION_PASSWORD

If I can have a pointer on where to look at implementing I wouldn't mind taking a stab at implementing this over the weekend.

alex-arica commented 6 months ago

Hi, thanks for your comments. Looking in the Kubernetes docs, my understanding is "The security settings that you specify for a Pod apply to all Containers in the Pod."
Currently Kubegres allows configuring security context on pod level. This should apply to the containers too.

Are you suggesting that you would like to also be able to define a security context for the container which can be different from the security context that applies to the pod?

CasperGN commented 6 months ago

Hi @alex-arica,

There's a difference in the spec of a SecurityContext and the PodSecurityContext:

SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.

The PodSecurityContext is lacking some of the options required by the Pod Security Standards enforced on the latest version, which is:

I've made the Pull Request #178 which implements the above.
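The two points made in this thread (container SecurityContext fields override the equivalent PodSecurityContext fields, and the restricted profile needs fields that only exist at container level) can be checked offline against the manifests above. The following is an added example written for this page, not Kubegres code and not the PSS admission controller itself: it merges the pod-level and container-level contexts the way the kubelet does, then runs the subset of restricted-profile checks relevant here (privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile). Host namespaces, hostPorts, volume types, sysctls and other baseline checks are deliberately left out. The pod specs are constructed inline from the deployment.yaml in the first comment; the function names are my own.

```python
"""Evaluate a pod spec against part of the Pod Security Standards 'restricted' profile.

Added example for this issue thread, not Kubegres code. It models two things
the discussion relies on:

1. Which securityContext fields exist at pod level, at container level, or at
   both levels (a container-level value overrides the pod-level one).
2. Restricted-profile checks that can only be satisfied at container level
   (allowPrivilegeEscalation and capabilities.drop), so a pod-level-only
   context is never enough.

Only a subset of the restricted profile is implemented (assumption, see lead-in).
"""
from copy import deepcopy

# Fields present in both PodSecurityContext and the container SecurityContext;
# the container value wins when set. (fsGroup, supplementalGroups, sysctls exist
# only at pod level and are irrelevant to the checks below.)
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile",
                 "seLinuxOptions", "windowsOptions")
# Fields that exist only in the container SecurityContext.
CONTAINER_ONLY_FIELDS = ("allowPrivilegeEscalation", "capabilities", "privileged",
                         "readOnlyRootFilesystem", "procMount")


def effective_context(pod_sc, container_sc):
    """Merge pod-level and container-level contexts: container fields override
    the equivalent pod fields; container-only fields come from the container."""
    eff = {}
    for field in SHARED_FIELDS:
        if field in container_sc:
            eff[field] = deepcopy(container_sc[field])
        elif field in pod_sc:
            eff[field] = deepcopy(pod_sc[field])
    for field in CONTAINER_ONLY_FIELDS:
        if field in container_sc:
            eff[field] = deepcopy(container_sc[field])
    return eff


def restricted_violations(pod_spec):
    """Return (container name, check) pairs that violate the restricted profile.

    Checks: privileged must not be true; allowPrivilegeEscalation must be
    explicitly false; capabilities must drop ALL and may add only
    NET_BIND_SERVICE; runAsNonRoot must be true and runAsUser must not be 0;
    seccompProfile.type must be RuntimeDefault or Localhost.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        name = container["name"]
        eff = effective_context(pod_sc, container.get("securityContext") or {})
        if eff.get("privileged") is True:
            violations.append((name, "privileged"))
        if eff.get("allowPrivilegeEscalation") is not False:
            violations.append((name, "allowPrivilegeEscalation"))
        caps = eff.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append((name, "capabilities.drop"))
        if any(cap != "NET_BIND_SERVICE" for cap in (caps.get("add") or [])):
            violations.append((name, "capabilities.add"))
        if eff.get("runAsNonRoot") is not True or eff.get("runAsUser") == 0:
            violations.append((name, "runAsNonRoot"))
        seccomp_type = (eff.get("seccompProfile") or {}).get("type")
        if seccomp_type not in ("RuntimeDefault", "Localhost"):
            violations.append((name, "seccompProfile"))
    return violations


# Constructed inputs, taken from the deployment.yaml in the issue.
POD_CONTEXT = {
    "runAsUser": 70, "runAsGroup": 70, "fsGroup": 70,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
CONTAINER_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
    "readOnlyRootFilesystem": True,
    "privileged": False,
}
# What Kubegres could express before this change: pod-level context only.
POD_LEVEL_ONLY = {
    "securityContext": POD_CONTEXT,
    "containers": [{"name": "postgres", "image": "postgres:16.2"}],
}
# The same pod with the container-level context the restricted profile needs.
WITH_CONTAINER_CONTEXT = {
    "securityContext": POD_CONTEXT,
    "containers": [{"name": "postgres", "image": "postgres:16.2",
                    "securityContext": CONTAINER_CONTEXT}],
}

if __name__ == "__main__":
    print("pod-level only:", restricted_violations(POD_LEVEL_ONLY))
    print("with container context:", restricted_violations(WITH_CONTAINER_CONTEXT))
```

Running it shows the pod-level-only spec failing exactly the two checks that have no pod-level field (allowPrivilegeEscalation and capabilities.drop) while runAsNonRoot and seccompProfile are inherited from the pod, and the spec with the container context passing. The merge function also shows the override direction alex-arica asked about: a container that sets runAsNonRoot: false under a pod that sets it true ends up non-compliant. One operational caveat that is independent of this issue: readOnlyRootFilesystem: true, as in the manifest above, is not required by the restricted profile, and the official postgres image needs writable paths (for example its Unix socket directory) that then have to be backed by volumes.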

alex-arica commented 6 months ago

ok, I am going to review the changes and keep you posted

CasperGN commented 6 months ago

Closing after merge of the PR.

alex-arica commented 6 months ago

Changes available with Kubegres 1.18