zalando / postgres-operator

Postgres operator creates and manages PostgreSQL clusters running in Kubernetes
https://postgres-operator.readthedocs.io/
MIT License

Feature Request: Non-Privilege-Escalation Support for Certificate Rotation & Backups #1730

Open haslersn opened 2 years ago

haslersn commented 2 years ago

Feature request: Support certificate rotation & backups without privilege escalation.

According to this documentation, enabling spilo_allow_privilege_escalation is required for certificate rotation & backups to work. However, this breaks those features when running under the Restricted policy of Pod Security Standards where privilege escalation must not be enabled. Therefore I request those features to work without privilege escalation.

Workaround

Currently the following (more insecure) workaround is required in every namespace where a PostgreSQL cluster is deployed (the non-namespaced ClusterRole is of course only needed once).

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-baseline
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    verbs: [use]
    resourceNames: [baseline]

---
# Workaround for https://github.com/zalando/postgres-operator/issues/1730
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-baseline
roleRef:
  kind: ClusterRole
  name: psp-baseline
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    # Match all ServiceAccounts in this namespace. ServiceAccounts in other
    # namespaces are not affected, because this is a (namespaced) RoleBinding.
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
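
As an added illustration of why the Restricted policy rejects the operator's pods (this is example code, not part of the issue or of the postgres-operator project): the Pod Security Standards "Restricted" profile requires `allowPrivilegeEscalation` to be explicitly `false` on every container, so a pod whose spilo container has it set to `true`, or simply unset, is refused by PodSecurity admission. The audit below reproduces that single control over a constructed, simplified spilo-like pod; the pod shape and the `spilo_allow_privilege_escalation` mapping are assumptions for the example.

```python
# Audit of the Pod Security Standards "Restricted" privilege-escalation control.
# Restricted requires securityContext.allowPrivilegeEscalation == false on every
# container (init, regular and ephemeral); an absent field is also a violation.
# Example code, not the project's own logic.

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def privilege_escalation_violations(pod):
    """Return '<list>/<container>' for each container that fails the control.

    `pod` is a dict shaped like a Kubernetes Pod manifest.
    """
    spec = pod.get("spec", {})
    violations = []
    for field in CONTAINER_LISTS:
        for container in spec.get(field, []):
            sc = container.get("securityContext") or {}
            # Only an explicit False passes; True and "unset" both fail.
            if sc.get("allowPrivilegeEscalation") is not False:
                violations.append(f"{field}/{container['name']}")
    return violations


def spilo_pod(spilo_allow_privilege_escalation):
    """Constructed stand-in for an operator-generated spilo pod (assumption).

    Mirrors the documented operator setting: the value is written into the
    spilo container's securityContext; None models the field being left unset.
    """
    container = {"name": "postgres", "image": "spilo:<tag-placeholder>"}
    if spilo_allow_privilege_escalation is not None:
        container["securityContext"] = {
            "allowPrivilegeEscalation": spilo_allow_privilege_escalation
        }
    return {
        "kind": "Pod",
        "metadata": {"name": "acid-minimal-cluster-0"},
        "spec": {"containers": [container]},
    }


def restricted_admits(pod):
    """True if the pod passes this one Restricted control."""
    return not privilege_escalation_violations(pod)
```

With the operator default (`true`) or the field unset the pod is rejected under a namespace labelled `pod-security.kubernetes.io/enforce=restricted`; only the explicit `false` passes, which is what the thread asks the feature to work with.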

haslersn commented 2 years ago

@FxKu can we perhaps use supercronic instead of cron?

haslersn commented 2 years ago

I think since https://github.com/zalando/spilo/commit/4a45ac42fcce5a96b10bb394330037f36a1d66bc this issue is solved. But the postgres-operator documentation (here) needs to be updated accordingly. Currently it still says:

spilo_allow_privilege_escalation Controls whether a process can gain more privileges than its parent process. Required by cron which needs setuid. Without this parameter, certification rotation & backups will not be done. The default is true.

This parameter is no longer needed for certificate rotation & backups, right?

haslersn commented 2 years ago

@CyberDem0n pinging you, since you authored https://github.com/zalando/spilo/commit/4a45ac42fcce5a96b10bb394330037f36a1d66bc

haslersn commented 6 months ago

@CyberDem0n do you have time to fix the documentation (as mentioned in https://github.com/zalando/postgres-operator/issues/1730#issuecomment-1172871922) and then close this issue?