SecurityContext configurations are missing for postgres-operator-ui and cluster configurations

zalando / postgres-operator

Postgres operator creates and manages PostgreSQL clusters running in Kubernetes

https://postgres-operator.readthedocs.io/

MIT License

4.11k stars 949 forks source link

SecurityContext configurations are missing for postgres-operator-ui and cluster configurations #2682

Open kndoni opened 4 days ago

kndoni commented 4 days ago

Hello I am trying to set up postgres-operator in kubernetes cluster. I am using latest version v1.12.2 Apparently I can only configure securityContext for postgres-operator with (allow_privilege_escalation and runAsNonRoot). But I can not do the same for postgres-operator-ui or for the cluster configuration itself. So with this issues in place I can not successfully use the operator. I also saw there are a lot of other issues ongoing related with this. Is there someone working on this issue already or do you plan to add this in the future?

Thanks in advance!

yyvess commented 3 days ago

As workaround you can use a kyverno ClusterPolicy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: postgresql-securitycontext
spec:
  rules:
    - name: mutate-postgresql-sts
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  application: spilo
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: RuntimeDefault
            securityContext:
              runAsNonRoot: true