Merge pull request #178 from CasperGN/ContainerSecurityContext

Add support for Container SecurityContext to enable Kubegres to run in pod security standard enforced namespace

Author: alex-arica

Diff for: api/v1/kubegres_types.go

@@ -62,21 +62,22 @@ type Probe struct {
 }
 
 type KubegresSpec struct {
-	Replicas           *int32                    `json:"replicas,omitempty"`
-	Image              string                    `json:"image,omitempty"`
-	Port               int32                     `json:"port,omitempty"`
-	ImagePullSecrets   []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
-	CustomConfig       string                    `json:"customConfig,omitempty"`
-	Database           KubegresDatabase          `json:"database,omitempty"`
-	Failover           KubegresFailover          `json:"failover,omitempty"`
-	Backup             KubegresBackUp            `json:"backup,omitempty"`
-	Env                []v1.EnvVar               `json:"env,omitempty"`
-	Scheduler          KubegresScheduler         `json:"scheduler,omitempty"`
-	Resources          v1.ResourceRequirements   `json:"resources,omitempty"`
-	Volume             Volume                    `json:"volume,omitempty"`
-	SecurityContext    *v1.PodSecurityContext    `json:"securityContext,omitempty"`
-	Probe              Probe                     `json:"probe,omitempty"`
-	ServiceAccountName string                    `json:"serviceAccountName,omitempty"`
+	Replicas                 *int32                    `json:"replicas,omitempty"`
+	Image                    string                    `json:"image,omitempty"`
+	Port                     int32                     `json:"port,omitempty"`
+	ImagePullSecrets         []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+	CustomConfig             string                    `json:"customConfig,omitempty"`
+	Database                 KubegresDatabase          `json:"database,omitempty"`
+	Failover                 KubegresFailover          `json:"failover,omitempty"`
+	Backup                   KubegresBackUp            `json:"backup,omitempty"`
+	Env                      []v1.EnvVar               `json:"env,omitempty"`
+	Scheduler                KubegresScheduler         `json:"scheduler,omitempty"`
+	Resources                v1.ResourceRequirements   `json:"resources,omitempty"`
+	Volume                   Volume                    `json:"volume,omitempty"`
+	SecurityContext          *v1.PodSecurityContext    `json:"securityContext,omitempty"`
+	ContainerSecurityContext *v1.SecurityContext       `json:"containerSecurityContext,omitempty"`
+	Probe                    Probe                     `json:"probe,omitempty"`
+	ServiceAccountName       string                    `json:"serviceAccountName,omitempty"`
 }
 
 // ----------------------- STATUS -----------------------------------------

Diff for: config/crd/bases/kubegres.reactive-tech.io_kubegres.yaml

@@ -28,6 +28,23 @@ spec:
   #  pvcName: backup
   #  volumeMount: /tmp/mypostgres
 
+  #containerSecurityContext:
+  #  allowPrivilegeEscalation: false
+  #  capabilities:
+  #    drop:
+  #      - ALL
+  #  seccompProfile:
+  #    type: RuntimeDefault
+  #  runAsNonRoot: true
+  #  readOnlyRootFilesystem: false
+  #  privileged: false
+
+  #securityContext:
+  #  runAsUser: 1001
+  #  runAsGroup: 1001
+  #  fsGroup: 1001
+  #  runAsNonRoot: true
+
   env:
     - name: POSTGRES_PASSWORD
       valueFrom:

Diff for: config/localresource/custom-namespace/kubegres.yaml

@@ -2,3 +2,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: custom
+  #labels:
+  #  pod-security.kubernetes.io/enforce: restricted
+  #  pod-security.kubernetes.io/enforce-version: latest    

Diff for: config/localresource/custom-namespace/namespace.yaml

@@ -7,8 +7,10 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.10
+	k8s.io/api v0.28.0
 	k8s.io/apimachinery v0.28.0
 	k8s.io/client-go v0.28.0
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/controller-runtime v0.16.0
 )
 
@@ -62,12 +64,10 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.28.0 // indirect
 	k8s.io/apiextensions-apiserver v0.28.0 // indirect
 	k8s.io/component-base v0.28.0 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

Diff for: go.mod

@@ -164,6 +164,7 @@ func addStatefulSetSpecEnforcers(rc *ResourcesContext) {
 	tolerationsSpecEnforcer := statefulset_spec2.CreateTolerationsSpecEnforcer(rc.KubegresContext)
 	resourcesSpecEnforcer := statefulset_spec2.CreateResourcesSpecEnforcer(rc.KubegresContext)
 	volumeSpecEnforcer := statefulset_spec2.CreateVolumeSpecEnforcer(rc.KubegresContext)
+	containerSecurityContextSpecEnforcer := statefulset_spec2.CreateContainerSecurityContextSpecEnforcer(rc.KubegresContext)
 	securityContextSpecEnforcer := statefulset_spec2.CreateSecurityContextSpecEnforcer(rc.KubegresContext)
 	livenessProbeSpecEnforcer := statefulset_spec2.CreateLivenessProbeSpecEnforcer(rc.KubegresContext)
 	readinessProbeSpecEnforcer := statefulset_spec2.CreateReadinessProbeSpecEnforcer(rc.KubegresContext)
@@ -178,6 +179,7 @@ func addStatefulSetSpecEnforcers(rc *ResourcesContext) {
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&tolerationsSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&resourcesSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&volumeSpecEnforcer)
+	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&containerSecurityContextSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&securityContextSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&livenessProbeSpecEnforcer)
 	rc.StatefulSetsSpecsEnforcer.AddSpecEnforcer(&readinessProbeSpecEnforcer)

Diff for: go.sum

@@ -0,0 +1,56 @@
+package statefulset_spec
+
+import (
+	"reflect"
+
+	apps "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
+	"reactive-tech.io/kubegres/internal/controller/ctx"
+)
+
+type ContainerSecurityContextSpecEnforcer struct {
+	KubegresContext ctx.KubegresContext
+}
+
+func CreateContainerSecurityContextSpecEnforcer(kubegresContext ctx.KubegresContext) ContainerSecurityContextSpecEnforcer {
+	return ContainerSecurityContextSpecEnforcer{KubegresContext: kubegresContext}
+}
+
+func (r *ContainerSecurityContextSpecEnforcer) GetSpecName() string {
+	return "ContainerSecurityContext"
+}
+
+func (r *ContainerSecurityContextSpecEnforcer) CheckForSpecDifference(statefulSet *apps.StatefulSet) StatefulSetSpecDifference {
+	current := statefulSet.Spec.Template.Spec.Containers[0].SecurityContext
+	expected := r.KubegresContext.Kubegres.Spec.ContainerSecurityContext
+	emptyContainerSecurityContext := &v1.SecurityContext{}
+
+	if expected == nil && reflect.DeepEqual(current, emptyContainerSecurityContext) {
+		return StatefulSetSpecDifference{}
+	}
+
+	if !reflect.DeepEqual(current, expected) {
+		return StatefulSetSpecDifference{
+			SpecName: r.GetSpecName(),
+			Current:  current.String(),
+			Expected: expected.String(),
+		}
+	}
+
+	return StatefulSetSpecDifference{}
+}
+
+func (r *ContainerSecurityContextSpecEnforcer) EnforceSpec(statefulSet *apps.StatefulSet) (wasSpecUpdated bool, err error) {
+
+	statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = r.KubegresContext.Kubegres.Spec.ContainerSecurityContext
+
+	if len(statefulSet.Spec.Template.Spec.InitContainers) > 0 {
+		statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext = r.KubegresContext.Kubegres.Spec.ContainerSecurityContext
+	}
+
+	return true, nil
+}
+
+func (r *ContainerSecurityContextSpecEnforcer) OnSpecEnforcedSuccessfully(statefulSet *apps.StatefulSet) error {
+	return nil
+}

Diff for: internal/controller/ctx/resources/ResourcesContext.go

@@ -254,6 +254,14 @@ func (r *ResourcesCreatorFromTemplate) initStatefulSet(
 		statefulSetTemplate.Spec.Template.Spec.Containers[0].VolumeMounts = append(statefulSetTemplate.Spec.Template.Spec.Containers[0].VolumeMounts, r.kubegresContext.Kubegres.Spec.Volume.VolumeMounts...)
 	}
 
+	if postgresSpec.ContainerSecurityContext != nil {
+		statefulSetTemplate.Spec.Template.Spec.Containers[0].SecurityContext = postgresSpec.ContainerSecurityContext
+
+		if len(statefulSetTemplate.Spec.Template.Spec.InitContainers) > 0 {
+			statefulSetTemplate.Spec.Template.Spec.InitContainers[0].SecurityContext = postgresSpec.ContainerSecurityContext
+		}
+	}
+
 	if postgresSpec.SecurityContext != nil {
 		statefulSetTemplate.Spec.Template.Spec.SecurityContext = postgresSpec.SecurityContext
 	}