
add support for `securityContext` in postgres containers

Open fad3t opened this issue 2 years ago • 6 comments

Hello,

I've noticed that the postgres container of the pods created by the operator has a very basic securityContext:

    securityContext:
      runAsUser: 1001

I saw there's a way to set the seccompProfile but I was hoping one can also set the full securityContext of the container, which doesn't seem to be the case. This is a problem when the restricted PSS is enforced.

This could become part of the ClusterSpec object - e.g. keeping the current value as defaults, but adding the option to override if required.

I don't know how much work this would represent, and I would be happy to help if I can - I would just need some guidance to get started.

Fred

fad3t avatar Sep 20 '23 06:09 fad3t

@fad3t hi!

Are you talking about restricted-scc? That's something from OpenShift, right?

Regards,

sxd avatar Sep 20 '23 14:09 sxd

Hi @sxd, no I'm referring to the pod security standards (cf. https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). We're enforcing it with Kyverno in our case, although I suppose this can be done otherwise.

fad3t avatar Sep 20 '23 15:09 fad3t

Hi @sxd, I see you have assigned yourself to this issue. Does this mean you're working on it? Otherwise I would be happy to contribute!

fad3t avatar Oct 05 '23 12:10 fad3t

Hi, any update? Thanks

fad3t avatar Nov 06 '23 06:11 fad3t

One more reason to have this feature is that large database pods might take up to 30 minutes to mount due to this issue: https://github.com/kubernetes/kubernetes/issues/69699

Using

    securityContext:
      fsGroupChangePolicy: "OnRootMismatch"

would fix this.

Preisschild avatar Nov 16 '23 18:11 Preisschild
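The two points raised above, the securityContext a container needs to pass the restricted Pod Security Standard and the fsGroupChangePolicy setting for large volumes, as an added Python example that is not part of this thread and not code from the cloudnative-pg operator. It encodes the securityContext rules of the restricted profile the way an admission policy evaluates them (container-level field first, pod-level as fallback), shows that the `runAsUser: 1001`-only context quoted in the issue fails four of them, and builds a pod spec that passes. The uid/gid 1001, the image name `postgres:16`, and the function names are assumptions; the profile's volume-type, host-namespace and hostPort controls are deliberately not covered.

```python
"""Added example (not cloudnative-pg code): check a pod spec against the
securityContext rules of the Pod Security Standards "restricted" profile
(https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)
and build a spec that passes them.

Assumptions: only the securityContext fields discussed in the thread are
checked; uid/gid 1001 and the image name are illustrative values.
"""

# Seccomp profile types the restricted profile accepts.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}

# The only capability the restricted profile allows a container to add back.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(pod_spec: dict) -> list:
    """Return human-readable violations; an empty list means the spec passes.

    Resolves fields the way Pod Security Admission does: a container-level
    value wins, and the pod-level securityContext is the fallback for the
    fields that exist at both levels (runAsNonRoot, runAsUser, seccompProfile).
    """
    violations = []
    pod_ctx = pod_spec.get("securityContext") or {}
    containers = list(pod_spec.get("containers") or []) + list(pod_spec.get("initContainers") or [])
    for container in containers:
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext") or {}

        def effective(field):
            return ctx[field] if field in ctx else pod_ctx.get(field)

        if ctx.get("privileged"):
            violations.append(f"{name}: privileged must be false or unset")
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        if effective("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true (container or pod level)")
        if effective("runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = effective("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost (container or pod level)")
    return violations


def restricted_pod_spec(image: str, uid: int = 1001, gid: int = 1001) -> dict:
    """Build a single-container pod spec that passes restricted_violations().

    fsGroupChangePolicy is not a PSS rule: it is the setting from the thread
    that skips the recursive chown of a large PGDATA volume on every mount
    when the volume root already has the expected owner and permissions.
    """
    return {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": uid,
            "runAsGroup": gid,
            "fsGroup": gid,
            "fsGroupChangePolicy": "OnRootMismatch",
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "postgres",
                "image": image,
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                    "runAsNonRoot": True,
                    "runAsUser": uid,
                },
            }
        ],
    }


# Constructed input: the securityContext quoted in the issue as the only thing set.
ISSUE_POD_SPEC = {
    "containers": [{"name": "postgres", "image": "postgres:16", "securityContext": {"runAsUser": 1001}}]
}

if __name__ == "__main__":
    for v in restricted_violations(ISSUE_POD_SPEC):
        print("FAIL", v)
    print("hardened spec violations:", restricted_violations(restricted_pod_spec("postgres:16")))
```

Running the module prints the four failures for the issue's context (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile) and an empty list for the hardened spec. Note that `runAsNonRoot: true` together with `runAsUser: 0` passes the admission check only on the uid rule; the kubelet still refuses to start that container, so the uid check here is what catches it early.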

Last I ran across this, setting the namespace to restricted prevented the init pods from starting entirely.

danieljkemp avatar Jun 26 '24 02:06 danieljkemp

@sxd, could you please review the PR I opened that is solving this issue?

x0ddf avatar Jan 17 '25 07:01 x0ddf

@x0ddf, thanks for this essential feature and your PR!

npgretz avatar Jan 30 '25 16:01 npgretz

Hi, @fad3t. I'm Dosu, and I'm helping the cloudnative-pg team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • You requested enhanced support for securityContext configuration in PostgreSQL containers to comply with Kubernetes Pod Security Standards.
  • @sxd inquired about specifics, and you clarified the use of Kyverno for enforcement.
  • @Preisschild emphasized the importance of this feature due to potential delays in mounting large database pods.
  • @x0ddf submitted a pull request to address the issue.
  • @npgretz expressed appreciation for the contribution.

Next Steps:

  • Please confirm if this issue is still relevant to the latest version of the cloudnative-pg repository by commenting here.
  • If no further updates are provided, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar May 01 '25 16:05 dosubot[bot]

Please keep this open, thanks.

fad3t avatar May 02 '25 06:05 fad3t

@Preisschild raised a great point that I came here specifically to check on. The fsGroupChangePolicy has been around since k8s 1.20, which far precedes the supported k8s releases, with CNPG 1.24 only officially offering support from k8s 1.28 onwards.

It seems that this would be a relatively small change with the potential for massive benefit for users with large filesystems.

iamasmith avatar May 06 '25 08:05 iamasmith