
Feature Request: Non-Privilege-Escalation Support for Certificate Rotation & Backups

Open haslersn opened this issue 3 years ago • 4 comments

Feature request: Support certificate rotation & backups without privilege escalation.

According to this documentation, enabling spilo_allow_privilege_escalation is required for certificate rotation & backups to work. However, this breaks those features when running under the Restricted policy of Pod Security Standards where privilege escalation must not be enabled. Therefore I request those features to work without privilege escalation.

Workaround

Currently the following (more insecure) workaround is required in every namespace where a PostgreSQL cluster is deployed (the non-namespaced ClusterRole is of course only needed once).

```yaml
# Grants the "use" verb on the PodSecurityPolicy named "baseline", so a subject
# bound to this role can create pods that the baseline (not restricted) policy admits.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-baseline
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    verbs: [use]
    resourceNames: [baseline]

---
# Workaround for https://github.com/zalando/postgres-operator/issues/1730
# Apply once in every namespace that hosts a PostgreSQL cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-baseline
roleRef:
  kind: ClusterRole
  name: psp-baseline
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    # Match all ServiceAccounts in this namespace. ServiceAccounts in other
    # namespaces are not affected, because this is a (namespaced) RoleBinding.
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
```

haslersn, Dec 30 '21 13:12
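The point of the issue is that the Restricted profile of the Pod Security Standards requires `securityContext.allowPrivilegeEscalation` to be explicitly `false` on every container, while setuid cron in the Spilo image needs it to be `true`. The following checker, an added example and not code from this issue, postgres-operator or spilo, evaluates a Pod spec against the Restricted-profile controls that matter here (privilege escalation, capabilities, non-root, seccomp) and shows the documented default failing and a hardened spec passing. The two sample pod specs are constructed for illustration; the container name and image are placeholders, not the operator's real values, and Baseline controls (privileged, hostPID and so on) are deliberately out of scope.

```python
"""Check a Kubernetes PodSpec against Restricted Pod Security Standard controls.

Added example, not code from postgres-operator or spilo. Sample specs below are
constructed; container names and images are placeholders.
"""
from __future__ import annotations

from typing import Iterator

# The Restricted profile applies its per-container rules to all three lists.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def _containers(pod_spec: dict) -> Iterator[tuple[str, dict]]:
    """Yield (location label, container dict) for every container in the spec."""
    for field in CONTAINER_FIELDS:
        for c in pod_spec.get(field) or []:
            yield f"{field}[{c.get('name', '?')}]", c


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return violations of the Restricted controls checked here (empty = passes).

    Rules, as stated by the Restricted profile:
      * allowPrivilegeEscalation must be explicitly false on every container
        (the field setuid cron in spilo needs to be true);
      * capabilities.drop must include ALL, capabilities.add at most NET_BIND_SERVICE;
      * runAsNonRoot must be true at pod level or on every container;
      * seccompProfile.type must be RuntimeDefault or Localhost at pod level
        or on every container.
    """
    violations: list[str] = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type") in ALLOWED_SECCOMP

    for where, c in _containers(pod_spec):
        sc = c.get("securityContext") or {}

        # Unset counts as a violation: the field must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{where}: allowPrivilegeEscalation must be false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{where}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})
        if extra:
            violations.append(f"{where}: capabilities.add only allows NET_BIND_SERVICE, got {extra}")

        # Container value, if present, must be true; otherwise pod level must be true.
        if "runAsNonRoot" in sc:
            if sc["runAsNonRoot"] is not True:
                violations.append(f"{where}: runAsNonRoot must be true")
        elif not pod_nonroot:
            violations.append(f"{where}: runAsNonRoot must be true at pod or container level")

        if "seccompProfile" in sc:
            if (sc["seccompProfile"] or {}).get("type") not in ALLOWED_SECCOMP:
                violations.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
        elif not pod_seccomp:
            violations.append(f"{where}: seccompProfile must be set at pod or container level")
    return violations


# Constructed sample: what a Spilo pod looks like with privilege escalation
# allowed (the documented default). Placeholder name and image.
SPILO_ESCALATING = {
    "containers": [{
        "name": "postgres",
        "image": "example.invalid/spilo:placeholder",
        "securityContext": {"allowPrivilegeEscalation": True},
    }],
}

# Constructed sample: the same pod hardened to what Restricted expects.
SPILO_RESTRICTED = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "postgres",
        "image": "example.invalid/spilo:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("escalating", SPILO_ESCALATING), ("restricted", SPILO_RESTRICTED)):
        print(label, restricted_violations(spec) or "OK")
```

The escalating spec fails on all four controls, the first of them being exactly the `allowPrivilegeEscalation` requirement this issue is about; the hardened spec passes. Note that passing this check does not make setuid cron work inside the container, which is why the issue asks for the rotation and backup jobs to run without it.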

@FxKu can we perhaps use supercronic instead of cron?

haslersn, Dec 31 '21 02:12

I think since https://github.com/zalando/spilo/commit/4a45ac42fcce5a96b10bb394330037f36a1d66bc this issue is solved. But the postgres-operator documentation (here) needs to be updated accordingly. Currently it still says:

spilo_allow_privilege_escalation Controls whether a process can gain more privileges than its parent process. Required by cron which needs setuid. Without this parameter, certification rotation & backups will not be done. The default is true.

This parameter is no longer needed for certificate rotation & backups, right?

haslersn, Jul 02 '22 09:07

@CyberDem0n pinging you, since you authored https://github.com/zalando/spilo/commit/4a45ac42fcce5a96b10bb394330037f36a1d66bc

haslersn, Jul 05 '22 11:07

@CyberDem0n do you have time to fix the documentation (as mentioned in https://github.com/zalando/postgres-operator/issues/1730#issuecomment-1172871922) and then close this issue?

haslersn, Mar 07 '24 14:03