postgres-operator
Add securityContext runAsNonRoot on Postgres StatefulSet
+1, nice and we need this as well. Let me know when help is needed.
We also need this! ❤️
@sdudoladov any news regarding this? :D
bump 🤞
from the docs... https://github.com/zalando/postgres-operator/blob/master/docs/reference/operator_parameters.md
- spilo_runasuser sets the user ID which should be used in the container to run the process. This must be set to run the container without root. By default the container runs with root. This option only works for Spilo versions >= 1.6-p3.
- spilo_runasgroup sets the group ID which should be used in the container to run the process. This must be set to run the container without root. By default the container runs with root. This option only works for Spilo versions >= 1.6-p3.
- spilo_fsgroup the Persistent Volumes for the Spilo pods in the StatefulSet will be owned and writable by the group ID specified. This is required to run Spilo as a non-root process, but requires a custom Spilo image. Note the FSGroup of a Pod cannot be changed without recreating a new Pod.
- spilo_privileged whether the Spilo container should run in privileged mode. Privileged mode is used for AWS volume resizing and not required if you don't need that capability. The default is false.
- spilo_allow_privilege_escalation Controls whether a process can gain more privileges than its parent process. Required by cron which needs setuid. Without this parameter, certification rotation & backups will not be done. The default is true.
- additional_pod_capabilities list of additional capabilities to be added to the postgres container's SecurityContext (e.g. SYS_NICE etc.). Please, make sure first that the PodSecurityPolicy allows the capabilities listed here. Otherwise, the container will not start. The default is empty.
guess it's already configurable... trying it currently
@msglueck From the Kubernetes doc => spec.securityContext.runAsNonRoot => Containers must be required to run as non-root users. https://kubernetes.io/docs/concepts/security/pod-security-standards/
The documentation that you are referring to doesn't talk about the flag runAsNonRoot.
This PR "computes" the value runAsNonRoot from the value spilo_runasuser.
Another option would be to add a new spilo option spilo_runasroot : boolean
But I will not spend more time here when I see that the PR is still open without any comment for years ...
Is anyone still working on this topic? I am trying to configure this operator in a Kubernetes cluster with Kyverno policies for security, and runAsNonRoot is mandatory. It is missing in the operator-ui and also in the cluster configuration itself. Now it can only be added in postgres-operator.
@kndoni This PR does not seem to be a priority for this project... as a workaround you can use a Kyverno ClusterPolicy
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: postgresql-securitycontext
spec:
  rules:
    - name: mutate-postgresql-sts
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  application: spilo
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: RuntimeDefault
            securityContext:
              runAsNonRoot: true
```
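
A read-side check for the settings discussed in this thread, added here as an example; it is not part of any comment above or of the operator's code. It audits a pod in the JSON shape returned by `kubectl get pod -o json`, applying the Kubernetes rule that container-level `securityContext` values override pod-level ones. The pod name, the user ID 101 and the `sidecar` container are constructed sample values.

```python
import json

# Constructed sample: trimmed pod JSON carrying the application=spilo label.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "acid-example-0", "labels": {"application": "spilo"}},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 101},
    "containers": [
      {"name": "postgres",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]},
                           "seccompProfile": {"type": "RuntimeDefault"}}},
      {"name": "sidecar",
       "securityContext": {"runAsNonRoot": false}}
    ]
  }
}
""")

def audit_pod(pod):
    """Return (container, finding) pairs for the hardening settings above."""
    pod_sc = pod["spec"].get("securityContext") or {}
    findings = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        # runAsNonRoot/runAsUser exist at both levels; the container wins.
        def effective(field):
            return sc[field] if field in sc else pod_sc.get(field)
        if effective("runAsNonRoot") is not True:
            findings.append((c["name"], "runAsNonRoot is not true"))
        if effective("runAsUser") == 0:
            findings.append((c["name"], "runAsUser is 0 (root)"))
        # These two fields exist only on the container securityContext.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation not false"))
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            findings.append((c["name"], "capabilities do not drop ALL"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((c["name"], "seccompProfile not set"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_pod(SAMPLE_POD):
        print(f"{name}: {finding}")
```
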