postgres-operator
Custom SecurityContext in Postgresql, OperatorConfiguration CRDs
This PR extends the Postgresql and OperatorConfiguration CRDs with the following properties related to the pod/container SecurityContext.
Postgresql CRD:
- spiloSeccompProfile – adds a SeccompProfile config property at the cluster pod level.
- securityContext in the sidecars configuration – configures the securityContext property for a particular sidecar container.
OperatorConfiguration CRD:
- dropped_pod_capabilities – list of dropped capabilities for the spilo container.
- spilo_seccompprofile – adds a SeccompProfile config property at the cluster pod level.
- securityContext in the sidecars configuration – configures the securityContext property for a particular sidecar container.
This PR addresses #2223
+1
+1
Hi everyone, any updates regarding this PR?
Hi,
any chance to review this MR please? It would be a good addition for cluster security in depth.
+1 on needing this to comply with restricted profiles, as @EmilMunksoe mentioned https://github.com/zalando/postgres-operator/issues/2223#issuecomment-1527082580
Hey, this is also a blocker for us since we have strict pod policies for the clusters. Is this something that will be merged soon?
+1
+1
+1 this would allow my team to be able to deploy postgres into our clusters with this operator
Why is this MR (which will make many lives easier) ignored for over a year now? Waiting only makes it more complicated to merge, and now there are merge conflicts to resolve. I hope there's a good reason for that.. 😓
Honestly, the delay on this led me to move from this operator over the CloudNative PostgreSQL Operator, which does everything and is already secure.
same here :(
+1
I circumvented the problem with a MutatingWebhookConfiguration and the corresponding controller:
https://github.com/mheers/pod-spec-mutator
You create a deployment with an env var that specifies how the pod will be modified before starting: https://github.com/mheers/pod-spec-mutator/blob/main/deploy/deployment.yaml#L38
With this one can easily specify the SecurityContext and have it merged in the starting pods specification on-the-fly.
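The webhook approach described above, as an added example that is not part of this thread, not mheers/pod-spec-mutator and not postgres-operator code: the admission-side logic that turns an AdmissionReview (admission.k8s.io/v1) for a spilo pod into a JSON Patch merging a restricted-profile SecurityContext into the pod and into every container. Assumptions, all labelled in the code: the operator's `application=spilo` pod label is used as the selector, the merge fills only keys that are absent (an explicit value already in the pod wins), the AdmissionReview is a constructed sample, and the TLS HTTP server that would wrap `mutate()` is left out.

```python
"""Mutating-admission logic: merge a restricted-profile SecurityContext into
spilo pods. Added example, not pod-spec-mutator or postgres-operator code."""
import base64
import copy
import json

# Assumption: postgres-operator labels every cluster pod with application=spilo.
TARGET_LABELS = {"application": "spilo"}

# Pod-level defaults matching the Kubernetes "restricted" Pod Security Standard.
POD_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Container-level defaults applied to the spilo container and every sidecar.
CONTAINER_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "capabilities": {"drop": ["ALL"]},
}


def _escape(token: str) -> str:
    """RFC 6901 escaping for a single JSON Pointer token."""
    return token.replace("~", "~0").replace("/", "~1")


def _merge_ops(path: str, existing, defaults: dict) -> list:
    """JSON Patch ops that fill in missing keys under `path`.

    Merge, not override: a key the operator or user already set is kept.
    If the object is absent entirely, one `add` creates it wholesale.
    """
    if existing is None:
        return [{"op": "add", "path": path, "value": copy.deepcopy(defaults)}]
    return [
        {"op": "add", "path": f"{path}/{_escape(key)}", "value": copy.deepcopy(val)}
        for key, val in defaults.items()
        if key not in existing
    ]


def matches(pod: dict) -> bool:
    """True when the pod carries every selector label."""
    labels = pod.get("metadata", {}).get("labels", {})
    return all(labels.get(k) == v for k, v in TARGET_LABELS.items())


def build_patch(pod: dict) -> list:
    """Return the RFC 6902 patch hardening a matching pod; [] for other pods."""
    if not matches(pod):
        return []
    spec = pod.get("spec", {})
    ops = _merge_ops("/spec/securityContext", spec.get("securityContext"), POD_SECURITY_CONTEXT)
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(field, [])):
            ops += _merge_ops(f"/spec/{field}/{idx}/securityContext",
                              container.get("securityContext"), CONTAINER_SECURITY_CONTEXT)
    return ops


def mutate(review: dict) -> dict:
    """Build the AdmissionReview response body for one incoming review."""
    request = review["request"]
    ops = build_patch(request["object"])
    response = {"uid": request["uid"], "allowed": True}
    if ops:  # the API server expects the patch base64-encoded
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decode_patch(response_body: dict) -> list:
    """Inverse of the encoding in mutate(), handy for tests and debugging."""
    return json.loads(base64.b64decode(response_body["response"]["patch"]))


# Constructed sample (not captured from a real cluster): a spilo pod with no
# pod-level securityContext, a bare postgres container and one sidecar that
# already sets a single key.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "object": {
            "metadata": {"labels": {"application": "spilo", "cluster-name": "demo"}},
            "spec": {
                "containers": [
                    {"name": "postgres", "image": "spilo:example"},
                    {"name": "exporter", "image": "exporter:example",
                     "securityContext": {"readOnlyRootFilesystem": True}},
                ]
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(mutate(SAMPLE_REVIEW), indent=2))
```

Because the merge keeps values already present, this mutator cannot by itself turn a pod that explicitly sets `allowPrivilegeEscalation: true` into a compliant one; pair it with a validating policy (Kyverno, Gatekeeper or Pod Security Admission) if the goal is enforcement rather than defaulting, and test `RuntimeDefault` seccomp and the dropped capabilities against the actual spilo image before rolling it out.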
I circumvented the problem by moving to the CNPG Operator which does everything securely by default.
I also checked CNPG, and indeed it offers setting the SecurityContext, but I also need to define additional volumes and hostAliases, which is also not supported by CNPG, so I stuck with zalando and built the admission hook.
please merge this PR
I think labeling this PR as minor might be a bit of an understatement. Setting restricted security contexts is a best practice for any database running in Kubernetes and is increasingly becoming a hard requirement. Almost every company we see using Kubernetes is installing tools like Kyverno or Gatekeeper to enforce security policies, making Postgres instances controlled via this operator a security exception in every single case. Using mutation policies with Kyverno is a creative workaround for those brave enough to use mutation policies, but also a bit of an anti-pattern.
Could we please get an acknowledgement or response from the PR reviewers (or other repo maintainers) with current status and/or some steps that community members can take to help it along? Do you need testers, or is there something else you're concerned about that we can help with? Migrating to another Postgres Operator would be a large undertaking for us, but if we can't get these security exceptions resolved, we may be forced to migrate at some point like others already have.
I am not part of the postgres-operator maintainers, but from a Kubernetes point of view I have some ideas. I hope my questions are fine and help to get some things sorted out.