diff --git a/apis/dashboard/v1alpha1/elasticsearchdashboard_webhook.go b/apis/dashboard/v1alpha1/elasticsearchdashboard_webhook.go
index 89e3f3dfb4..8ea7002b04 100644
--- a/apis/dashboard/v1alpha1/elasticsearchdashboard_webhook.go
+++ b/apis/dashboard/v1alpha1/elasticsearchdashboard_webhook.go
@@ -24,11 +24,13 @@ import (
 amv "kubedb.dev/apimachinery/pkg/validator"
 "gomodules.xyz/pointer"
+ core "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/validation/field"
 kmapi "kmodules.xyz/client-go/api/v1"
+ ofst "kmodules.xyz/offshoot-api/api/v1"
 "sigs.k8s.io/controller-runtime/pkg/builder"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -70,6 +72,38 @@ func (ed *ElasticsearchDashboard) SetupWebhookWithManager(mgr manager.Manager) e
 var _ webhook.Defaulter = &ElasticsearchDashboard{}
+func (ed *ElasticsearchDashboard) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
+ if podTemplate == nil {
+ return
+ }
+ if podTemplate.Spec.ContainerSecurityContext == nil {
+ podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+ }
+ ed.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (ed *ElasticsearchDashboard) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+ if sc.AllowPrivilegeEscalation == nil {
+ sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+ }
+ if sc.Capabilities == nil {
+ sc.Capabilities = &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ }
+ }
+ if sc.RunAsNonRoot == nil {
+ sc.RunAsNonRoot = pointer.BoolP(true)
+ }
+ if sc.RunAsUser == nil {
+ sc.RunAsUser = pointer.Int64P(1000)
+ }
+ if sc.SeccompProfile == nil {
+ sc.SeccompProfile = &core.SeccompProfile{
+ Type: core.SeccompProfileTypeRuntimeDefault,
+ }
+ }
+}
+
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (ed *ElasticsearchDashboard) Default() {
 if ed.Spec.Replicas == nil {
@@ -85,6 +119,8 @@ func (ed *ElasticsearchDashboard) Default() {
 edLog.Info(".Spec.TerminationPolicy have been set to TerminationPolicyWipeOut")
 }
+ ed.setDefaultContainerSecurityContext(&ed.Spec.PodTemplate)
+
 if ed.Spec.EnableSSL {
 if ed.Spec.TLS == nil {
 ed.Spec.TLS = &kmapi.TLSConfig{}
diff --git a/apis/kubedb/v1alpha2/elasticsearch_helpers.go b/apis/kubedb/v1alpha2/elasticsearch_helpers.go
index 6ad03dd1d5..5ea78d54b4 100644
--- a/apis/kubedb/v1alpha2/elasticsearch_helpers.go
+++ b/apis/kubedb/v1alpha2/elasticsearch_helpers.go
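Review bot: `setDefaultContainerSecurityContext` and `assignDefaultContainerSecurityContext` neither read nor write their `ed` receiver and are repeated verbatim on `Elasticsearch` in elasticsearch_helpers.go (the `@@ -385,6 +385,38 @@` hunk), so the hardened baseline now lives in two places that can drift; a single helper in a package both API groups already import, taking the `*core.SecurityContext`, would remove the duplication. Both methods are also undocumented; a header such as `// setDefaultContainerSecurityContext fills only the nil fields of the pod template's container security context with the hardened baseline (no privilege escalation, all capabilities dropped, non-root UID 1000, RuntimeDefault seccomp); fields the user set are left untouched.` states the merge semantics a reader otherwise has to infer from the nil checks. The two copies are also named differently (`setDefault…Context` here, `set…ContextDefaults` there), which makes the shared behaviour harder to find.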
@@ -385,6 +385,38 @@ func (e Elasticsearch) StatsServiceLabels() map[string]string {
 return e.ServiceLabels(StatsServiceAlias, map[string]string{LabelRole: RoleStats})
 }
+func (e Elasticsearch) setContainerSecurityContextDefaults(podTemplate *ofst.PodTemplateSpec) {
+ if podTemplate == nil {
+ return
+ }
+ if podTemplate.Spec.ContainerSecurityContext == nil {
+ podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+ }
+ e.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (e Elasticsearch) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+ if sc.AllowPrivilegeEscalation == nil {
+ sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+ }
+ if sc.Capabilities == nil {
+ sc.Capabilities = &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ }
+ }
+ if sc.RunAsNonRoot == nil {
+ sc.RunAsNonRoot = pointer.BoolP(true)
+ }
+ if sc.RunAsUser == nil {
+ sc.RunAsUser = pointer.Int64P(1000)
+ }
+ if sc.SeccompProfile == nil {
+ sc.SeccompProfile = &core.SeccompProfile{
+ Type: core.SeccompProfileTypeRuntimeDefault,
+ }
+ }
+}
+
 func (e *Elasticsearch) SetDefaults(esVersion *catalog.ElasticsearchVersion, topology *core_util.Topology) {
 if e == nil {
 return
@@ -563,37 +595,44 @@ func (e *Elasticsearch) SetDefaults(esVersion *catalog.ElasticsearchVersion, top
 // set default kernel settings
 // - Ref: https://www.elastic.co/guide/en/elasticsearch/reference/7.9/vm-max-map-count.html
+ // if kernelSettings defaults is enabled systls-init container will be injected with the default vm_map_count settings
+ // if not init container will not be injected and default values will not be set
 if e.Spec.KernelSettings == nil {
 e.Spec.KernelSettings = &KernelSettings{
- Privileged: true,
- Sysctls: []core.Sysctl{
- {
- Name: "vm.max_map_count",
- Value: "262144",
- },
- },
+ DisableDefaults: false,
 }
 }
-
- if e.Spec.PodTemplate.Spec.ContainerSecurityContext == nil {
- e.Spec.PodTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{
- Privileged: pointer.BoolP(false),
- Capabilities: &core.Capabilities{
- Add: []core.Capability{"IPC_LOCK", "SYS_RESOURCE"},
- },
+ if !e.Spec.KernelSettings.DisableDefaults {
+ e.Spec.KernelSettings.Privileged = true
+ vmMapCountNotSet := true
+ if len(e.Spec.KernelSettings.Sysctls) != 0 {
+ for i := 0; i < len(e.Spec.KernelSettings.Sysctls); i++ {
+ if e.Spec.KernelSettings.Sysctls[i].Name == "vm.max_map_count" {
+ vmMapCountNotSet = false
+ break
+ }
+ }
+ }
+ if vmMapCountNotSet {
+ e.Spec.KernelSettings.Sysctls = append(e.Spec.KernelSettings.Sysctls, core.Sysctl{
+ Name: "vm.max_map_count",
+ Value: "262144",
+ })
 }
- }
-
- // Add default Elasticsearch UID
- if e.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser == nil &&
- esVersion.Spec.SecurityContext.RunAsUser != nil {
- e.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser = esVersion.Spec.SecurityContext.RunAsUser
 }
 e.setDefaultAffinity(&e.Spec.PodTemplate, e.OffshootSelectors(), topology)
- e.SetTLSDefaults(esVersion)
+ e.setContainerSecurityContextDefaults(&e.Spec.PodTemplate)
 e.setDefaultInternalUsersAndRoleMappings(esVersion)
+ e.SetMetricsExporterDefaults()
+ e.SetTLSDefaults(esVersion)
+}
+
+func (e *Elasticsearch) SetMetricsExporterDefaults() {
 e.Spec.Monitor.SetDefaults()
+ if e.Spec.Monitor != nil && e.Spec.Monitor.Prometheus != nil && e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
+ e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1000)
+ }
 }
 // setDefaultAffinity
diff --git a/apis/kubedb/v1alpha2/openapi_generated.go b/apis/kubedb/v1alpha2/openapi_generated.go
index d67ab729ef..c3c4cd91c7 100644
--- a/apis/kubedb/v1alpha2/openapi_generated.go
+++ b/apis/kubedb/v1alpha2/openapi_generated.go
@@ -23735,6 +23735,13 @@ func schema_apimachinery_apis_kubedb_v1alpha2_KernelSettings(ref common.Referenc
 SchemaProps: spec.SchemaProps{
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
+ "disableDefaults": {
+ SchemaProps: spec.SchemaProps{
+ Description: "DisableDefaults can be set to false to avoid defaulting via mutator",
+ Type: []string{"boolean"},
+ Format: "",
+ },
+ },
 "privileged": {
 SchemaProps: spec.SchemaProps{
 Description: "Privileged specifies the status whether the init container requires privileged access to perform the following commands.",
diff --git a/apis/kubedb/v1alpha2/types.go b/apis/kubedb/v1alpha2/types.go
index 2267983118..4cc51fa7df 100644
--- a/apis/kubedb/v1alpha2/types.go
+++ b/apis/kubedb/v1alpha2/types.go
@@ -143,6 +143,8 @@ type NamedServiceTemplateSpec struct {
 }
 type KernelSettings struct {
+ // DisableDefaults can be set to false to avoid defaulting via mutator
+ DisableDefaults bool `json:"disableDefaults,omitempty"`
 // Privileged specifies the status whether the init container
 // requires privileged access to perform the following commands.
 // +optional
diff --git a/crds/kubedb.com_elasticsearches.yaml b/crds/kubedb.com_elasticsearches.yaml
index 32cf1e864d..f09542dd1c 100644
--- a/crds/kubedb.com_elasticsearches.yaml
+++ b/crds/kubedb.com_elasticsearches.yaml
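Review bot: `e.Spec.KernelSettings.Privileged = true` is now assigned on every admission whenever `DisableDefaults` is false, so an explicit `privileged: false` in a user-supplied `kernelSettings` is silently overwritten, whereas the removed code only set it when `KernelSettings` was nil. If that is the intent, the `DisableDefaults` doc comment should state that it is the only opt-out; if not, move the assignment into the `KernelSettings == nil` branch. The removed block also took `RunAsUser` from `esVersion.Spec.SecurityContext.RunAsUser` and added `IPC_LOCK`/`SYS_RESOURCE`, while `setContainerSecurityContextDefaults` hard-codes UID 1000 and drops all capabilities, so any `ElasticsearchVersion` that declares a different UID, or a deployment relying on memory locking, would see a changed container security context — worth confirming and recording in the release notes. The `if len(...) != 0` guard around the `for` loop is redundant (ranging an empty slice is a no-op), and the new comment has a typo, `systls-init` → `sysctl-init`. The enclosing `SetDefaults` begins outside this hunk.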
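Review bot: The doc comment on `DisableDefaults` says it "can be set to false to avoid defaulting via mutator", but `SetDefaults` in elasticsearch_helpers.go applies the kernel-settings defaults when the field is false and skips them when it is true, so the comment states the inverse; the same text is copied into the generated openapi_generated.go and swagger.json descriptions in this commit. Suggested: `// DisableDefaults, when true, stops the mutating webhook from injecting the privileged sysctl init container and the vm.max_map_count default.` followed by `// +optional`, matching the neighbouring `Privileged` field, then regenerate the OpenAPI artifacts.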
@@ -1018,6 +1018,8 @@ spec:
 type: object
 kernelSettings:
 properties:
+ disableDefaults:
+ type: boolean
 privileged:
 type: boolean
 sysctls:
diff --git a/openapi/swagger.json b/openapi/swagger.json
index cf8d671e99..472da65fe9 100644
--- a/openapi/swagger.json
+++ b/openapi/swagger.json
@@ -30925,6 +30925,10 @@
 "dev.kubedb.apimachinery.apis.kubedb.v1alpha2.KernelSettings": {
 "type": "object",
 "properties": {
+ "disableDefaults": {
+ "description": "DisableDefaults can be set to false to avoid defaulting via mutator",
+ "type": "boolean"
+ },
 "privileged": {
 "description": "Privileged specifies the status whether the init container requires privileged access to perform the following commands.",
 "type": "boolean"