Set default SecurityContext for Kafka

Signed-off-by: obaydullahmhs <[email protected]>
kubedb · Nov 23, 2023 · a619021 · a619021
1 parent 8e497b9
commit a619021
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/apis/kubedb/v1alpha2/kafka_helpers.go b/apis/kubedb/v1alpha2/kafka_helpers.go
@@ -27,12 +27,14 @@ import (
 
 	promapi "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"gomodules.xyz/pointer"
+	core "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	meta_util "kmodules.xyz/client-go/meta"
 	appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 	mona "kmodules.xyz/monitoring-agent-api/api/v1"
+	ofst "kmodules.xyz/offshoot-api/api/v1"
 )
 
 func (k *Kafka) CustomResourceDefinition() *apiextensions.CustomResourceDefinition {
@@ -320,12 +322,55 @@ func (k *Kafka) SetDefaults() {
 			k.Spec.Replicas = pointer.Int32P(1)
 		}
 	}
+
+	k.setDefaultContainerSecurityContext(&k.Spec.PodTemplate)
+	if k.Spec.CruiseControl != nil {
+		k.setDefaultContainerSecurityContext(&k.Spec.CruiseControl.PodTemplate)
+	}
+	k.Spec.Monitor.SetDefaults()
+	// If prometheus enabled, & RunAsUser not set. set the default 1001
+	if k.Spec.Monitor != nil && k.Spec.Monitor.Prometheus != nil && k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
+		k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1001)
+	}
+
 	if k.Spec.EnableSSL {
 		k.SetTLSDefaults()
 	}
 	k.SetHealthCheckerDefaults()
 }
 
+func (k *Kafka) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.ContainerSecurityContext == nil {
+		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+	}
+	k.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (k *Kafka) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = pointer.Int64P(1001)
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}
+
 func (k *Kafka) SetTLSDefaults() {
 	if k.Spec.TLS == nil || k.Spec.TLS.IssuerRef == nil {
 		return