security context revert

Signed-off-by: Hiranmoy Das Chowdhury <[email protected]>
kubedb · Nov 19, 2024 · cd28153 · cd28153
1 parent d30f965
commit cd28153
Showing 1 changed file with 36 additions and 47 deletions.
diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go
@@ -32,12 +32,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/ptr"
 	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	core_util "kmodules.xyz/client-go/core/v1"
 	meta_util "kmodules.xyz/client-go/meta"
-	"kmodules.xyz/client-go/policy/secomp"
 	appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 	mona "kmodules.xyz/monitoring-agent-api/api/v1"
 	ofstv2 "kmodules.xyz/offshoot-api/api/v2"
@@ -234,15 +232,12 @@ func (p *PgBouncer) SetDefaults(pgBouncerVersion *catalog.PgBouncerVersion, uses
 	}
 
 	p.Spec.Monitor.SetDefaults()
-
-	// we have set the permission for exporter certificate for 70 userid
-	// that's why we need to set RunAsUser and RunAsGroup 70
 	if p.Spec.Monitor != nil && p.Spec.Monitor.Prometheus != nil {
 		if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
-			p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(70)
+			p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 		}
 		if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup == nil {
-			p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pointer.Int64P(70)
+			p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 		}
 	}
 	dbContainer := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, ResourceSingularPgBouncer)
@@ -332,55 +327,49 @@ func (p *PgBouncer) SetSecurityContext(pgBouncerVersion *catalog.PgBouncerVersio
 			Name: kubedb.PgBouncerContainerName,
 		}
 	}
-
 	if container.SecurityContext == nil {
-		container.SecurityContext = &core.SecurityContext{}
-	}
-	if container.SecurityContext.RunAsUser == nil {
-		if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
-			container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
-		} else {
-			container.SecurityContext.RunAsUser = p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser
+		container.SecurityContext = &core.SecurityContext{
+			RunAsUser: func() *int64 {
+				if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
+					return pgBouncerVersion.Spec.SecurityContext.RunAsUser
+				}
+				return p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser
+			}(),
+			RunAsGroup: func() *int64 {
+				if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
+					return pgBouncerVersion.Spec.SecurityContext.RunAsUser
+				}
+				return p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup
+			}(),
+			Privileged: pointer.BoolP(false),
 		}
-	}
-
-	if container.SecurityContext.RunAsGroup == nil {
-		if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
-			container.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
-		} else {
-			container.SecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup
+	} else {
+		if container.SecurityContext.RunAsUser == nil {
+			container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 		}
-	}
-
-	allowPrivilegeEscalation := pointer.Bool(container.SecurityContext.AllowPrivilegeEscalation)
-	container.SecurityContext.AllowPrivilegeEscalation = &allowPrivilegeEscalation
-
-	if container.SecurityContext.Capabilities == nil {
-		container.SecurityContext.Capabilities = &core.Capabilities{
-			Drop: []core.Capability{"ALL"},
+		if container.SecurityContext.RunAsGroup == nil {
+			container.SecurityContext.RunAsGroup = container.SecurityContext.RunAsUser
 		}
 	}
 
-	if container.SecurityContext.RunAsNonRoot == nil {
-		container.SecurityContext.RunAsNonRoot = ptr.To(true)
-	}
-
-	if container.SecurityContext.SeccompProfile == nil {
-		container.SecurityContext.SeccompProfile = secomp.DefaultSeccompProfile()
-	}
-
-	// podTemplate
 	if p.Spec.PodTemplate.Spec.SecurityContext == nil {
-		p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{}
-	}
-	if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
-		p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = ptr.To(*container.SecurityContext.RunAsUser)
-	}
-	if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
-		p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = ptr.To(*container.SecurityContext.RunAsGroup)
+		p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{
+			RunAsUser:  container.SecurityContext.RunAsUser,
+			RunAsGroup: container.SecurityContext.RunAsGroup,
+		}
+	} else {
+		if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
+			p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = container.SecurityContext.RunAsUser
+		}
+		if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
+			p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = container.SecurityContext.RunAsGroup
+		}
 	}
 
-	p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = ptr.To(*container.SecurityContext.RunAsGroup)
+	// Need to set FSGroup equal to  p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup.
+	// So that /var/pv directory have the group permission for the RunAsGroup user GID.
+	// Otherwise, We will get write permission denied.
+	p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = container.SecurityContext.RunAsGroup
 	isPgbouncerContainerPresent := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName)
 	if isPgbouncerContainerPresent == nil {
 		core_util.UpsertContainer(p.Spec.PodTemplate.Spec.Containers, *container)