diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go
index 34b6bb366c..63512dfb2c 100644
--- a/apis/kubedb/v1/pgbouncer_helpers.go
+++ b/apis/kubedb/v1/pgbouncer_helpers.go
@@ -32,12 +32,10 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/types"
- "k8s.io/utils/ptr"
 kmapi "kmodules.xyz/client-go/api/v1"
 "kmodules.xyz/client-go/apiextensions"
 core_util "kmodules.xyz/client-go/core/v1"
 meta_util "kmodules.xyz/client-go/meta"
- "kmodules.xyz/client-go/policy/secomp"
 appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 mona "kmodules.xyz/monitoring-agent-api/api/v1"
 ofstv2 "kmodules.xyz/offshoot-api/api/v2"
@@ -234,15 +232,12 @@ func (p *PgBouncer) SetDefaults(pgBouncerVersion *catalog.PgBouncerVersion, uses
 }
 p.Spec.Monitor.SetDefaults()
-
- // we have set the permission for exporter certificate for 70 userid
- // that's why we need to set RunAsUser and RunAsGroup 70
 if p.Spec.Monitor != nil && p.Spec.Monitor.Prometheus != nil {
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(70)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 }
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pointer.Int64P(70)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 }
 }
 dbContainer := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, ResourceSingularPgBouncer)
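Review bot: The exporter's `RunAsGroup` default is taken from `pgBouncerVersion.Spec.SecurityContext.RunAsUser` rather than a group field; if the catalog's security context carries a `RunAsGroup`, that should be the source, and if mirroring the UID is deliberate a comment should say so, since the removed note about uid 70 and the exporter certificate permissions is not replaced by anything. When `pgBouncerVersion.Spec.SecurityContext.RunAsUser` is nil the exporter container is now left with no RunAsUser/RunAsGroup where it previously got 70, so the image's default user applies; a nil check with a documented fallback would make that explicit, e.g. `if v := pgBouncerVersion.Spec.SecurityContext.RunAsUser; v != nil { ... }`. The assignment also shares the version's `*int64` with the exporter spec instead of copying the value, so a later write through either pointer changes both. SetDefaults begins before and continues after this hunk.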
@@ -332,55 +327,49 @@ func (p *PgBouncer) SetSecurityContext(pgBouncerVersion *catalog.PgBouncerVersio
 Name: kubedb.PgBouncerContainerName,
 }
 }
- if container.SecurityContext == nil {
- container.SecurityContext = &core.SecurityContext{}
- }
- if container.SecurityContext.RunAsUser == nil {
- if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
- container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
- } else {
- container.SecurityContext.RunAsUser = p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser
+ container.SecurityContext = &core.SecurityContext{
+ RunAsUser: func() *int64 {
+ if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
+ return pgBouncerVersion.Spec.SecurityContext.RunAsUser
+ }
+ return p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser
+ }(),
+ RunAsGroup: func() *int64 {
+ if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
+ return pgBouncerVersion.Spec.SecurityContext.RunAsUser
+ }
+ return p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup
+ }(),
+ Privileged: pointer.BoolP(false),
 }
- }
-
- if container.SecurityContext.RunAsGroup == nil {
- if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
- container.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
- } else {
- container.SecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup
+ } else {
+ if container.SecurityContext.RunAsUser == nil {
+ container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 }
- }
-
- allowPrivilegeEscalation := pointer.Bool(container.SecurityContext.AllowPrivilegeEscalation)
- container.SecurityContext.AllowPrivilegeEscalation = &allowPrivilegeEscalation
-
- if container.SecurityContext.Capabilities == nil {
- container.SecurityContext.Capabilities = &core.Capabilities{
- Drop: []core.Capability{"ALL"},
+ if container.SecurityContext.RunAsGroup == nil {
+ container.SecurityContext.RunAsGroup = container.SecurityContext.RunAsUser
 }
 }
- if container.SecurityContext.RunAsNonRoot == nil {
- container.SecurityContext.RunAsNonRoot = ptr.To(true)
- }
-
- if container.SecurityContext.SeccompProfile == nil {
- container.SecurityContext.SeccompProfile = secomp.DefaultSeccompProfile()
- }
-
- // podTemplate
 if p.Spec.PodTemplate.Spec.SecurityContext == nil {
- p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{}
- }
- if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
- p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = ptr.To(*container.SecurityContext.RunAsUser)
- }
- if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
- p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = ptr.To(*container.SecurityContext.RunAsGroup)
+ p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{
+ RunAsUser: container.SecurityContext.RunAsUser,
+ RunAsGroup: container.SecurityContext.RunAsGroup,
+ }
+ } else {
+ if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil {
+ p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = container.SecurityContext.RunAsUser
+ }
+ if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil {
+ p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = container.SecurityContext.RunAsGroup
+ }
 }
- p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = ptr.To(*container.SecurityContext.RunAsGroup)
+ // Need to set FSGroup equal to p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup.
+ // So that /var/pv directory have the group permission for the RunAsGroup user GID.
+ // Otherwise, We will get write permission denied.
+ p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = container.SecurityContext.RunAsGroup
 isPgbouncerContainerPresent := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName)
 if isPgbouncerContainerPresent == nil {
 core_util.UpsertContainer(p.Spec.PodTemplate.Spec.Containers, *container)
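Review bot: The rewritten SetSecurityContext no longer defaults the container hardening the removed block set — `AllowPrivilegeEscalation`, `Capabilities.Drop: ["ALL"]`, `RunAsNonRoot: true` and `SeccompProfile` are gone, and `Privileged: pointer.BoolP(false)` is only applied on the branch where `container.SecurityContext` was nil, so a user-supplied context passes through with none of these set. Unless an admission policy or another defaulting step enforces them, they should be restored as nil-guarded defaults after the RunAsUser/RunAsGroup logic, as sketched below (`secomp.DefaultSeccompProfile()` can replace the literal profile if that import is kept). Separately, `FSGroup = container.SecurityContext.RunAsGroup` and the pod-level assignments now share one `*int64` with `pgBouncerVersion.Spec.SecurityContext.RunAsUser`, where the old code copied via `ptr.To(*…)`; a later write through any of them changes all, so copying the value is safer, and the new comment's reference to `ContainerSecurityContext.RunAsGroup` does not match the field the code reads. As rendered, the first added `container.SecurityContext = &core.SecurityContext{` has no visible enclosing `if container.SecurityContext == nil {` on the new side to pair with the added `} else {`; this may be a rendering artifact but is worth confirming. SetSecurityContext begins before and continues after this hunk.
```go
	// … unchanged: RunAsUser / RunAsGroup defaulting on container.SecurityContext …
	sc := container.SecurityContext
	if sc.AllowPrivilegeEscalation == nil {
		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
	}
	if sc.Privileged == nil {
		sc.Privileged = pointer.BoolP(false)
	}
	if sc.Capabilities == nil {
		sc.Capabilities = &core.Capabilities{Drop: []core.Capability{"ALL"}}
	}
	if sc.RunAsNonRoot == nil {
		sc.RunAsNonRoot = pointer.BoolP(true)
	}
	if sc.SeccompProfile == nil {
		sc.SeccompProfile = &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault}
	}
	// … unchanged: pod-level SecurityContext, FSGroup and container upsert …
```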