

Set Default Security Context for Redis Sentinel
Signed-off-by: Shaad7 <[email protected]>
AbdullahAlShaad committed Nov 22, 2023
1 parent 43d1c5d commit db292bc
Showing 1 changed file with 37 additions and 0 deletions.
37 changes: 37 additions & 0 deletions apis/kubedb/v1alpha2/redis_sentinel_helpers.go
Expand Up @@ -189,13 +189,18 @@ func (rs *RedisSentinel) SetDefaults(topology *core_util.Topology) {
rs.Spec.TerminationPolicy = TerminationPolicyDelete
}

rs.setDefaultContainerSecurityContext(&rs.Spec.PodTemplate)
if rs.Spec.PodTemplate.Spec.ServiceAccountName == "" {
rs.Spec.PodTemplate.Spec.ServiceAccountName = rs.OffshootName()
}

rs.setDefaultAffinity(&rs.Spec.PodTemplate, rs.OffshootSelectors(), topology)

rs.Spec.Monitor.SetDefaults()
// If prometheus enabled, & RunAsUser not set. set the default 999
if rs.Spec.Monitor != nil && rs.Spec.Monitor.Prometheus != nil && rs.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
rs.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(999)
}
rs.SetTLSDefaults()
rs.SetHealthCheckerDefaults()
apis.SetDefaultResourceLimits(&rs.Spec.PodTemplate.Spec.Resources, DefaultResources)
Expand Down Expand Up @@ -273,6 +278,38 @@ func (rs *RedisSentinel) setDefaultAffinity(podTemplate *ofst.PodTemplateSpec, l
}
}

func (rs *RedisSentinel) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
if podTemplate == nil {
return
}
if podTemplate.Spec.ContainerSecurityContext == nil {
podTemplate.Spec.ContainerSecurityContext = &corev1.SecurityContext{}
}
rs.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
}

func (rs *RedisSentinel) assignDefaultContainerSecurityContext(sc *corev1.SecurityContext) {
if sc.AllowPrivilegeEscalation == nil {
sc.AllowPrivilegeEscalation = pointer.BoolP(false)
}
if sc.Capabilities == nil {
sc.Capabilities = &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
}
}
if sc.RunAsNonRoot == nil {
sc.RunAsNonRoot = pointer.BoolP(true)
}
if sc.RunAsUser == nil {
sc.RunAsUser = pointer.Int64P(999)
}
if sc.SeccompProfile == nil {
sc.SeccompProfile = &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
}
}
}

// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
func (rs *RedisSentinel) CertificateName(alias RedisCertificateAlias) string {
return meta_util.NameWithSuffix(rs.Name, fmt.Sprintf("%s-cert", string(alias)))
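Review bot: The hardening in `assignDefaultContainerSecurityContext` (no privilege escalation, drop ALL, runAsNonRoot, RuntimeDefault seccomp) reaches only the database container via `podTemplate.Spec.ContainerSecurityContext`; the Prometheus exporter sidecar in the first hunk still gets just `RunAsUser = 999`, so a pod whose exporter container lacks the other fields would fail admission under the restricted Pod Security Standard even though the main container passes. Since the helper already exists, the exporter branch could reuse it, `if rs.Spec.Monitor != nil && rs.Spec.Monitor.Prometheus != nil { rs.assignDefaultContainerSecurityContext(&rs.Spec.Monitor.Prometheus.Exporter.SecurityContext) }`, dropping the `&` if `Exporter.SecurityContext` is already a pointer (its type is not visible here). Note also that a user-supplied `RunAsUser: 0` combined with the defaulted `RunAsNonRoot: true` is rejected by the kubelet at container start; that is fail-closed and probably intended, but a one-line comment on the helper saying so would save a future maintainer from "fixing" it. `SetDefaults` begins at the first hunk's header and its body continues past the hunk, so there may be other container specs defaulted outside this view.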

