From 60fd27f3c4e87a02ec623bc0389632492231488a Mon Sep 17 00:00:00 2001
From: obaydullahmhs
Date: Fri, 10 Nov 2023 18:43:26 +0600
Subject: [PATCH] Set default SecurityContext for Kafka

Signed-off-by: obaydullahmhs
---
 apis/kubedb/v1alpha2/kafka_helpers.go | 45 +++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/apis/kubedb/v1alpha2/kafka_helpers.go b/apis/kubedb/v1alpha2/kafka_helpers.go
index 6a0cd37470..a427b3da27 100644
--- a/apis/kubedb/v1alpha2/kafka_helpers.go
+++ b/apis/kubedb/v1alpha2/kafka_helpers.go
@@ -27,12 +27,14 @@ import (
 	promapi "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"gomodules.xyz/pointer"
+	core "k8s.io/api/core/v1"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	meta_util "kmodules.xyz/client-go/meta"
 	appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 	mona "kmodules.xyz/monitoring-agent-api/api/v1"
+	ofst "kmodules.xyz/offshoot-api/api/v1"
 )
 
 func (k *Kafka) CustomResourceDefinition() *apiextensions.CustomResourceDefinition {
@@ -312,12 +314,55 @@ func (k *Kafka) SetDefaults() {
 			k.Spec.Replicas = pointer.Int32P(1)
 		}
 	}
+
+	k.setDefaultContainerSecurityContext(&k.Spec.PodTemplate)
+	if k.Spec.CruiseControl != nil {
+		k.setDefaultContainerSecurityContext(&k.Spec.CruiseControl.PodTemplate)
+	}
+	k.Spec.Monitor.SetDefaults()
+	// If prometheus enabled, & RunAsUser not set. set the default 1001
+	if k.Spec.Monitor != nil && k.Spec.Monitor.Prometheus != nil && k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
+		k.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1001)
+	}
+
 	if k.Spec.EnableSSL {
 		k.SetTLSDefaults()
 	}
 	k.SetHealthCheckerDefaults()
 }
 
+func (k *Kafka) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.ContainerSecurityContext == nil {
+		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+	}
+	k.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (k *Kafka) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = pointer.Int64P(1001)
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}
+
 func (k *Kafka) SetTLSDefaults() {
 	if k.Spec.TLS == nil || k.Spec.TLS.IssuerRef == nil {
 		return
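Review bot: The Prometheus exporter container only gets `RunAsUser` defaulted, while the main and CruiseControl containers get the full hardened set from `assignDefaultContainerSecurityContext` (no privilege escalation, drop ALL capabilities, RunAsNonRoot, RuntimeDefault seccomp); that leaves the sidecar running with a weaker baseline than the workload it observes. Since the helper already treats every nil field as "not set", the `RunAsUser == nil` block could be replaced by `k.assignDefaultContainerSecurityContext(k.Spec.Monitor.Prometheus.Exporter.SecurityContext)` (or `&...SecurityContext` if the field is a value type — its type is not visible in this hunk). Also, `k.Spec.Monitor.SetDefaults()` is called one line before the `k.Spec.Monitor != nil` check, so this ordering is only safe if `AgentSpec.SetDefaults` guards a nil receiver; worth confirming or moving the call inside the nil check. The comment `// If prometheus enabled, & RunAsUser not set. set the default 1001` reads better as `// Default the exporter to UID 1001 when Prometheus monitoring is enabled and RunAsUser is unset.`. The enclosing `SetDefaults` body begins before this hunk.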