From 5b6ddf58882cc656ae7c89ec184ab4c605dfd35c Mon Sep 17 00:00:00 2001
From: Hiranmoy Das Chowdhury
Date: Fri, 1 Nov 2024 16:29:23 +0600
Subject: [PATCH 1/5] security-context for pgbouncer

Signed-off-by: Hiranmoy Das Chowdhury
---
 apis/kubedb/v1/pgbouncer_helpers.go | 81 ++++++++++++++++-------------
 1 file changed, 45 insertions(+), 36 deletions(-)

diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go
index 63512dfb2c..60b7ff1709 100644
--- a/apis/kubedb/v1/pgbouncer_helpers.go
+++ b/apis/kubedb/v1/pgbouncer_helpers.go
@@ -19,6 +19,8 @@ package v1
 import (
 "context"
 "fmt"
+ "k8s.io/utils/ptr"
+ "kmodules.xyz/client-go/policy/secomp"
 "strconv"
 
 "kubedb.dev/apimachinery/apis"
@@ -234,10 +236,10 @@ func (p *PgBouncer) SetDefaults(pgBouncerVersion *catalog.PgBouncerVersion, uses
 p.Spec.Monitor.SetDefaults()
 if p.Spec.Monitor != nil && p.Spec.Monitor.Prometheus != nil {
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = ptr.To(*pgBouncerVersion.Spec.SecurityContext.RunAsUser)
 }
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = ptr.To(*pgBouncerVersion.Spec.SecurityContext.RunAsUser)
 }
 }
 dbContainer := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, ResourceSingularPgBouncer)
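Review bot: Both replaced lines in the SetDefaults hunk dereference `pgBouncerVersion.Spec.SecurityContext.RunAsUser` unconditionally inside `ptr.To(*...)`, so a PgBouncerVersion whose SecurityContext.RunAsUser is unset now panics the defaulting path where the removed lines simply left the exporter's id nil. Copy only when the source is set, e.g. `if uid := pgBouncerVersion.Spec.SecurityContext.RunAsUser; uid != nil { p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = ptr.To(*uid) }`, and the same for the RunAsGroup branch. That RunAsGroup branch still copies RunAsUser rather than a group id; if that is deliberate because the version spec carries no group, a one-line comment saying so would spare the next reader the question. SetDefaults continues outside the hunk.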
@@ -321,55 +323,62 @@ func (p *PgBouncer) SetHealthCheckerDefaults() { } func (p *PgBouncer) SetSecurityContext(pgBouncerVersion *catalog.PgBouncerVersion) { + container := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName) if container == nil { container = &core.Container{ Name: kubedb.PgBouncerContainerName, } } + if container.SecurityContext == nil { - container.SecurityContext = &core.SecurityContext{ - RunAsUser: func() *int64 { - if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { - return pgBouncerVersion.Spec.SecurityContext.RunAsUser - } - return p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser - }(), - RunAsGroup: func() *int64 { - if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { - return pgBouncerVersion.Spec.SecurityContext.RunAsUser - } - return p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup - }(), - Privileged: pointer.BoolP(false), - } - } else { - if container.SecurityContext.RunAsUser == nil { + container.SecurityContext = &core.SecurityContext{} + } + if container.SecurityContext.RunAsUser == nil { + if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser - } - if container.SecurityContext.RunAsGroup == nil { - container.SecurityContext.RunAsGroup = container.SecurityContext.RunAsUser + } else { + container.SecurityContext.RunAsUser = p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser } } - if p.Spec.PodTemplate.Spec.SecurityContext == nil { - p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{ - RunAsUser: container.SecurityContext.RunAsUser, - RunAsGroup: container.SecurityContext.RunAsGroup, - } - } else { - if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { - p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser 
= container.SecurityContext.RunAsUser + if container.SecurityContext.RunAsGroup == nil { + if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { + container.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser + } else { + container.SecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup } - if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { - p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = container.SecurityContext.RunAsGroup + } + + allowPrivilegeEscalation := pointer.Bool(container.SecurityContext.AllowPrivilegeEscalation) + container.SecurityContext.AllowPrivilegeEscalation = &allowPrivilegeEscalation + + if container.SecurityContext.Capabilities == nil { + container.SecurityContext.Capabilities = &core.Capabilities{ + Drop: []core.Capability{"ALL"}, } } - // Need to set FSGroup equal to p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup. - // So that /var/pv directory have the group permission for the RunAsGroup user GID. - // Otherwise, We will get write permission denied. 
- p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = container.SecurityContext.RunAsGroup + if container.SecurityContext.RunAsNonRoot == nil { + container.SecurityContext.RunAsNonRoot = ptr.To(true) + } + + if container.SecurityContext.SeccompProfile == nil { + container.SecurityContext.SeccompProfile = secomp.DefaultSeccompProfile() + } + + // podTemplate + if p.Spec.PodTemplate.Spec.SecurityContext == nil { + p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{} + } + if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { + p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = ptr.To(*container.SecurityContext.RunAsUser) + } + if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { + p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = ptr.To(*container.SecurityContext.RunAsGroup) + } + + p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = ptr.To(*container.SecurityContext.RunAsGroup) isPgbouncerContainerPresent := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName) if isPgbouncerContainerPresent == nil { core_util.UpsertContainer(p.Spec.PodTemplate.Spec.Containers, *container) From ed4553eaccc8c1b294df51d287f4387914acd2a8 Mon Sep 17 00:00:00 2001 From: Hiranmoy Das Chowdhury Date: Fri, 1 Nov 2024 17:53:26 +0600 Subject: [PATCH 2/5] Signed-off-by: Hiranmoy Das Chowdhury --- apis/kubedb/v1/pgbouncer_helpers.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go index 60b7ff1709..bcf18d8b2c 100644 --- a/apis/kubedb/v1/pgbouncer_helpers.go +++ b/apis/kubedb/v1/pgbouncer_helpers.go 
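Review bot: The pod-template block near the end of the hunk dereferences `container.SecurityContext.RunAsUser` and `.RunAsGroup` inside `ptr.To(*...)` three times, but the fallback branches above assign `pgBouncerVersion.Spec.SecurityContext.RunAsUser` as-is, so when neither the pod template nor the version sets an id the container field is still nil and these lines panic. Copy only when set, e.g. `if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil && container.SecurityContext.RunAsUser != nil {`, with the same guard for RunAsGroup and FSGroup. `RunAsNonRoot = ptr.To(true)` is the right default, but if the inherited uid is 0 the kubelet will refuse to start the container rather than the webhook rejecting the object; a comment stating that the version's RunAsUser is expected to be non-zero would make the contract explicit. The removed block set `Privileged: pointer.BoolP(false)` on a fresh SecurityContext and nothing in the new code sets Privileged at all; if relying on the Kubernetes default is intended, say so in a comment, otherwise restore it. SetSecurityContext continues past the hunk.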
@@ -234,12 +234,15 @@ func (p *PgBouncer) SetDefaults(pgBouncerVersion *catalog.PgBouncerVersion, uses
 }
 
 p.Spec.Monitor.SetDefaults()
+
+ // we have set the permission for exporter certificate for 70 userid
+ // that's why we need to set RunAsUser and RunAsGroup 70
 if p.Spec.Monitor != nil && p.Spec.Monitor.Prometheus != nil {
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = ptr.To(*pgBouncerVersion.Spec.SecurityContext.RunAsUser)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(70)
 }
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = ptr.To(*pgBouncerVersion.Spec.SecurityContext.RunAsUser)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pointer.Int64P(70)
 }
 }
 dbContainer := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, ResourceSingularPgBouncer)

From d149bd29fb7df5b21573241219e325cda6662db7 Mon Sep 17 00:00:00 2001
From: Hiranmoy Das Chowdhury
Date: Mon, 4 Nov 2024 10:05:52 +0600
Subject: [PATCH 3/5] finished security context

Signed-off-by: Hiranmoy Das Chowdhury
---
 apis/kubedb/v1/pgbouncer_helpers.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go
index bcf18d8b2c..34b6bb366c 100644
--- a/apis/kubedb/v1/pgbouncer_helpers.go
+++ b/apis/kubedb/v1/pgbouncer_helpers.go
@@ -19,8 +19,6 @@ package v1
 import (
 "context"
 "fmt"
- "k8s.io/utils/ptr"
- "kmodules.xyz/client-go/policy/secomp"
 "strconv"
 
 "kubedb.dev/apimachinery/apis"
@@ -34,10 +32,12 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/ptr"
 kmapi "kmodules.xyz/client-go/api/v1"
 "kmodules.xyz/client-go/apiextensions"
 core_util "kmodules.xyz/client-go/core/v1"
 meta_util "kmodules.xyz/client-go/meta"
+ "kmodules.xyz/client-go/policy/secomp"
 appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 mona "kmodules.xyz/monitoring-agent-api/api/v1"
 ofstv2 "kmodules.xyz/offshoot-api/api/v2"
@@ -326,7 +326,6 @@ func (p *PgBouncer) SetHealthCheckerDefaults() {
 }
 
 func (p *PgBouncer) SetSecurityContext(pgBouncerVersion *catalog.PgBouncerVersion) {
-
 container := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName)
 if container == nil {
 container = &core.Container{

From c610812cad52251e851fbaefb52ded6b64e91196 Mon Sep 17 00:00:00 2001
From: Hiranmoy Das Chowdhury
Date: Mon, 4 Nov 2024 17:57:10 +0600
Subject: [PATCH 4/5]

Signed-off-by: Hiranmoy Das Chowdhury
---
 apis/ops/v1alpha1/pgbouncer_ops_types.go | 4 ++--
 apis/ops/v1alpha1/pgbouncer_ops_types_enum.go | 5 +++++
 crds/ops.kubedb.com_pgbounceropsrequests.yaml | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/apis/ops/v1alpha1/pgbouncer_ops_types.go b/apis/ops/v1alpha1/pgbouncer_ops_types.go
index 628edaf133..ad4890f4d1 100644
--- a/apis/ops/v1alpha1/pgbouncer_ops_types.go
+++ b/apis/ops/v1alpha1/pgbouncer_ops_types.go
@@ -75,8 +75,8 @@ type PgBouncerOpsRequestSpec struct {
 Apply ApplyOption `json:"apply,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=HorizontalScaling;VerticalScaling;UpdateVersion;Reconfigure;RotateAuth
-// ENUM(HorizontalScaling, VerticalScaling, UpdateVersion, Reconfigure, RotateAuth)
+// +kubebuilder:validation:Enum=HorizontalScaling;VerticalScaling;UpdateVersion;Reconfigure;RotateAuth;Restart
+// ENUM(HorizontalScaling, VerticalScaling, UpdateVersion, Reconfigure, RotateAuth, Restart)
 type PgBouncerOpsRequestType string
 
 type PgBouncerUpdateVersionSpec struct {
diff --git a/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go b/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go
index 6043a822c9..915da9881a 100644
--- a/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go
+++ b/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go
@@ -22,6 +22,8 @@ const (
 PgBouncerOpsRequestTypeReconfigure PgBouncerOpsRequestType = "Reconfigure"
 // PgBouncerOpsRequestTypeRotateAuth is a PgBouncerOpsRequestType of type RotateAuth.
 PgBouncerOpsRequestTypeRotateAuth PgBouncerOpsRequestType = "RotateAuth"
+ // PgBouncerOpsRequestTypeRestart is a PgBouncerOpsRequestType of type Restart.
+ PgBouncerOpsRequestTypeRestart PgBouncerOpsRequestType = "Restart"
 )
 
 var ErrInvalidPgBouncerOpsRequestType = fmt.Errorf("not a valid PgBouncerOpsRequestType, try [%s]", strings.Join(_PgBouncerOpsRequestTypeNames, ", "))
@@ -32,6 +34,7 @@ var _PgBouncerOpsRequestTypeNames = []string{
 string(PgBouncerOpsRequestTypeUpdateVersion),
 string(PgBouncerOpsRequestTypeReconfigure),
 string(PgBouncerOpsRequestTypeRotateAuth),
+ string(PgBouncerOpsRequestTypeRestart),
 }
 
 // PgBouncerOpsRequestTypeNames returns a list of possible string values of PgBouncerOpsRequestType.
@@ -49,6 +52,7 @@ func PgBouncerOpsRequestTypeValues() []PgBouncerOpsRequestType {
 PgBouncerOpsRequestTypeUpdateVersion,
 PgBouncerOpsRequestTypeReconfigure,
 PgBouncerOpsRequestTypeRotateAuth,
+ PgBouncerOpsRequestTypeRestart,
 }
 }
 
@@ -70,6 +74,7 @@ var _PgBouncerOpsRequestTypeValue = map[string]PgBouncerOpsRequestType{
 "UpdateVersion": PgBouncerOpsRequestTypeUpdateVersion,
 "Reconfigure": PgBouncerOpsRequestTypeReconfigure,
 "RotateAuth": PgBouncerOpsRequestTypeRotateAuth,
+ "Restart": PgBouncerOpsRequestTypeRestart,
 }
 
 // ParsePgBouncerOpsRequestType attempts to convert a string to a PgBouncerOpsRequestType.
diff --git a/crds/ops.kubedb.com_pgbounceropsrequests.yaml b/crds/ops.kubedb.com_pgbounceropsrequests.yaml
index cbe5dca2c5..55eabd91fb 100644
--- a/crds/ops.kubedb.com_pgbounceropsrequests.yaml
+++ b/crds/ops.kubedb.com_pgbounceropsrequests.yaml
@@ -208,6 +208,7 @@ spec:
 - UpdateVersion
 - Reconfigure
 - RotateAuth
+ - Restart
 type: string
 updateVersion:
 properties:

From ed372425e18f9cc3e948ddf4c70f3fd1d987e063 Mon Sep 17 00:00:00 2001
From: Hiranmoy Das Chowdhury
Date: Tue, 19 Nov 2024 18:47:58 +0600
Subject: [PATCH 5/5] security context revert

Signed-off-by: Hiranmoy Das Chowdhury
---
 apis/kubedb/v1/pgbouncer_helpers.go | 83 +++++++++++++---------------
 1 file changed, 36 insertions(+), 47 deletions(-)

diff --git a/apis/kubedb/v1/pgbouncer_helpers.go b/apis/kubedb/v1/pgbouncer_helpers.go
index 34b6bb366c..63512dfb2c 100644
--- a/apis/kubedb/v1/pgbouncer_helpers.go
+++ b/apis/kubedb/v1/pgbouncer_helpers.go
@@ -32,12 +32,10 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/types"
- "k8s.io/utils/ptr"
 kmapi "kmodules.xyz/client-go/api/v1"
 "kmodules.xyz/client-go/apiextensions"
 core_util "kmodules.xyz/client-go/core/v1"
 meta_util "kmodules.xyz/client-go/meta"
- "kmodules.xyz/client-go/policy/secomp"
 appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 mona "kmodules.xyz/monitoring-agent-api/api/v1"
 ofstv2 "kmodules.xyz/offshoot-api/api/v2"
@@ -234,15 +232,12 @@ func (p *PgBouncer) SetDefaults(pgBouncerVersion *catalog.PgBouncerVersion, uses
 }
 
 p.Spec.Monitor.SetDefaults()
-
- // we have set the permission for exporter certificate for 70 userid
- // that's why we need to set RunAsUser and RunAsGroup 70
 if p.Spec.Monitor != nil && p.Spec.Monitor.Prometheus != nil {
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(70)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 }
 if p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup == nil {
- p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pointer.Int64P(70)
+ p.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser
 }
 }
 dbContainer := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, ResourceSingularPgBouncer)
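Review bot: `pointer.Int64P(70)` appears twice as a bare literal, and the new comment says it must match the ownership set on the exporter certificate elsewhere, so this is a cross-file coupling that deserves a named constant rather than a magic number, e.g. `const exporterCertOwnerUID int64 = 70` (constructed name) used at both sites and, ideally, at the code that sets the certificate permissions. Because the exporter no longer follows `pgBouncerVersion.Spec.SecurityContext.RunAsUser` at all, a version that runs the main container as a different uid now gets a sidecar running as a different id from it; if that is acceptable the comment should state it, since readers will otherwise assume the ids are meant to agree. The comment itself would read more precisely as `// the exporter certificate is owned by uid 70, so the exporter must run as 70:70 to read it`. SetDefaults continues outside the hunk.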
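Review bot: The two restored lines assign the catalog object's pointer `pgBouncerVersion.Spec.SecurityContext.RunAsUser` directly into the exporter's SecurityContext for both RunAsUser and RunAsGroup, so the PgBouncer object and the PgBouncerVersion now share one `*int64` and an in-place update to either aliases the other; copying the value behind a nil check (the file already uses the `pointer` helpers, e.g. `pointer.Int64P(*uid)` after `if uid := ...; uid != nil`) keeps the objects independent and also avoids a nil dereference. The removed comment recorded that the exporter certificate permissions were set for uid 70; the revert drops that rationale without replacing it, so if the constraint still holds, a version whose RunAsUser is not 70 leaves the exporter unable to read its certificate, and the commit message should say why this is safe. RunAsGroup being copied from RunAsUser is pre-existing but still unexplained on the page; a one-line comment would help. SetDefaults continues outside the hunk.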
@@ -332,55 +327,49 @@ func (p *PgBouncer) SetSecurityContext(pgBouncerVersion *catalog.PgBouncerVersio Name: kubedb.PgBouncerContainerName, } } - if container.SecurityContext == nil { - container.SecurityContext = &core.SecurityContext{} - } - if container.SecurityContext.RunAsUser == nil { - if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { - container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser - } else { - container.SecurityContext.RunAsUser = p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser + container.SecurityContext = &core.SecurityContext{ + RunAsUser: func() *int64 { + if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { + return pgBouncerVersion.Spec.SecurityContext.RunAsUser + } + return p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser + }(), + RunAsGroup: func() *int64 { + if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { + return pgBouncerVersion.Spec.SecurityContext.RunAsUser + } + return p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup + }(), + Privileged: pointer.BoolP(false), } - } - - if container.SecurityContext.RunAsGroup == nil { - if p.Spec.PodTemplate.Spec.SecurityContext == nil || p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { - container.SecurityContext.RunAsGroup = pgBouncerVersion.Spec.SecurityContext.RunAsUser - } else { - container.SecurityContext.RunAsGroup = p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup + } else { + if container.SecurityContext.RunAsUser == nil { + container.SecurityContext.RunAsUser = pgBouncerVersion.Spec.SecurityContext.RunAsUser } - } - - allowPrivilegeEscalation := pointer.Bool(container.SecurityContext.AllowPrivilegeEscalation) - container.SecurityContext.AllowPrivilegeEscalation = &allowPrivilegeEscalation - - if container.SecurityContext.Capabilities == nil { - 
container.SecurityContext.Capabilities = &core.Capabilities{ - Drop: []core.Capability{"ALL"}, + if container.SecurityContext.RunAsGroup == nil { + container.SecurityContext.RunAsGroup = container.SecurityContext.RunAsUser } } - if container.SecurityContext.RunAsNonRoot == nil { - container.SecurityContext.RunAsNonRoot = ptr.To(true) - } - - if container.SecurityContext.SeccompProfile == nil { - container.SecurityContext.SeccompProfile = secomp.DefaultSeccompProfile() - } - - // podTemplate if p.Spec.PodTemplate.Spec.SecurityContext == nil { - p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{} - } - if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { - p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = ptr.To(*container.SecurityContext.RunAsUser) - } - if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { - p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = ptr.To(*container.SecurityContext.RunAsGroup) + p.Spec.PodTemplate.Spec.SecurityContext = &core.PodSecurityContext{ + RunAsUser: container.SecurityContext.RunAsUser, + RunAsGroup: container.SecurityContext.RunAsGroup, + } + } else { + if p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser == nil { + p.Spec.PodTemplate.Spec.SecurityContext.RunAsUser = container.SecurityContext.RunAsUser + } + if p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup == nil { + p.Spec.PodTemplate.Spec.SecurityContext.RunAsGroup = container.SecurityContext.RunAsGroup + } } - p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = ptr.To(*container.SecurityContext.RunAsGroup) + // Need to set FSGroup equal to p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup. + // So that /var/pv directory have the group permission for the RunAsGroup user GID. + // Otherwise, We will get write permission denied. 
+ p.Spec.PodTemplate.Spec.SecurityContext.FSGroup = container.SecurityContext.RunAsGroup isPgbouncerContainerPresent := core_util.GetContainerByName(p.Spec.PodTemplate.Spec.Containers, kubedb.PgBouncerContainerName) if isPgbouncerContainerPresent == nil { core_util.UpsertContainer(p.Spec.PodTemplate.Spec.Containers, *container)
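Review bot: The restored `else` branch fills only RunAsUser and RunAsGroup when the user supplied a container SecurityContext, while the fresh-context branch also sets `Privileged: pointer.BoolP(false)`, so the two paths disagree about whether Privileged is pinned; the restored code also no longer sets RunAsNonRoot, AllowPrivilegeEscalation, a drop-ALL capability set or a seccomp profile, which a restricted Pod Security admission policy would require, and the commit message gives no reason for dropping them. If the revert is a deliberate rollback because the hardening broke something, that reason belongs in the commit message or a comment above the SecurityContext block so it is not silently re-added later. The restored comment refers to `p.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsGroup`, a field nothing in the hunk uses; it should read `// FSGroup must equal container.SecurityContext.RunAsGroup so /var/pv is group-writable by the RunAsGroup GID.`. The pod-level and container-level SecurityContexts also end up sharing the same `*int64` values, which is worth a note since an in-place change to one silently changes the other. SetSecurityContext starts before the hunk and continues past it.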