Drop Container Capabilities #56
Comments
|
@alex1989hu Yup, I think that is the direction we want to head in. We have not thoroughly tested doing so across all the containers yet. That said, I do agree with the change in principle. Have you tested dropping the capabilities? |
Yes, here is the Operator output with dropped capabilities:
I was able to create a Postgres Cluster: kubectl -n alex describe postgresclusters.postgres-operator.crunchydata.com foo
Name: foo
Namespace: alex
Labels: <none>
Annotations: <none>
API Version: postgres-operator.crunchydata.com/v1beta1
Kind: PostgresCluster
Metadata:
Creation Timestamp: 2021-11-19T11:55:45Z
Finalizers:
postgres-operator.crunchydata.com/finalizer
Generation: 1
Managed Fields:
API Version: postgres-operator.crunchydata.com/v1beta1
Fields Type: FieldsV1
fieldsV1:
f:spec:
.:
f:backups:
.:
f:pgbackrest:
.:
f:repos:
.:
k:{"name":"repo1"}:
.:
f:name:
f:volume:
.:
f:volumeClaimSpec:
.:
f:accessModes:
f:resources:
.:
f:requests:
.:
f:storage:
f:instances:
.:
k:{"name":"postgres"}:
.:
f:affinity:
.:
f:podAntiAffinity:
.:
f:requiredDuringSchedulingIgnoredDuringExecution:
f:dataVolumeClaimSpec:
.:
f:accessModes:
f:resources:
.:
f:requests:
.:
f:storage:
f:metadata:
.:
f:annotations:
.:
f:co.elastic.logs/enabled:
f:name:
f:replicas:
f:port:
f:postgresVersion:
Manager: kubectl-create
Operation: Update
Time: 2021-11-19T11:55:45Z
API Version: postgres-operator.crunchydata.com/v1beta1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:finalizers:
.:
v:"postgres-operator.crunchydata.com/finalizer":
Manager: postgrescluster-controller
Operation: Update
Time: 2021-11-19T11:55:45Z
API Version: postgres-operator.crunchydata.com/v1beta1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:conditions:
.:
k:{"type":"PGBackRestReplicaCreate"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
k:{"type":"PGBackRestReplicaRepoReady"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
k:{"type":"PGBackRestRepoHostReady"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
f:databaseRevision:
f:instances:
.:
k:{"name":"postgres"}:
.:
f:name:
f:readyReplicas:
f:replicas:
f:updatedReplicas:
f:monitoring:
.:
f:exporterConfiguration:
f:observedGeneration:
f:patroni:
.:
f:systemIdentifier:
f:pgbackrest:
.:
f:repoHost:
.:
f:apiVersion:
f:kind:
f:ready:
f:repos:
.:
k:{"name":"repo1"}:
.:
f:bound:
f:name:
f:replicaCreateBackupComplete:
f:stanzaCreated:
f:volume:
f:proxy:
.:
f:pgBouncer:
.:
f:postgresRevision:
f:usersRevision:
Manager: postgrescluster-controller
Operation: Update
Subresource: status
Time: 2021-11-19T11:56:21Z
Resource Version: 10705
UID: 77e90c43-5db8-428e-a67d-11d93b4af348
Spec:
Backups:
Pgbackrest:
Repos:
Name: repo1
Volume:
Volume Claim Spec:
Access Modes:
ReadWriteOnce
Resources:
Requests:
Storage: 1Gi
Instances:
Affinity:
Pod Anti Affinity:
Required During Scheduling Ignored During Execution:
Label Selector:
Match Labels:
postgres-operator.crunchydata.com/cluster: foo
postgres-operator.crunchydata.com/instance-set: postgres
Topology Key: kubernetes.io/hostname
Data Volume Claim Spec:
Access Modes:
ReadWriteOnce
Resources:
Requests:
Storage: 500Mi
Metadata:
Annotations:
co.elastic.logs/enabled: true
Name: postgres
Replicas: 3
Port: 5432
Postgres Version: 13
Status:
Conditions:
Last Transition Time: 2021-11-19T11:55:59Z
Message: pgBackRest dedicated repository host is ready
Observed Generation: 1
Reason: RepoHostReady
Status: True
Type: PGBackRestRepoHostReady
Last Transition Time: 2021-11-19T11:56:02Z
Message: pgBackRest replica create repo is ready for backups
Observed Generation: 1
Reason: StanzaCreated
Status: True
Type: PGBackRestReplicaRepoReady
Last Transition Time: 2021-11-19T11:56:21Z
Message: pgBackRest replica creation is now possible
Observed Generation: 1
Reason: RepoBackupComplete
Status: True
Type: PGBackRestReplicaCreate
Database Revision: 86957996b
Instances:
Name: postgres
Ready Replicas: 3
Replicas: 3
Updated Replicas: 3
Monitoring:
Exporter Configuration: 559c4c97d6
Observed Generation: 1
Patroni:
System Identifier: 7032248538980384877
Pgbackrest:
Repo Host:
API Version: apps/v1
Kind: StatefulSet
Ready: true
Repos:
Bound: true
Name: repo1
Replica Create Backup Complete: true
Stanza Created: true
Volume: pvc-677d110f-eda4-4f6f-8987-a605415fb26b
Proxy:
Pg Bouncer:
Postgres Revision: 5c9966f6bc
Users Revision: 6d5fb668d9
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal RepoHostCreated 3m2s postgrescluster-controller created pgBackRest repository host StatefulSet/foo-repo-host
Warning UnableToCreateStanzas 2m47s (x2 over 2m49s) postgrescluster-controller command terminated with exit code 125: ERROR: [125]: remote-0 process on 'foo-repo-host-0.foo-pods.alex.svc.cluster.local.' terminated unexpectedly [255]: ssh: Could not resolve hostname foo-repo-host-0.foo-pods.alex.svc.cluster.local.: Name or service not known
Normal StanzasCreated 2m45s postgrescluster-controller pgBackRest stanza creation completed successfully |
|
Yeah, I think it's safe to do this on the Operator container itself. I'd like to put it into our e2e pipeline to ensure all the other various functionalities still work. That said, I think we can try to target adding that directive for the v5.1 release. |
|
The following securityContext is required by For the operator I can configure through the kustomize files. But for the database I had to change manually the deployment/statefulsets . Can we make this configurable somehow? |
|
I'll confess interest in having this along with having this pass the Trivy security scanner for all configuration values. |
As far as I see there is no reason to keep all the capabilities and we can drop all of them in Container Security Context:
What do you think about? Please tell me if there is a specific need, otherwise I am happy to create a PR as a follow up of #55
The text was updated successfully, but these errors were encountered: