From 95152149437160f16da742a5a076cf31779713fe Mon Sep 17 00:00:00 2001
From: BlueCog <58980604+BlueCog@users.noreply.github.com>
Date: Mon, 11 Nov 2024 13:19:31 +0100
Subject: [PATCH 1/3] feat: Add enableSecurityContext flag to containerSecurityContext
Introduced a new boolean flag enableSecurityContext within containerSecurityContext in values.yaml. This flag allows users to control whether the container-level securityContext should be included in the deployment. By default, it's set to true to maintain existing functionality.
Signed-off-by: BlueCog <58980604+BlueCog@users.noreply.github.com>
---
charts/cloudnative-pg/values.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
index a95165ffd..6f65171b0 100644
--- a/charts/cloudnative-pg/values.yaml
+++ b/charts/cloudnative-pg/values.yaml
@@ -100,6 +100,7 @@ podLabels: {}

 # -- Container Security Context.
 containerSecurityContext:
+ enableSecurityContext: true
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 10001
From 5e098b3854be56d1cffafad26df11310a0cac5d2 Mon Sep 17 00:00:00 2001
From: BlueCog <58980604+BlueCog@users.noreply.github.com>
Date: Mon, 11 Nov 2024 13:21:11 +0100
Subject: [PATCH 2/3] feat: Update deployment.yaml to conditionally include container securityContext
Modified the deployment.yaml template to include the container securityContext only when enableSecurityContext is true. This change makes the inclusion of the container-level securityContext conditional, providing flexibility for environments like OpenShift where specifying these fields may cause conflicts.
Signed-off-by: BlueCog <58980604+BlueCog@users.noreply.github.com>
---
charts/cloudnative-pg/templates/deployment.yaml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/charts/cloudnative-pg/templates/deployment.yaml b/charts/cloudnative-pg/templates/deployment.yaml
index 569752007..b375aa30c 100644
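Review bot: The new `enableSecurityContext` key carries no `# --` comment, although the neighbouring keys are documented that way and the README table in the third patch appears to be generated from those comments (helm-docs style), so the hand-edited README rows are likely to be overwritten on the next regeneration. Suggest adding, directly above the key, `# -- Set to false to omit the whole container securityContext from the Deployment; this also removes the capabilities/seccomp/allowPrivilegeEscalation/readOnlyRootFilesystem hardening, not only runAsUser/runAsGroup.` so the trade-off is visible where the value is set. The containerSecurityContext map continues past the end of the hunk.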
--- a/charts/cloudnative-pg/templates/deployment.yaml
+++ b/charts/cloudnative-pg/templates/deployment.yaml
@@ -109,8 +109,11 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 10 }}
+ {{- if .Values.containerSecurityContext.enableSecurityContext }}
+ {{- $containerSecurityContext := omit .Values.containerSecurityContext "enableSecurityContext" }}
 securityContext:
- {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- toYaml $containerSecurityContext | nindent 10 }}
+ {{- end }}
 volumeMounts:
 - mountPath: /controller
 name: scratch-data
From 3df8b00ffbc55cb36741bfcd9e0cb2c1b8994254 Mon Sep 17 00:00:00 2001
From: BlueCog <58980604+BlueCog@users.noreply.github.com>
Date: Mon, 11 Nov 2024 13:27:08 +0100
Subject: [PATCH 3/3] feat: Update README.md to document containerSecurityContext.enableSecurityContext setting
Signed-off-by: BlueCog <58980604+BlueCog@users.noreply.github.com>
---
charts/cloudnative-pg/README.md | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
index a9e569466..f441a0bc2 100644
--- a/charts/cloudnative-pg/README.md
+++ b/charts/cloudnative-pg/README.md
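Review bot: With `enableSecurityContext: false` the new `if` block emits no container securityContext at all, so the chart defaults `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: ["ALL"]` and `seccompProfile: RuntimeDefault` are dropped together with the UID/GID fields, although the OpenShift conflict the commit message cites typically comes only from the fixed `runAsUser`/`runAsGroup`. Helm already lets a user remove an individual key by overriding it with `null` (for example `--set containerSecurityContext.runAsUser=null`), so rendering the block unconditionally as `securityContext:` / `{{- toYaml (omit .Values.containerSecurityContext "enableSecurityContext") | nindent 10 }}` would keep the hardening while still allowing the per-field removal that OpenShift needs; if the all-or-nothing switch is kept on purpose, that loss should be stated next to the flag in values.yaml. The intermediate `$containerSecurityContext` variable adds nothing over passing the `omit` result straight to `toYaml`. The container spec this sits in starts and ends outside the hunk.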
@@ -35,7 +35,14 @@ CloudNativePG Operator Helm Chart
 | config.data | object | `{}` | The content of the configmap/secret, see https://cloudnative-pg.io/documentation/current/operator_conf/#available-options for all the available options. |
 | config.name | string | `"cnpg-controller-manager-config"` | The name of the configmap/secret to use. |
 | config.secret | bool | `false` | Specifies whether it should be stored in a secret, instead of a configmap. |
-| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | Container Security Context. |
+| containerSecurityContext | object | See below | Container Security Context. |
+| containerSecurityContext.enableSecurityContext | bool | `true` | Determines whether the container-level securityContext is included in the Deployment. Set to `false` to disable the container securityContext (useful for OpenShift). |
+| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Controls whether a process can gain more privileges than its parent process. |
+| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Whether the container has a read-only root filesystem. |
+| containerSecurityContext.runAsUser | int | `10001` | The user ID to run the container process. |
+| containerSecurityContext.runAsGroup | int | `10001` | The group ID for the container process. |
+| containerSecurityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | Seccomp profile for the container. |
+| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Linux capabilities to be dropped from the container. |
 | crds.create | bool | `true` | Specifies whether the CRDs should be created when installing the chart. |
 | dnsPolicy | string | `""` | |
 | fullnameOverride | string | `""` | |