Feature: add support for `securityContext` in postgres containers

[fad3t]

Hello,

I've noticed that the postgres container of the pods created by the operator have a very basic securityContext:

    securityContext:
      runAsUser: 1001

I saw there's a way to set the seccompProfile but I was hoping one can also set the full securityContext of the container, which doesn't seem to be the case. This is a problem when the restricted PSS is enforced.

This could become part of the ClusterSpec object - e.g. keeping the current value as defaults, but adding the option to override if required.

I don't know how much work this would represent, and I would be happy to help if I can - I would just need some guidance to get started.

Fred

[sxd]

@fad3t hi!

Are you talking about restricted-scc ? which it's something from openshift right ?

Regards,

[fad3t]

Hi @sxd, no I'm referring to the pod security standards (cf. https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted).
We're enforcing it with Kyverno in our case, although I suppose this can be done otherwise.

[fad3t]

Hi @sxd, I see you have assigned yourself to this issue. Does this mean you're working on it?
Otherwise I would be happy to contribute!

[fad3t]

Hi, any update? Thanks

[Preisschild]

One more reason to have this feature is that large database pods might take up to 30 minutes to mount due to this issue: kubernetes/kubernetes#69699

using

securityContext:
  fsGroupChangePolicy: "OnRootMismatch"

would fix this.

[especially-relative]

last I ran across this setting the namespace to restricted prevent the init pods from starting entirely

[x0ddf]

@sxd, could you please review the PR I opened that is solving this issue?

[npgretz]

@x0ddf, this for this essential feature and your PR!

[dosubot]

Hi, @fad3t. I'm Dosu, and I'm helping the cloudnative-pg team manage their backlog. I'm marking this issue as stale.

Issue Summary:

• You requested enhanced support for securityContext configuration in PostgreSQL containers to comply with Kubernetes Pod Security Standards.
• @sxd inquired about specifics, and you clarified the use of Kyverno for enforcement.
• @Preisschild emphasized the importance of this feature due to potential delays in mounting large database pods.
• @x0ddf submitted a pull request to address the issue.
• @npgretz expressed appreciation for the contribution.

Next Steps:

• Please confirm if this issue is still relevant to the latest version of the cloudnative-pg repository by commenting here.
• If no further updates are provided, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

[fad3t]

Please keep this open, thanks.

[iamasmith]

@Preisschild raised a great point that I came here specifically to check on. The fsGroupChangePolicy has been around since k8s 1.20 which far preceeds supported k8s releases with CNPG 1.24 only offering support officially from beyond k8s 1.28.

It seems that this would be a relatively small change with the potential for massive benefit for users with large filesystems.