Set securityContext for backup container

2022-11-24 10:56:36 +01:00 · 2022-11-24 10:56:36 +01:00 · 0d80de9997
parent 37d6993439
commit 0d80de9997
1 changed files with 12 additions and 33 deletions
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@ -816,9 +816,6 @@ func (c *Cluster) generatePodTemplate(
 	sidecarContainers []v1.Container,
 	sharePgSocketWithSidecars *bool,
 	tolerationsSpec *[]v1.Toleration,
 	spiloRunAsUser *int64,
 	spiloRunAsGroup *int64,
 	spiloFSGroup *int64,
 	nodeAffinity *v1.Affinity,
 	schedulerName *string,
 	terminateGracePeriod int64,
@ -837,18 +834,22 @@ func (c *Cluster) generatePodTemplate(
 	terminateGracePeriodSeconds := terminateGracePeriod
 	containers := []v1.Container{*spiloContainer}
 	containers = append(containers, sidecarContainers...)
-	securityContext := v1.PodSecurityContext{}
+	securityContext := v1.PodSecurityContext{
-
+		RunAsUser:  c.OpConfig.Resources.SpiloRunAsUser,
-	if spiloRunAsUser != nil {
+		RunAsGroup: c.OpConfig.Resources.SpiloRunAsGroup,
-		securityContext.RunAsUser = spiloRunAsUser
+		FSGroup:    c.OpConfig.Resources.SpiloFSGroup,
 	}
-	if spiloRunAsGroup != nil {
+	if c.Spec.SpiloRunAsUser != nil {
-		securityContext.RunAsGroup = spiloRunAsGroup
+		securityContext.RunAsUser = c.Spec.SpiloRunAsUser
 	}
-	if spiloFSGroup != nil {
+	if c.Spec.SpiloRunAsGroup != nil {
-		securityContext.FSGroup = spiloFSGroup
+		securityContext.RunAsGroup = c.Spec.SpiloRunAsGroup
 	}
 	if c.Spec.SpiloFSGroup != nil {
 		securityContext.FSGroup = c.Spec.SpiloFSGroup
 	}
 	podSpec := v1.PodSpec{
@ -1343,22 +1344,6 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 	// pickup the docker image for the spilo container
 	effectiveDockerImage := util.Coalesce(spec.DockerImage, c.OpConfig.DockerImage)
 	// determine the User, Group and FSGroup for the spilo pod
 	effectiveRunAsUser := c.OpConfig.Resources.SpiloRunAsUser
 	if spec.SpiloRunAsUser != nil {
 		effectiveRunAsUser = spec.SpiloRunAsUser
 	}
 	effectiveRunAsGroup := c.OpConfig.Resources.SpiloRunAsGroup
 	if spec.SpiloRunAsGroup != nil {
 		effectiveRunAsGroup = spec.SpiloRunAsGroup
 	}
 	effectiveFSGroup := c.OpConfig.Resources.SpiloFSGroup
 	if spec.SpiloFSGroup != nil {
 		effectiveFSGroup = spec.SpiloFSGroup
 	}
 	volumeMounts := generateVolumeMounts(spec.Volume)
 	// configure TLS with a custom secret volume
@ -1472,9 +1457,6 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 		sidecarContainers,
 		c.OpConfig.SharePgSocketWithSidecars,
 		&tolerationSpec,
 		effectiveRunAsUser,
 		effectiveRunAsGroup,
 		effectiveFSGroup,
 		c.nodeAffinity(c.OpConfig.NodeReadinessLabel, spec.NodeAffinity),
 		spec.SchedulerName,
 		int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),
@ -2319,9 +2301,6 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1.CronJob, error) {
 		[]v1.Container{},
 		util.False(),
 		&tolerationsSpec,
 		nil,
 		nil,
 		nil,
 		c.nodeAffinity(c.OpConfig.NodeReadinessLabel, nil),
 		nil,
 		int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),