Set securityContext for backup container
parent
37d6993439
commit
0d80de9997
|
|
@ -816,9 +816,6 @@ func (c *Cluster) generatePodTemplate(
|
|||
sidecarContainers []v1.Container,
|
||||
sharePgSocketWithSidecars *bool,
|
||||
tolerationsSpec *[]v1.Toleration,
|
||||
spiloRunAsUser *int64,
|
||||
spiloRunAsGroup *int64,
|
||||
spiloFSGroup *int64,
|
||||
nodeAffinity *v1.Affinity,
|
||||
schedulerName *string,
|
||||
terminateGracePeriod int64,
|
||||
|
|
@ -837,18 +834,22 @@ func (c *Cluster) generatePodTemplate(
|
|||
terminateGracePeriodSeconds := terminateGracePeriod
|
||||
containers := []v1.Container{*spiloContainer}
|
||||
containers = append(containers, sidecarContainers...)
|
||||
securityContext := v1.PodSecurityContext{}
|
||||
|
||||
if spiloRunAsUser != nil {
|
||||
securityContext.RunAsUser = spiloRunAsUser
|
||||
securityContext := v1.PodSecurityContext{
|
||||
RunAsUser: c.OpConfig.Resources.SpiloRunAsUser,
|
||||
RunAsGroup: c.OpConfig.Resources.SpiloRunAsGroup,
|
||||
FSGroup: c.OpConfig.Resources.SpiloFSGroup,
|
||||
}
|
||||
|
||||
if spiloRunAsGroup != nil {
|
||||
securityContext.RunAsGroup = spiloRunAsGroup
|
||||
if c.Spec.SpiloRunAsUser != nil {
|
||||
securityContext.RunAsUser = c.Spec.SpiloRunAsUser
|
||||
}
|
||||
|
||||
if spiloFSGroup != nil {
|
||||
securityContext.FSGroup = spiloFSGroup
|
||||
if c.Spec.SpiloRunAsGroup != nil {
|
||||
securityContext.RunAsGroup = c.Spec.SpiloRunAsGroup
|
||||
}
|
||||
|
||||
if c.Spec.SpiloFSGroup != nil {
|
||||
securityContext.FSGroup = c.Spec.SpiloFSGroup
|
||||
}
|
||||
|
||||
podSpec := v1.PodSpec{
|
||||
|
|
@ -1343,22 +1344,6 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
|
|||
// pickup the docker image for the spilo container
|
||||
effectiveDockerImage := util.Coalesce(spec.DockerImage, c.OpConfig.DockerImage)
|
||||
|
||||
// determine the User, Group and FSGroup for the spilo pod
|
||||
effectiveRunAsUser := c.OpConfig.Resources.SpiloRunAsUser
|
||||
if spec.SpiloRunAsUser != nil {
|
||||
effectiveRunAsUser = spec.SpiloRunAsUser
|
||||
}
|
||||
|
||||
effectiveRunAsGroup := c.OpConfig.Resources.SpiloRunAsGroup
|
||||
if spec.SpiloRunAsGroup != nil {
|
||||
effectiveRunAsGroup = spec.SpiloRunAsGroup
|
||||
}
|
||||
|
||||
effectiveFSGroup := c.OpConfig.Resources.SpiloFSGroup
|
||||
if spec.SpiloFSGroup != nil {
|
||||
effectiveFSGroup = spec.SpiloFSGroup
|
||||
}
|
||||
|
||||
volumeMounts := generateVolumeMounts(spec.Volume)
|
||||
|
||||
// configure TLS with a custom secret volume
|
||||
|
|
@ -1472,9 +1457,6 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
|
|||
sidecarContainers,
|
||||
c.OpConfig.SharePgSocketWithSidecars,
|
||||
&tolerationSpec,
|
||||
effectiveRunAsUser,
|
||||
effectiveRunAsGroup,
|
||||
effectiveFSGroup,
|
||||
c.nodeAffinity(c.OpConfig.NodeReadinessLabel, spec.NodeAffinity),
|
||||
spec.SchedulerName,
|
||||
int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),
|
||||
|
|
@ -2319,9 +2301,6 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1.CronJob, error) {
|
|||
[]v1.Container{},
|
||||
util.False(),
|
||||
&tolerationsSpec,
|
||||
nil,
|
||||
nil,
|
||||
nil,
|
||||
c.nodeAffinity(c.OpConfig.NodeReadinessLabel, nil),
|
||||
nil,
|
||||
int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),
|
||||
|
|
|
|||
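Review bot: In generatePodTemplate the per-cluster overrides are now read from `c.Spec` (`if c.Spec.SpiloRunAsUser != nil {` and the two checks after it), whereas the removed block in generateStatefulSet read them from its `spec` argument. If any caller passes a spec that differs from `c.Spec`, the StatefulSet would be built with the UID/GID/FSGroup of the other manifest; the callers are outside this view, so this needs confirming. Since generateLogicalBackupJob no longer passes `nil, nil, nil`, the backup pod now gets the same pod-level context, so the logical-backup image has to run correctly under the Spilo UID/GID. When neither the operator config nor the manifest sets a value, the context stays empty and the pod runs as the image's default user. I would add a comment above the literal, for example `// pod-level security context: operator defaults, overridden by the cluster manifest; applies to Spilo and logical backup pods alike`; both function bodies extend beyond the hunks shown.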