public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of github.com:zalando/postgres-operator

This commit is contained in:
Felix Kunde 2021-03-29 11:19:43 +02:00
parent 690f0504b1 9e93c0a4ef
commit 20a3e403df
14 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
charts/postgres-operator-ui/templates/deployment.yaml
View File

@ -18,7 +18,7 @@ spec:
labels: labels:
app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }} app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
team: "acid" # Parameterize? team: "{{ join "," .Values.envs.teams }}"
spec: spec:
serviceAccountName: {{ include "postgres-operator-ui.serviceAccountName" . }} serviceAccountName: {{ include "postgres-operator-ui.serviceAccountName" . }}
{{- if .Values.imagePullSecrets }} {{- if .Values.imagePullSecrets }}
@ -54,7 +54,10 @@ spec:
- name: "TEAMS" - name: "TEAMS"
value: |- value: |-
[ [
"acid" {{- range(initial .Values.envs.teams) }}
{{ . | quote }},
{{- end }}
{{ last .Values.envs.teams | quote }}
] ]
- name: "OPERATOR_UI_CONFIG" - name: "OPERATOR_UI_CONFIG"
value: |- value: |-

4
charts/postgres-operator-ui/values.yaml
View File

@ -15,7 +15,7 @@ image:
# Secrets must be manually created in the namespace. # Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
# imagePullSecrets: # imagePullSecrets:
# - name: # - name:
rbac: rbac:
# Specifies whether RBAC resources should be created # Specifies whether RBAC resources should be created
@ -45,6 +45,8 @@ envs:
operatorClusterNameLabel: "cluster-name" operatorClusterNameLabel: "cluster-name"
resourcesVisible: "False" resourcesVisible: "False"
targetNamespace: "default" targetNamespace: "default"
teams:
- "acid"
# configure UI service # configure UI service
service: service:

3
charts/postgres-operator/crds/operatorconfigurations.yaml
View File

@ -264,6 +264,9 @@ spec:
secret_name_template: secret_name_template:
type: string type: string
default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
spilo_allow_privilege_escalation:
type: boolean
default: true
spilo_runasuser: spilo_runasuser:
type: integer type: integer
spilo_runasgroup: spilo_runasgroup:

3
charts/postgres-operator/values-crd.yaml
View File

@ -155,6 +155,9 @@ configKubernetes:
# whether the Spilo container should run in privileged mode # whether the Spilo container should run in privileged mode
spilo_privileged: false spilo_privileged: false
# whether the Spilo container should run with additional permissions other than parent.
# required by cron which needs setuid
spilo_allow_privilege_escalation: true
# storage resize strategy, available options are: ebs, pvc, off # storage resize strategy, available options are: ebs, pvc, off
storage_resize_mode: pvc storage_resize_mode: pvc
# operator watches for postgres objects in the given namespace # operator watches for postgres objects in the given namespace

3
charts/postgres-operator/values.yaml
View File

@ -147,6 +147,9 @@ configKubernetes:
# whether the Spilo container should run in privileged mode # whether the Spilo container should run in privileged mode
spilo_privileged: "false" spilo_privileged: "false"
# whether the Spilo container should run with additional permissions other than parent.
# required by cron which needs setuid
spilo_allow_privilege_escalation: true
# storage resize strategy, available options are: ebs, pvc, off # storage resize strategy, available options are: ebs, pvc, off
storage_resize_mode: pvc storage_resize_mode: pvc
# operator watches for postgres objects in the given namespace # operator watches for postgres objects in the given namespace

5
docs/reference/operator_parameters.md
View File

@ -374,6 +374,11 @@ configuration they are grouped under the `kubernetes` key.
used for AWS volume resizing and not required if you don't need that used for AWS volume resizing and not required if you don't need that
capability. The default is `false`. capability. The default is `false`.
* **spilo_allow_privilege_escalation**
Controls whether a process can gain more privileges than its parent
process. Required by cron which needs setuid. Without this parameter,
certification rotation & backups will not be done. The default is `true`.
* **additional_pod_capabilities** * **additional_pod_capabilities**
list of additional capabilities to be added to the postgres container's list of additional capabilities to be added to the postgres container's
SecurityContext (e.g. SYS_NICE etc.). Please, make sure first that the SecurityContext (e.g. SYS_NICE etc.). Please, make sure first that the

1
manifests/configmap.yaml
View File

@ -114,6 +114,7 @@ data:
secret_name_template: "{username}.{cluster}.credentials" secret_name_template: "{username}.{cluster}.credentials"
# sidecar_docker_images: "" # sidecar_docker_images: ""
# set_memory_request_to_limit: "false" # set_memory_request_to_limit: "false"
spilo_allow_privilege_escalation: "true"
# spilo_runasuser: 101 # spilo_runasuser: 101
# spilo_runasgroup: 103 # spilo_runasgroup: 103
# spilo_fsgroup: 103 # spilo_fsgroup: 103

3
manifests/operatorconfiguration.crd.yaml
View File

@ -260,6 +260,9 @@ spec:
secret_name_template: secret_name_template:
type: string type: string
default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
spilo_allow_privilege_escalation:
type: boolean
default: true
spilo_runasuser: spilo_runasuser:
type: integer type: integer
spilo_runasgroup: spilo_runasgroup:

1
manifests/postgresql-operator-default-configuration.yaml
View File

@ -79,6 +79,7 @@ configuration:
# pod_service_account_role_binding_definition: "" # pod_service_account_role_binding_definition: ""
pod_terminate_grace_period: 5m pod_terminate_grace_period: 5m
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
spilo_allow_privilege_escalation: true
# spilo_runasuser: 101 # spilo_runasuser: 101
# spilo_runasgroup: 103 # spilo_runasgroup: 103
# spilo_fsgroup: 103 # spilo_fsgroup: 103

3
pkg/apis/acid.zalan.do/v1/crds.go
View File

@ -1162,6 +1162,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
"spilo_privileged": { "spilo_privileged": {
Type: "boolean", Type: "boolean",
}, },
"spilo_allow_privilege_escalation": {
Type: "boolean",
},
"storage_resize_mode": { "storage_resize_mode": {
Type: "string", Type: "string",
Enum: []apiextv1.JSON{ Enum: []apiextv1.JSON{

1
pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
View File

@ -56,6 +56,7 @@ type KubernetesMetaConfiguration struct {
PodServiceAccountRoleBindingDefinition string `json:"pod_service_account_role_binding_definition,omitempty"` PodServiceAccountRoleBindingDefinition string `json:"pod_service_account_role_binding_definition,omitempty"`
PodTerminateGracePeriod Duration `json:"pod_terminate_grace_period,omitempty"` PodTerminateGracePeriod Duration `json:"pod_terminate_grace_period,omitempty"`
SpiloPrivileged bool `json:"spilo_privileged,omitempty"` SpiloPrivileged bool `json:"spilo_privileged,omitempty"`
SpiloAllowPrivilegeEscalation bool `json:"spilo_allow_privilege_escalation,omitempty"`
SpiloRunAsUser *int64 `json:"spilo_runasuser,omitempty"` SpiloRunAsUser *int64 `json:"spilo_runasuser,omitempty"`
SpiloRunAsGroup *int64 `json:"spilo_runasgroup,omitempty"` SpiloRunAsGroup *int64 `json:"spilo_runasgroup,omitempty"`
SpiloFSGroup *int64 `json:"spilo_fsgroup,omitempty"` SpiloFSGroup *int64 `json:"spilo_fsgroup,omitempty"`

5
pkg/cluster/k8sres.go
View File

@ -442,6 +442,7 @@ func generateContainer(
envVars []v1.EnvVar, envVars []v1.EnvVar,
volumeMounts []v1.VolumeMount, volumeMounts []v1.VolumeMount,
privilegedMode bool, privilegedMode bool,
privilegeEscalationMode bool,
additionalPodCapabilities *v1.Capabilities, additionalPodCapabilities *v1.Capabilities,
) *v1.Container { ) *v1.Container {
return &v1.Container{ return &v1.Container{
@ -466,7 +467,7 @@ func generateContainer(
VolumeMounts: volumeMounts, VolumeMounts: volumeMounts,
Env: envVars, Env: envVars,
SecurityContext: &v1.SecurityContext{ SecurityContext: &v1.SecurityContext{
AllowPrivilegeEscalation: &privilegedMode, AllowPrivilegeEscalation: &privilegeEscalationMode,
Privileged: &privilegedMode, Privileged: &privilegedMode,
ReadOnlyRootFilesystem: util.False(), ReadOnlyRootFilesystem: util.False(),
Capabilities: additionalPodCapabilities, Capabilities: additionalPodCapabilities,
@ -1162,6 +1163,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
deduplicateEnvVars(spiloEnvVars, c.containerName(), c.logger), deduplicateEnvVars(spiloEnvVars, c.containerName(), c.logger),
volumeMounts, volumeMounts,
c.OpConfig.Resources.SpiloPrivileged, c.OpConfig.Resources.SpiloPrivileged,
c.OpConfig.Resources.SpiloAllowPrivilegeEscalation,
generateCapabilities(c.OpConfig.AdditionalPodCapabilities), generateCapabilities(c.OpConfig.AdditionalPodCapabilities),
) )
@ -1915,6 +1917,7 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1beta1.CronJob, error) {
envVars, envVars,
[]v1.VolumeMount{}, []v1.VolumeMount{},
c.OpConfig.SpiloPrivileged, // use same value as for normal DB pods c.OpConfig.SpiloPrivileged, // use same value as for normal DB pods
c.OpConfig.SpiloAllowPrivilegeEscalation,
nil, nil,
) )

1
pkg/controller/operator_config.go
View File

@ -68,6 +68,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.PodEnvironmentSecret = fromCRD.Kubernetes.PodEnvironmentSecret result.PodEnvironmentSecret = fromCRD.Kubernetes.PodEnvironmentSecret
result.PodTerminateGracePeriod = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod), "5m") result.PodTerminateGracePeriod = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod), "5m")
result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
result.SpiloAllowPrivilegeEscalation = fromCRD.Kubernetes.SpiloAllowPrivilegeEscalation
result.SpiloRunAsUser = fromCRD.Kubernetes.SpiloRunAsUser result.SpiloRunAsUser = fromCRD.Kubernetes.SpiloRunAsUser
result.SpiloRunAsGroup = fromCRD.Kubernetes.SpiloRunAsGroup result.SpiloRunAsGroup = fromCRD.Kubernetes.SpiloRunAsGroup
result.SpiloFSGroup = fromCRD.Kubernetes.SpiloFSGroup result.SpiloFSGroup = fromCRD.Kubernetes.SpiloFSGroup

1
pkg/util/config/config.go
View File

@ -34,6 +34,7 @@ type Resources struct {
PodPriorityClassName string `name:"pod_priority_class_name"` PodPriorityClassName string `name:"pod_priority_class_name"`
ClusterDomain string `name:"cluster_domain" default:"cluster.local"` ClusterDomain string `name:"cluster_domain" default:"cluster.local"`
SpiloPrivileged bool `name:"spilo_privileged" default:"false"` SpiloPrivileged bool `name:"spilo_privileged" default:"false"`
SpiloAllowPrivilegeEscalation bool `name:"spilo_allow_privilege_escalation" default:"false"`
AdditionalPodCapabilities []string `name:"additional_pod_capabilities" default:""` AdditionalPodCapabilities []string `name:"additional_pod_capabilities" default:""`
ClusterLabels map[string]string `name:"cluster_labels" default:"application:spilo"` ClusterLabels map[string]string `name:"cluster_labels" default:"application:spilo"`
InheritedLabels []string `name:"inherited_labels" default:""` InheritedLabels []string `name:"inherited_labels" default:""`