public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge 37924413a7 into 1af4c50ed0

This commit is contained in:
yyvess 2025-10-21 15:03:11 +02:00 committed by GitHub
parent 1af4c50ed0 37924413a7
commit 25985a5f75
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/cluster/k8sres.go
View File

@ -834,7 +834,9 @@ func (c *Cluster) generatePodTemplate(
securityContext := v1.PodSecurityContext{} securityContext := v1.PodSecurityContext{}
if spiloRunAsUser != nil { if spiloRunAsUser != nil {
var isNoRootPid = (*spiloRunAsUser > int64(0))
securityContext.RunAsUser = spiloRunAsUser securityContext.RunAsUser = spiloRunAsUser
securityContext.RunAsNonRoot = &isNoRootPid
} }
if spiloRunAsGroup != nil { if spiloRunAsGroup != nil {

97
pkg/cluster/k8sres_test.go
View File

@ -3984,3 +3984,100 @@ func TestGenerateCapabilities(t *testing.T) {
} }
} }
} }
func TestRunPids(t *testing.T) {
client, _ := newFakeK8sTestClient()
clusterName := "acid-test-cluster"
namespace := "default"
spiloRunAsUser := int64(999)
spiloRunAsGroup := int64(100)
spiloFSGroup := int64(200)
pg := acidv1.Postgresql{
ObjectMeta: metav1.ObjectMeta{
Name: clusterName,
Namespace: namespace,
},
Spec: acidv1.PostgresSpec{
TeamID: "myapp", NumberOfInstances: 1,
Resources: &acidv1.Resources{
ResourceRequests: acidv1.ResourceDescription{CPU: "1", Memory: "10"},
ResourceLimits: acidv1.ResourceDescription{CPU: "1", Memory: "10"},
},
Volume: acidv1.Volume{
Size: "1G",
},
},
}
var cluster = New(
Config{
OpConfig: config.Config{
PodManagementPolicy: "ordered_ready",
ProtectedRoles: []string{"admin"},
Resources: config.Resources{
SpiloRunAsUser: &spiloRunAsUser,
SpiloRunAsGroup: &spiloRunAsGroup,
SpiloFSGroup: &spiloFSGroup,
},
},
}, client, pg, logger, eventRecorder)
// create a statefulset
sts, err := cluster.createStatefulSet()
assert.NoError(t, err)
assert.Equal(t, &spiloRunAsUser, sts.Spec.Template.Spec.SecurityContext.RunAsUser, "has a RunAsUser assigned")
assert.Equal(t, &spiloRunAsGroup, sts.Spec.Template.Spec.SecurityContext.RunAsGroup, "has a RunAsGroup assigned")
assert.Equal(t, &spiloFSGroup, sts.Spec.Template.Spec.SecurityContext.FSGroup, "has a FSGroup assigned")
assert.Equal(t, true, *sts.Spec.Template.Spec.SecurityContext.RunAsNonRoot, "has the flag RunAsNonRoot")
}
func TestRunRootPids(t *testing.T) {
client, _ := newFakeK8sTestClient()
clusterName := "acid-test-cluster"
namespace := "default"
spiloRunAsUser := int64(0)
spiloRunAsGroup := int64(100)
spiloFSGroup := int64(200)
pg := acidv1.Postgresql{
ObjectMeta: metav1.ObjectMeta{
Name: clusterName,
Namespace: namespace,
},
Spec: acidv1.PostgresSpec{
TeamID: "myapp", NumberOfInstances: 1,
Resources: &acidv1.Resources{
ResourceRequests: acidv1.ResourceDescription{CPU: "1", Memory: "10"},
ResourceLimits: acidv1.ResourceDescription{CPU: "1", Memory: "10"},
},
Volume: acidv1.Volume{
Size: "1G",
},
},
}
var cluster = New(
Config{
OpConfig: config.Config{
PodManagementPolicy: "ordered_ready",
ProtectedRoles: []string{"admin"},
Resources: config.Resources{
SpiloRunAsUser: &spiloRunAsUser,
SpiloRunAsGroup: &spiloRunAsGroup,
SpiloFSGroup: &spiloFSGroup,
},
},
}, client, pg, logger, eventRecorder)
// create a statefulset
sts, err := cluster.createStatefulSet()
assert.NoError(t, err)
assert.Equal(t, &spiloRunAsUser, sts.Spec.Template.Spec.SecurityContext.RunAsUser, "has a RunAsUser assigned")
assert.Equal(t, &spiloRunAsGroup, sts.Spec.Template.Spec.SecurityContext.RunAsGroup, "has a RunAsGroup assigned")
assert.Equal(t, &spiloFSGroup, sts.Spec.Template.Spec.SecurityContext.FSGroup, "has a FSGroup assigned")
assert.Equal(t, false, *sts.Spec.Template.Spec.SecurityContext.RunAsNonRoot, "has the flag RunAsNonRoot")
}