set AllowPrivilegeEscalation on container securityContext (#1326)

charts/postgres-operator/templates/clusterrole-postgres-pod.yaml

@@ -63,6 +63,7 @@ rules:
   - services
   verbs:
   - create
+{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
 # to run privileged pods
 - apiGroups:
   - extensions
@@ -72,4 +73,5 @@ rules:
   - privileged
   verbs:
   - use
+{{- end }}
 {{ end }}

charts/postgres-operator/templates/clusterrole.yaml

@@ -228,7 +228,8 @@ rules:
   verbs:
   - get
   - create
-# to grant privilege to run privileged pods
+{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
+# to run privileged pods
 - apiGroups:
   - extensions
   resources:
@@ -237,4 +238,5 @@ rules:
   - privileged
   verbs:
   - use
+{{- end }}
 {{ end }}

manifests/operator-service-account-rbac.yaml

@@ -203,15 +203,15 @@ rules:
   verbs:
   - get
   - create
-# to grant privilege to run privileged pods
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - privileged
-  verbs:
-  - use
+# to grant privilege to run privileged pods (not needed by default)
+#- apiGroups:
+#  - extensions
+#  resources:
+#  - podsecuritypolicies
+#  resourceNames:
+#  - privileged
+#  verbs:
+#  - use
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -265,12 +265,12 @@ rules:
   - services
   verbs:
   - create
-# to run privileged pods
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - privileged
-  verbs:
-  - use
+# to grant privilege to run privileged pods (not needed by default)
+#- apiGroups:
+#  - extensions
+#  resources:
+#  - podsecuritypolicies
+#  resourceNames:
+#  - privileged
+#  verbs:
+#  - use

pkg/cluster/k8sres.go

@@ -453,6 +453,7 @@ func generateContainer(
 		VolumeMounts: volumeMounts,
 		Env:          envVars,
 		SecurityContext: &v1.SecurityContext{
+			AllowPrivilegeEscalation: &privilegedMode,
 			Privileged:               &privilegedMode,
 			ReadOnlyRootFilesystem:   util.False(),
 		},