[Bugfix] Fix ID Pod security (#1093)

2024-12-14 11:57:37 +00:00 · 2022-09-04 19:56:35 +02:00 · 2022-09-04 19:56:35 +02:00 · 38e3ce8f49
commit 38e3ce8f49
parent ad03acb55c
3 changed files with 37 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -21,6 +21,7 @@
 - (Bugfix) Proper agent cleanout
 - (Bugfix) Fix ClusterScaling integration
 - (Feature) Sensitive information protection
+- (Bugfix) Propagate SecurityContext to the ID Containers

 ## [1.2.15](https://github.com/arangodb/kube-arangodb/tree/1.2.15) (2022-07-20)
 - (Bugfix) Ensure pod names not too long
--- a/pkg/deployment/images.go
+++ b/pkg/deployment/images.go
@ -52,8 +52,9 @@ var _ interfaces.ContainerCreator = &ContainerIdentity{}
 // ImageUpdatePod describes how to launch the ID ArangoD POD.
 type ImageUpdatePod struct {
 	spec             api.DeploymentSpec
+	status           api.DeploymentStatus
 	apiObject        k8sutil.APIObject
-	containerCreator interfaces.ContainerCreator
+	containerCreator *ArangoDIdentity
 }

 // ContainerIdentity helps to resolve the container identity, e.g.: image ID, version of the entrypoint.
@ -66,6 +67,7 @@ type ContainerIdentity struct {
 // ArangoDIdentity helps to resolve the ArangoD identity, e.g.: image ID, version of the entrypoint.
 type ArangoDIdentity struct {
 	interfaces.ContainerCreator
+	input     pod.Input
 	License   *string
 	ipAddress string
 }
@ -226,6 +228,7 @@ func (ib *imagesBuilder) fetchArangoDBImageIDAndVersion(ctx context.Context, cac

 	imagePod := ImageUpdatePod{
 		spec:      ib.Spec,
+		status:    ib.Status,
 		apiObject: ib.APIObject,
 		containerCreator: &ArangoDIdentity{
 			ContainerCreator: &ContainerIdentity{
@ -237,6 +240,7 @@ func (ib *imagesBuilder) fetchArangoDBImageIDAndVersion(ctx context.Context, cac
 			ipAddress: ib.Spec.GetListenAddr(),
 		},
 	}
+	imagePod.containerCreator.input = imagePod.AsInput()

 	pod, err = resources.RenderArangoPod(ctx, cachedStatus, ib.APIObject, role, id, podName, &imagePod)
 	if err != nil {
@ -297,7 +301,7 @@ func (i *ImageUpdatePod) GetAffinityRole() string {
 }

 func (i *ImageUpdatePod) GetVolumes() []core.Volume {
-	return getVolumes().Volumes()
+	return getVolumes(i.AsInput()).Volumes()
 }

 func (i *ImageUpdatePod) GetSidecars(*core.Pod) error {
@ -381,7 +385,10 @@ func (i *ImageUpdatePod) Validate(_ interfaces.Inspector) error {
 	return nil
 }

-func (i *ImageUpdatePod) ApplyPodSpec(_ *core.PodSpec) error {
+func (i *ImageUpdatePod) ApplyPodSpec(p *core.PodSpec) error {
+	if id := i.spec.ID; id != nil {
+		p.SecurityContext = i.spec.ID.SecurityContext.NewPodSecurityContext()
+	}
 	return nil
 }

@ -442,12 +449,16 @@ func (a *ContainerIdentity) GetVolumeMounts() []core.VolumeMount {

 // GetArgs returns the list of arguments for the ArangoD container identification.
 func (a *ArangoDIdentity) GetArgs() ([]string, error) {
-	return []string{
-		"--server.authentication=false",
-		fmt.Sprintf("--server.endpoint=tcp://%s:%d", a.ipAddress, shared.ArangoPort),
-		"--database.directory=" + shared.ArangodVolumeMountDir,
-		"--log.output=+",
-	}, nil
+	options := k8sutil.CreateOptionPairs(64)
+	options.Add("--server.authentication", "false")
+	options.Addf("--server.endpoint", "tcp://%s:%d", a.ipAddress, shared.ArangoPort)
+	options.Add("--database.directory", shared.ArangodVolumeMountDir)
+	options.Add("--log.output", "+")
+
+	// Security
+	options.Merge(pod.Security().Args(a.input))
+
+	return options.Copy().Sort().AsArgs(), nil
 }

 func (a *ArangoDIdentity) GetEnvs() []core.EnvVar {
@ -468,7 +479,16 @@ func (a *ArangoDIdentity) GetEnvs() []core.EnvVar {

 // GetVolumeMounts returns volume mount for the ArangoD data.
 func (a *ArangoDIdentity) GetVolumeMounts() []core.VolumeMount {
-	return getVolumes().VolumeMounts()
+	return getVolumes(a.input).VolumeMounts()
+}
+
+func (a *ImageUpdatePod) AsInput() pod.Input {
+	return pod.Input{
+		ApiObject:  a.apiObject,
+		Deployment: a.spec,
+		Status:     a.status,
+		Group:      api.ServerGroupImageDiscovery,
+	}
 }

 // GetExecutor returns the fixed path to the ArangoSync binary in the container.
@ -476,10 +496,13 @@ func (a *ArangoSyncIdentity) GetExecutor() string {
 	return resources.ArangoSyncExecutor
 }

-func getVolumes() pod.Volumes {
+func getVolumes(input pod.Input) pod.Volumes {
 	volumes := pod.NewVolumes()
 	volumes.AddVolume(k8sutil.CreateVolumeEmptyDir(shared.ArangodVolumeName))
 	volumes.AddVolumeMount(k8sutil.ArangodVolumeMount())

+	// Security
+	volumes.Append(pod.Security(), input)
+
 	return volumes
 }
--- a/pkg/deployment/images_test.go
+++ b/pkg/deployment/images_test.go
@ -473,10 +473,10 @@ func TestEnsureImages(t *testing.T) {

 func createTestCommandForImageUpdatePod() []string {
 	return []string{resources.ArangoDExecutor,
-		"--server.authentication=false",
-		fmt.Sprintf("--server.endpoint=tcp://[::]:%d", shared.ArangoPort),
 		"--database.directory=" + shared.ArangodVolumeMountDir,
 		"--log.output=+",
+		"--server.authentication=false",
+		fmt.Sprintf("--server.endpoint=tcp://[::]:%d", shared.ArangoPort),
 	}
 }