[Feature] Extend Pod Security context (#1151)

CHANGELOG.md

@@ -12,6 +12,7 @@
 - (Improvement) Unify K8S Error Handling
 - (Feature) Remove stuck Pods
 - (Bugfix) Fix Go routine leak
+- (Feature) Extend Pod Security context
 
 ## [1.2.19](https://github.com/arangodb/kube-arangodb/tree/1.2.19) (2022-10-05)
 - (Bugfix) Prevent changes when UID is wrong

pkg/apis/deployment/v1/server_group_security_context_spec.go

@@ -0,0 +1,121 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import core "k8s.io/api/core/v1"
+
+// ServerGroupSpecSecurityContext contains specification for pod security context
+type ServerGroupSpecSecurityContext struct {
+	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
+	//
+	// Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
+	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
+	// AddCapabilities add new capabilities to containers
+	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
+	Privileged               *bool  `json:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem,omitempty"`
+	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
+	RunAsUser                *int64 `json:"runAsUser,omitempty"`
+	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
+
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+	FSGroup            *int64  `json:"fsGroup,omitempty"`
+
+	SeccompProfile *core.SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
+	SELinuxOptions *core.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+}
+
+// GetDropAllCapabilities returns flag if capabilities should be dropped
+//
+// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
+func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
+	if s == nil {
+		return true
+	}
+
+	if s.DropAllCapabilities == nil {
+		return true
+	}
+
+	return *s.DropAllCapabilities
+}
+
+// GetAddCapabilities add capabilities to pod context
+func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
+	if s == nil {
+		return nil
+	}
+
+	return s.AddCapabilities
+}
+
+// NewSecurityContext creates new pod security context
+func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
+	if s == nil {
+		return nil
+	}
+
+	if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
+		return nil
+	}
+
+	return &core.PodSecurityContext{
+		SupplementalGroups: s.SupplementalGroups,
+		FSGroup:            s.FSGroup,
+	}
+}
+
+// NewSecurityContext creates new security context
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
+	r := &core.SecurityContext{}
+
+	if s != nil {
+		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+		r.Privileged = s.Privileged
+		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+		r.RunAsNonRoot = s.RunAsNonRoot
+		r.RunAsUser = s.RunAsUser
+		r.RunAsGroup = s.RunAsGroup
+
+		r.SeccompProfile = s.SeccompProfile.DeepCopy()
+		r.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+	}
+
+	capabilities := &core.Capabilities{}
+
+	if s.GetDropAllCapabilities() {
+		capabilities.Drop = []core.Capability{
+			"ALL",
+		}
+	}
+
+	if caps := s.GetAddCapabilities(); caps != nil {
+		capabilities.Add = []core.Capability{}
+
+		capabilities.Add = append(capabilities.Add, caps...)
+	}
+
+	r.Capabilities = capabilities
+
+	return r
+}

pkg/apis/deployment/v1/server_group_spec.go

@@ -157,102 +157,6 @@ type ServerGroupSpec struct {
 	IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"`
 }
 
-// ServerGroupSpecSecurityContext contains specification for pod security context
-type ServerGroupSpecSecurityContext struct {
-	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
-	//
-	// Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
-	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
-	// AddCapabilities add new capabilities to containers
-	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
-
-	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
-	Privileged               *bool  `json:"privileged,omitempty"`
-	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem,omitempty"`
-	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
-	RunAsUser                *int64 `json:"runAsUser,omitempty"`
-	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
-
-	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
-	FSGroup            *int64  `json:"fsGroup,omitempty"`
-}
-
-// GetDropAllCapabilities returns flag if capabilities should be dropped
-//
-// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
-func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
-	if s == nil {
-		return true
-	}
-
-	if s.DropAllCapabilities == nil {
-		return true
-	}
-
-	return *s.DropAllCapabilities
-}
-
-// GetAddCapabilities add capabilities to pod context
-func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
-	if s == nil {
-		return nil
-	}
-
-	if s.AddCapabilities == nil {
-		return nil
-	}
-
-	return s.AddCapabilities
-}
-
-// NewSecurityContext creates new pod security context
-func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
-	if s == nil {
-		return nil
-	}
-
-	if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
-		return nil
-	}
-
-	return &core.PodSecurityContext{
-		SupplementalGroups: s.SupplementalGroups,
-		FSGroup:            s.FSGroup,
-	}
-}
-
-// NewSecurityContext creates new security context
-func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
-	r := &core.SecurityContext{}
-
-	if s != nil {
-		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
-		r.Privileged = s.Privileged
-		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
-		r.RunAsNonRoot = s.RunAsNonRoot
-		r.RunAsUser = s.RunAsUser
-		r.RunAsGroup = s.RunAsGroup
-	}
-
-	capabilities := &core.Capabilities{}
-
-	if s.GetDropAllCapabilities() {
-		capabilities.Drop = []core.Capability{
-			"ALL",
-		}
-	}
-
-	if caps := s.GetAddCapabilities(); caps != nil {
-		capabilities.Add = []core.Capability{}
-
-		capabilities.Add = append(capabilities.Add, caps...)
-	}
-
-	r.Capabilities = capabilities
-
-	return r
-}
-
 // ServerGroupProbesSpec contains specification for probes for pods of the server group
 type ServerGroupProbesSpec struct {
 	// LivenessProbeDisabled if true livenessProbes are disabled

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -2506,6 +2506,16 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
 		*out = new(int64)
 		**out = **in
 	}
+	if in.SeccompProfile != nil {
+		in, out := &in.SeccompProfile, &out.SeccompProfile
+		*out = new(corev1.SeccompProfile)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SELinuxOptions != nil {
+		in, out := &in.SELinuxOptions, &out.SELinuxOptions
+		*out = new(corev1.SELinuxOptions)
+		**out = **in
+	}
 	return
 }
 

pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go

@@ -0,0 +1,121 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v2alpha1
+
+import core "k8s.io/api/core/v1"
+
+// ServerGroupSpecSecurityContext contains specification for pod security context
+type ServerGroupSpecSecurityContext struct {
+	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
+	//
+	// Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
+	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
+	// AddCapabilities add new capabilities to containers
+	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
+	Privileged               *bool  `json:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem,omitempty"`
+	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
+	RunAsUser                *int64 `json:"runAsUser,omitempty"`
+	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
+
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+	FSGroup            *int64  `json:"fsGroup,omitempty"`
+
+	SeccompProfile *core.SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
+	SELinuxOptions *core.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+}
+
+// GetDropAllCapabilities returns flag if capabilities should be dropped
+//
+// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
+func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
+	if s == nil {
+		return true
+	}
+
+	if s.DropAllCapabilities == nil {
+		return true
+	}
+
+	return *s.DropAllCapabilities
+}
+
+// GetAddCapabilities add capabilities to pod context
+func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
+	if s == nil {
+		return nil
+	}
+
+	return s.AddCapabilities
+}
+
+// NewSecurityContext creates new pod security context
+func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
+	if s == nil {
+		return nil
+	}
+
+	if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
+		return nil
+	}
+
+	return &core.PodSecurityContext{
+		SupplementalGroups: s.SupplementalGroups,
+		FSGroup:            s.FSGroup,
+	}
+}
+
+// NewSecurityContext creates new security context
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
+	r := &core.SecurityContext{}
+
+	if s != nil {
+		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+		r.Privileged = s.Privileged
+		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+		r.RunAsNonRoot = s.RunAsNonRoot
+		r.RunAsUser = s.RunAsUser
+		r.RunAsGroup = s.RunAsGroup
+
+		r.SeccompProfile = s.SeccompProfile.DeepCopy()
+		r.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+	}
+
+	capabilities := &core.Capabilities{}
+
+	if s.GetDropAllCapabilities() {
+		capabilities.Drop = []core.Capability{
+			"ALL",
+		}
+	}
+
+	if caps := s.GetAddCapabilities(); caps != nil {
+		capabilities.Add = []core.Capability{}
+
+		capabilities.Add = append(capabilities.Add, caps...)
+	}
+
+	r.Capabilities = capabilities
+
+	return r
+}

pkg/apis/deployment/v2alpha1/server_group_spec.go

@@ -157,102 +157,6 @@ type ServerGroupSpec struct {
 	IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"`
 }
 
-// ServerGroupSpecSecurityContext contains specification for pod security context
-type ServerGroupSpecSecurityContext struct {
-	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
-	//
-	// Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
-	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
-	// AddCapabilities add new capabilities to containers
-	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
-
-	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
-	Privileged               *bool  `json:"privileged,omitempty"`
-	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem,omitempty"`
-	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
-	RunAsUser                *int64 `json:"runAsUser,omitempty"`
-	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
-
-	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
-	FSGroup            *int64  `json:"fsGroup,omitempty"`
-}
-
-// GetDropAllCapabilities returns flag if capabilities should be dropped
-//
-// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
-func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
-	if s == nil {
-		return true
-	}
-
-	if s.DropAllCapabilities == nil {
-		return true
-	}
-
-	return *s.DropAllCapabilities
-}
-
-// GetAddCapabilities add capabilities to pod context
-func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
-	if s == nil {
-		return nil
-	}
-
-	if s.AddCapabilities == nil {
-		return nil
-	}
-
-	return s.AddCapabilities
-}
-
-// NewSecurityContext creates new pod security context
-func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
-	if s == nil {
-		return nil
-	}
-
-	if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
-		return nil
-	}
-
-	return &core.PodSecurityContext{
-		SupplementalGroups: s.SupplementalGroups,
-		FSGroup:            s.FSGroup,
-	}
-}
-
-// NewSecurityContext creates new security context
-func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
-	r := &core.SecurityContext{}
-
-	if s != nil {
-		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
-		r.Privileged = s.Privileged
-		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
-		r.RunAsNonRoot = s.RunAsNonRoot
-		r.RunAsUser = s.RunAsUser
-		r.RunAsGroup = s.RunAsGroup
-	}
-
-	capabilities := &core.Capabilities{}
-
-	if s.GetDropAllCapabilities() {
-		capabilities.Drop = []core.Capability{
-			"ALL",
-		}
-	}
-
-	if caps := s.GetAddCapabilities(); caps != nil {
-		capabilities.Add = []core.Capability{}
-
-		capabilities.Add = append(capabilities.Add, caps...)
-	}
-
-	r.Capabilities = capabilities
-
-	return r
-}
-
 // ServerGroupProbesSpec contains specification for probes for pods of the server group
 type ServerGroupProbesSpec struct {
 	// LivenessProbeDisabled if true livenessProbes are disabled

pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go

@@ -2506,6 +2506,16 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
 		*out = new(int64)
 		**out = **in
 	}
+	if in.SeccompProfile != nil {
+		in, out := &in.SeccompProfile, &out.SeccompProfile
+		*out = new(v1.SeccompProfile)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SELinuxOptions != nil {
+		in, out := &in.SELinuxOptions, &out.SELinuxOptions
+		*out = new(v1.SELinuxOptions)
+		**out = **in
+	}
 	return
 }