From 459fa3eedd200ddb899ff6a7d90b57af1ce8608b Mon Sep 17 00:00:00 2001 From: Adam Janikowski <12255597+ajanikow@users.noreply.github.com> Date: Thu, 20 Oct 2022 12:49:03 +0200 Subject: [PATCH] [Feature] Extend Pod Security context (#1151) --- CHANGELOG.md | 1 + .../v1/server_group_security_context_spec.go | 121 ++++++++++++++++++ pkg/apis/deployment/v1/server_group_spec.go | 96 -------------- .../deployment/v1/zz_generated.deepcopy.go | 10 ++ .../server_group_security_context_spec.go | 121 ++++++++++++++++++ .../deployment/v2alpha1/server_group_spec.go | 96 -------------- .../v2alpha1/zz_generated.deepcopy.go | 10 ++ 7 files changed, 263 insertions(+), 192 deletions(-) create mode 100644 pkg/apis/deployment/v1/server_group_security_context_spec.go create mode 100644 pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go diff --git a/CHANGELOG.md b/CHANGELOG.md index 55e1c9855..cc55ef19c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ - (Improvement) Unify K8S Error Handling - (Feature) Remove stuck Pods - (Bugfix) Fix Go routine leak +- (Feature) Extend Pod Security context ## [1.2.19](https://github.com/arangodb/kube-arangodb/tree/1.2.19) (2022-10-05) - (Bugfix) Prevent changes when UID is wrong diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec.go b/pkg/apis/deployment/v1/server_group_security_context_spec.go new file mode 100644 index 000000000..3c6c53cae --- /dev/null +++ b/pkg/apis/deployment/v1/server_group_security_context_spec.go 
@@ -0,0 +1,121 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import core "k8s.io/api/core/v1"
+
+// ServerGroupSpecSecurityContext contains specification for pod security context
+type ServerGroupSpecSecurityContext struct {
+ // DropAllCapabilities specifies if capabilities should be dropped for this pod containers
+ //
+ // Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
+ DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
+ // AddCapabilities add new capabilities to containers
+ AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+ AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
+ Privileged *bool `json:"privileged,omitempty"`
+ ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
+ RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `json:"runAsUser,omitempty"`
+ RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+
+ SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+ FSGroup *int64 `json:"fsGroup,omitempty"`
+
+ SeccompProfile *core.SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
+ SELinuxOptions *core.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+}
+
+// GetDropAllCapabilities returns flag if capabilities should be dropped
+//
+// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
+func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
+ if s == nil {
+ return true
+ }
+
+ if s.DropAllCapabilities == nil {
+ return true
+ }
+
+ return *s.DropAllCapabilities
+}
+
+// GetAddCapabilities add capabilities to pod context
+func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
+ if s == nil {
+ return nil
+ }
+
+ return s.AddCapabilities
+}
+
+// NewSecurityContext creates new pod security context
+func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
+ if s == nil {
+ return nil
+ }
+
+ if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
+ return nil
+ }
+
+ return &core.PodSecurityContext{
+ SupplementalGroups: s.SupplementalGroups,
+ FSGroup: s.FSGroup,
+ }
+}
+
+// NewSecurityContext creates new security context
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
+ r := &core.SecurityContext{}
+
+ if s != nil {
+ r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+ r.Privileged = s.Privileged
+ r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+ r.RunAsNonRoot = s.RunAsNonRoot
+ r.RunAsUser = s.RunAsUser
+ r.RunAsGroup = s.RunAsGroup
+
+ r.SeccompProfile = s.SeccompProfile.DeepCopy()
+ r.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+ }
+
+ capabilities := &core.Capabilities{}
+
+ if s.GetDropAllCapabilities() {
+ capabilities.Drop = []core.Capability{
+ "ALL",
+ }
+ }
+
+ if caps := s.GetAddCapabilities(); caps != nil {
+ capabilities.Add = []core.Capability{}
+
+ capabilities.Add = append(capabilities.Add, caps...)
+ }
+
+ r.Capabilities = capabilities
+
+ return r
+}
diff --git a/pkg/apis/deployment/v1/server_group_spec.go b/pkg/apis/deployment/v1/server_group_spec.go
index fcff619ae..44e84a86d 100644
--- a/pkg/apis/deployment/v1/server_group_spec.go
+++ b/pkg/apis/deployment/v1/server_group_spec.go
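Review bot: The new `SeccompProfile` and `SELinuxOptions` fields of `ServerGroupSpecSecurityContext` have no doc comments, and they are copied only into the container-level context built by `NewSecurityContext`; `NewPodSecurityContext` still returns just `FSGroup` and `SupplementalGroups`, so a profile set here would presumably not reach containers whose context is built elsewhere (not visible in this diff). I would say so on the fields, e.g. `// SeccompProfile is applied to the container SecurityContext only; when nil, nothing is set and the pod-level or runtime default applies`, with the equivalent comment on `SELinuxOptions`. The `protobuf:"..."` tags on these two lines look carried over from `core.SecurityContext` and no sibling field has one, so they can be dropped. The comment above `NewPodSecurityContext` also still begins with `NewSecurityContext`. All of this applies equally to the identical v2alpha1 file added later in this patch.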
@@ -157,102 +157,6 @@ type ServerGroupSpec struct { IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"` } -// ServerGroupSpecSecurityContext contains specification for pod security context -type ServerGroupSpecSecurityContext struct { - // DropAllCapabilities specifies if capabilities should be dropped for this pod containers - // - // Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. - DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"` - // AddCapabilities add new capabilities to containers - AddCapabilities []core.Capability `json:"addCapabilities,omitempty"` - - AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"` - Privileged *bool `json:"privileged,omitempty"` - ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"` - RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"` - RunAsUser *int64 `json:"runAsUser,omitempty"` - RunAsGroup *int64 `json:"runAsGroup,omitempty"` - - SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` - FSGroup *int64 `json:"fsGroup,omitempty"` -} - -// GetDropAllCapabilities returns flag if capabilities should be dropped -// -// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0. 
-func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool { - if s == nil { - return true - } - - if s.DropAllCapabilities == nil { - return true - } - - return *s.DropAllCapabilities -} - -// GetAddCapabilities add capabilities to pod context -func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability { - if s == nil { - return nil - } - - if s.AddCapabilities == nil { - return nil - } - - return s.AddCapabilities -} - -// NewSecurityContext creates new pod security context -func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext { - if s == nil { - return nil - } - - if s.FSGroup == nil && len(s.SupplementalGroups) == 0 { - return nil - } - - return &core.PodSecurityContext{ - SupplementalGroups: s.SupplementalGroups, - FSGroup: s.FSGroup, - } -} - -// NewSecurityContext creates new security context -func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext { - r := &core.SecurityContext{} - - if s != nil { - r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation - r.Privileged = s.Privileged - r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem - r.RunAsNonRoot = s.RunAsNonRoot - r.RunAsUser = s.RunAsUser - r.RunAsGroup = s.RunAsGroup - } - - capabilities := &core.Capabilities{} - - if s.GetDropAllCapabilities() { - capabilities.Drop = []core.Capability{ - "ALL", - } - } - - if caps := s.GetAddCapabilities(); caps != nil { - capabilities.Add = []core.Capability{} - - capabilities.Add = append(capabilities.Add, caps...) - } - - r.Capabilities = capabilities - - return r -} - // ServerGroupProbesSpec contains specification for probes for pods of the server group type ServerGroupProbesSpec struct { // LivenessProbeDisabled if true livenessProbes are disabled diff --git a/pkg/apis/deployment/v1/zz_generated.deepcopy.go b/pkg/apis/deployment/v1/zz_generated.deepcopy.go index 2ed579c4a..9f573ea76 100644 --- a/pkg/apis/deployment/v1/zz_generated.deepcopy.go 
+++ b/pkg/apis/deployment/v1/zz_generated.deepcopy.go @@ -2506,6 +2506,16 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur *out = new(int64) **out = **in } + if in.SeccompProfile != nil { + in, out := &in.SeccompProfile, &out.SeccompProfile + *out = new(corev1.SeccompProfile) + (*in).DeepCopyInto(*out) + } + if in.SELinuxOptions != nil { + in, out := &in.SELinuxOptions, &out.SELinuxOptions + *out = new(corev1.SELinuxOptions) + **out = **in + } return } diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go new file mode 100644 index 000000000..94020c969 --- /dev/null +++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go 
@@ -0,0 +1,121 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v2alpha1
+
+import core "k8s.io/api/core/v1"
+
+// ServerGroupSpecSecurityContext contains specification for pod security context
+type ServerGroupSpecSecurityContext struct {
+ // DropAllCapabilities specifies if capabilities should be dropped for this pod containers
+ //
+ // Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
+ DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
+ // AddCapabilities add new capabilities to containers
+ AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+ AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
+ Privileged *bool `json:"privileged,omitempty"`
+ ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
+ RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+ RunAsUser *int64 `json:"runAsUser,omitempty"`
+ RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+
+ SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+ FSGroup *int64 `json:"fsGroup,omitempty"`
+
+ SeccompProfile *core.SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,11,opt,name=seccompProfile"`
+ SELinuxOptions *core.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+}
+
+// GetDropAllCapabilities returns flag if capabilities should be dropped
+//
+// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0.
+func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
+ if s == nil {
+ return true
+ }
+
+ if s.DropAllCapabilities == nil {
+ return true
+ }
+
+ return *s.DropAllCapabilities
+}
+
+// GetAddCapabilities add capabilities to pod context
+func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability {
+ if s == nil {
+ return nil
+ }
+
+ return s.AddCapabilities
+}
+
+// NewSecurityContext creates new pod security context
+func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
+ if s == nil {
+ return nil
+ }
+
+ if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
+ return nil
+ }
+
+ return &core.PodSecurityContext{
+ SupplementalGroups: s.SupplementalGroups,
+ FSGroup: s.FSGroup,
+ }
+}
+
+// NewSecurityContext creates new security context
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
+ r := &core.SecurityContext{}
+
+ if s != nil {
+ r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+ r.Privileged = s.Privileged
+ r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+ r.RunAsNonRoot = s.RunAsNonRoot
+ r.RunAsUser = s.RunAsUser
+ r.RunAsGroup = s.RunAsGroup
+
+ r.SeccompProfile = s.SeccompProfile.DeepCopy()
+ r.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+ }
+
+ capabilities := &core.Capabilities{}
+
+ if s.GetDropAllCapabilities() {
+ capabilities.Drop = []core.Capability{
+ "ALL",
+ }
+ }
+
+ if caps := s.GetAddCapabilities(); caps != nil {
+ capabilities.Add = []core.Capability{}
+
+ capabilities.Add = append(capabilities.Add, caps...)
+ }
+
+ r.Capabilities = capabilities
+
+ return r
+}
diff --git a/pkg/apis/deployment/v2alpha1/server_group_spec.go b/pkg/apis/deployment/v2alpha1/server_group_spec.go
index 60e7a9947..ab28f9fd6 100644
--- a/pkg/apis/deployment/v2alpha1/server_group_spec.go
+++ b/pkg/apis/deployment/v2alpha1/server_group_spec.go
@@ -157,102 +157,6 @@ type ServerGroupSpec struct { IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"` } -// ServerGroupSpecSecurityContext contains specification for pod security context -type ServerGroupSpecSecurityContext struct { - // DropAllCapabilities specifies if capabilities should be dropped for this pod containers - // - // Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. - DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"` - // AddCapabilities add new capabilities to containers - AddCapabilities []core.Capability `json:"addCapabilities,omitempty"` - - AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"` - Privileged *bool `json:"privileged,omitempty"` - ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"` - RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"` - RunAsUser *int64 `json:"runAsUser,omitempty"` - RunAsGroup *int64 `json:"runAsGroup,omitempty"` - - SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` - FSGroup *int64 `json:"fsGroup,omitempty"` -} - -// GetDropAllCapabilities returns flag if capabilities should be dropped -// -// Deprecated: This function is added for backward compatibility. Will be removed in 1.1.0. 
-func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool { - if s == nil { - return true - } - - if s.DropAllCapabilities == nil { - return true - } - - return *s.DropAllCapabilities -} - -// GetAddCapabilities add capabilities to pod context -func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability { - if s == nil { - return nil - } - - if s.AddCapabilities == nil { - return nil - } - - return s.AddCapabilities -} - -// NewSecurityContext creates new pod security context -func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext { - if s == nil { - return nil - } - - if s.FSGroup == nil && len(s.SupplementalGroups) == 0 { - return nil - } - - return &core.PodSecurityContext{ - SupplementalGroups: s.SupplementalGroups, - FSGroup: s.FSGroup, - } -} - -// NewSecurityContext creates new security context -func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext { - r := &core.SecurityContext{} - - if s != nil { - r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation - r.Privileged = s.Privileged - r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem - r.RunAsNonRoot = s.RunAsNonRoot - r.RunAsUser = s.RunAsUser - r.RunAsGroup = s.RunAsGroup - } - - capabilities := &core.Capabilities{} - - if s.GetDropAllCapabilities() { - capabilities.Drop = []core.Capability{ - "ALL", - } - } - - if caps := s.GetAddCapabilities(); caps != nil { - capabilities.Add = []core.Capability{} - - capabilities.Add = append(capabilities.Add, caps...) - } - - r.Capabilities = capabilities - - return r -} - // ServerGroupProbesSpec contains specification for probes for pods of the server group type ServerGroupProbesSpec struct { // LivenessProbeDisabled if true livenessProbes are disabled diff --git a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go index 53a94e090..f659ad5ef 100644 --- a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go 
+++ b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go @@ -2506,6 +2506,16 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur *out = new(int64) **out = **in } + if in.SeccompProfile != nil { + in, out := &in.SeccompProfile, &out.SeccompProfile + *out = new(v1.SeccompProfile) + (*in).DeepCopyInto(*out) + } + if in.SELinuxOptions != nil { + in, out := &in.SELinuxOptions, &out.SELinuxOptions + *out = new(v1.SELinuxOptions) + **out = **in + } return }