Allow ability to set security context for postgres deployment (#1517)

- Added docs for securityContext - enabled web securityContext configuration Co-authored-by: Christian M. Adams <chadams@redhat.com>
2026-03-26 21:33:14 +00:00 · 2023-09-27 18:05:46 -04:00
parent 6bc101af3e
commit 8518e0d1c7
8 changed files with 47 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ All of our usage and configuration docs are nested in the `docs/` directory. Bel
    - [Redis Container Capabilities](./docs/user-guide/advanced-configuration/redis-container-capabilities.md)
    - [Trusting a Custom Certificate Authority](./docs/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.md)
    - [Service Account](./docs/user-guide/advanced-configuration/service-account.md)
+    - [Security Context](./docs/user-guide/advanced-configuration/security-context.md)
    - [Persisting the Projects Directory](./docs/user-guide/advanced-configuration/persisting-projects-directory.md)
 - Troubleshooting
  - [General Debugging](./docs/troubleshooting/debugging.md)
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -1779,6 +1779,10 @@ spec:
              session_cookie_secure:
                description: Set session cookie secure mode for web
                type: string
+              postgres_security_context_settings:
+                description: Key/values that will be set under the pod-level securityContext field
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
              receptor_log_level:
                description: Set log level of receptor service
                type: string
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -61,6 +61,11 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: PostgreSQL Security Context Settings
+        path: postgres_security_context_settings
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:hidden      
      - displayName: PostgreSQL Image
        path: postgres_image
        x-descriptors:
--- a/docs/user-guide/advanced-configuration/security-context.md
+++ b/docs/user-guide/advanced-configuration/security-context.md
@@ -0,0 +1,27 @@
+#### Service Account
+
+It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed.
+
+| Name                               | Description                                  | Default |
+| ---------------------------------- | -------------------------------------------- | ------- |
+| security_context_settings          | SecurityContext for Task and Web deployments | {}      |
+| postgres_security_context_settings | SecurityContext for Task and Web deployments | {}      |
+
+
+Example configuration securityContext for the Task and Web deployments:
+
+```yaml
+spec:
+  security_context_settings:
+    allowPrivilegeEscalation: false
+    capabilities:
+        drop:
+        - ALL
+```
+
+
+```yaml
+spec:
+  postgres_security_context_settings:
+    runAsNonRoot: true
+```
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -424,6 +424,7 @@ garbage_collect_secrets: false
 development_mode: false

 security_context_settings: {}
+postgres_security_context_settings: {}

 # Set no_log settings on certain tasks
 no_log: true
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
@@ -442,7 +442,7 @@ spec:
        fsGroup: 1000
 {% endif %}
 {% if security_context_settings|length %}
-        {{ security_context_settings | to_nice_yaml | indent(8) }}
+        {{ security_context_settings | to_nice_yaml | indent(10) }}
 {% endif %}
 {% endif %}
 {% if termination_grace_period_seconds is defined %}
--- a/roles/installer/templates/deployments/web.yaml.j2
+++ b/roles/installer/templates/deployments/web.yaml.j2
@@ -340,6 +340,10 @@ spec:
 {% elif affinity %}
      affinity:
        {{ affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if security_context_settings|length %}
+      securityContext:
+        {{ security_context_settings | to_nice_yaml | indent(8) }}
 {% endif %}
      volumes:
        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
--- a/roles/installer/templates/statefulsets/postgres.yaml.j2
+++ b/roles/installer/templates/statefulsets/postgres.yaml.j2
@@ -51,6 +51,10 @@ spec:
        - image: '{{ _postgres_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          name: postgres
+{% if postgres_security_context_settings|length %}
+          securityContext:
+            {{ postgres_security_context_settings | to_nice_yaml | indent(12) }}
+{% endif %}
 {% if postgres_extra_args %}
          args: {{ postgres_extra_args }}
 {% endif %}