From 8518e0d1c7b60c76f339f47ba8ed666ce80117c4 Mon Sep 17 00:00:00 2001
From: rakesh561
Date: Wed, 27 Sep 2023 18:05:46 -0400
Subject: [PATCH] Allow ability to set security context for postgres deployment (#1517)

- Added docs for securityContext
- enabled web securityContext configuration

Co-authored-by: Christian M. Adams
---
 README.md | 1 +
 config/crd/bases/awx.ansible.com_awxs.yaml | 4 +++
 .../awx-operator.clusterserviceversion.yaml | 5 ++++
 .../security-context.md | 27 +++++++++++++++++++
 roles/installer/defaults/main.yml | 1 +
 .../templates/deployments/task.yaml.j2 | 2 +-
 .../templates/deployments/web.yaml.j2 | 4 +++
 .../templates/statefulsets/postgres.yaml.j2 | 4 +++
 8 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 docs/user-guide/advanced-configuration/security-context.md

diff --git a/README.md b/README.md
index 16f42bdf..5380b111 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ All of our usage and configuration docs are nested in the `docs/` directory. Bel
 - [Redis Container Capabilities](./docs/user-guide/advanced-configuration/redis-container-capabilities.md)
 - [Trusting a Custom Certificate Authority](./docs/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.md)
 - [Service Account](./docs/user-guide/advanced-configuration/service-account.md)
+ - [Security Context](./docs/user-guide/advanced-configuration/security-context.md)
 - [Persisting the Projects Directory](./docs/user-guide/advanced-configuration/persisting-projects-directory.md)
 - Troubleshooting
 - [General Debugging](./docs/troubleshooting/debugging.md)
diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml
index 21fcbf55..683552fc 100644
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -1779,6 +1779,10 @@ spec:
 session_cookie_secure:
 description: Set session cookie secure mode for web
 type: string
+ postgres_security_context_settings: description: Key/values that will be set under the pod-level securityContext field type: object x-kubernetes-preserve-unknown-fields: true
 receptor_log_level:
 description: Set log level of receptor service
 type: string
diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
index 70affaaf..e1b8d92d 100644
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -61,6 +61,11 @@ spec:
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:advanced
 - urn:alm:descriptor:com.tectonic.ui:hidden
+ - displayName: PostgreSQL Security Context Settings path: postgres_security_context_settings x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden
 - displayName: PostgreSQL Image
 path: postgres_image
 x-descriptors:
diff --git a/docs/user-guide/advanced-configuration/security-context.md b/docs/user-guide/advanced-configuration/security-context.md
new file mode 100644
index 00000000..9ab68ffc
--- /dev/null
+++ b/docs/user-guide/advanced-configuration/security-context.md
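Review bot: The description added for `postgres_security_context_settings` says the keys go under the pod-level securityContext, but the postgres statefulset hunk renders them inside the `postgres` container entry (between `name: postgres` and `args:`), which is the container-level securityContext; the two levels accept different fields (`fsGroup`/`supplementalGroups` are pod-only, `allowPrivilegeEscalation`/`capabilities` container-only), so the text would steer users toward settings the API server rejects or, depending on its field-validation mode, drops. Suggest `description: Key/values that will be set under the securityContext field of the postgres container`. The new docs table labels this same key "SecurityContext for Task and Web deployments" and the page heading still reads "Service Account", so those strings need the same correction.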
@@ -0,0 +1,27 @@
+#### Service Account
+
+It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed.
+
+| Name | Description | Default |
+ | ---------------------------------- | -------------------------------------------- | ------- |
+ | security_context_settings | SecurityContext for Task and Web deployments | {} |
+ | postgres_security_context_settings | SecurityContext for Task and Web deployments | {} |
+
+
+Example configuration securityContext for the Task and Web deployments:
+
+```yaml
+spec:
+ security_context_settings:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+```
+
+
+```yaml
+spec:
+ postgres_security_context_settings:
+ runAsNonRoot: true
+```
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index 62a171ad..266203bd 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -424,6 +424,7 @@ garbage_collect_secrets: false
 development_mode: false
 security_context_settings: {}
+postgres_security_context_settings: {}
 # Set no_log settings on certain tasks
 no_log: true
diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2
index cb57fbd1..3b3ecb0c 100644
--- a/roles/installer/templates/deployments/task.yaml.j2
+++ b/roles/installer/templates/deployments/task.yaml.j2
@@ -442,7 +442,7 @@ spec:
 fsGroup: 1000
 {% endif %}
 {% if security_context_settings|length %}
- {{ security_context_settings | to_nice_yaml | indent(8) }}
+ {{ security_context_settings | to_nice_yaml | indent(10) }}
 {% endif %}
 {% endif %}
 {% if termination_grace_period_seconds is defined %}
diff --git a/roles/installer/templates/deployments/web.yaml.j2 b/roles/installer/templates/deployments/web.yaml.j2
index 466351b6..1a731834 100644
--- a/roles/installer/templates/deployments/web.yaml.j2
+++ b/roles/installer/templates/deployments/web.yaml.j2
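Review bot: The `indent(10)` line still appends the user mapping directly after the conditional `fsGroup: 1000` entry inside the same `securityContext` block, so a `security_context_settings` that also carries `fsGroup` renders a duplicate key, which YAML loaders either reject or resolve last-wins without any signal to the user; the condition guarding the hard-coded line (it opens before this hunk) could be extended with `and 'fsGroup' not in security_context_settings` so the user value wins deterministically. The leading whitespace of the `{{ … }}` line is not visible in this hunk, and `to_nice_yaml | indent(n)` indents only the lines after the first, so whether 10 now matches the column of `fsGroup` should be confirmed by rendering the template with a multi-key mapping. The enclosing `{% if %}` block that emits `fsGroup` starts outside the hunk.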
@@ -340,6 +340,10 @@ spec:
 {% elif affinity %}
 affinity:
 {{ affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if security_context_settings|length %}
+ securityContext:
+ {{ security_context_settings | to_nice_yaml | indent(8) }}
 {% endif %}
 volumes:
 - name: "{{ ansible_operator_meta.name }}-receptor-ca"
diff --git a/roles/installer/templates/statefulsets/postgres.yaml.j2 b/roles/installer/templates/statefulsets/postgres.yaml.j2
index 772410ed..2b99eefc 100644
--- a/roles/installer/templates/statefulsets/postgres.yaml.j2
+++ b/roles/installer/templates/statefulsets/postgres.yaml.j2
@@ -51,6 +51,10 @@ spec:
 - image: '{{ _postgres_image }}'
 imagePullPolicy: '{{ image_pull_policy }}'
 name: postgres
+{% if postgres_security_context_settings|length %}
+ securityContext:
+ {{ postgres_security_context_settings | to_nice_yaml | indent(12) }}
+{% endif %}
 {% if postgres_extra_args %}
 args: {{ postgres_extra_args }}
 {% endif %}
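Review bot: The new `securityContext:` block is emitted at pod-spec level (a sibling of `affinity:` and `volumes:`), so only PodSecurityContext fields are valid in `security_context_settings` here, yet the example added in `security-context.md` for this same variable uses `allowPrivilegeEscalation` and `capabilities.drop`, which exist only on a container securityContext and would be rejected (or dropped, depending on the API server's field-validation mode), leaving the operator with no hardening and the user with no error. Either the documentation should show pod-level fields such as `runAsNonRoot` or `seccompProfile`, or this block should be placed on the `web` container to match the example; the task deployment applies the same variable at pod level next to `fsGroup`, so whichever level is chosen both deployments must agree. Rendering the two templates with the documented example would settle which level the authors intended.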
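Review bot: `postgres_security_context_settings` is rendered inside the `postgres` container entry (right after `name: postgres`), whereas the parallel `security_context_settings` is applied at pod level in the task and web deployments, so the two symmetrically named knobs accept different field sets and a user copying pod-only keys such as `fsGroup` or `supplementalGroups` into this one produces an invalid statefulset template. State the level in the CRD description and docs, or move the block up into the pod spec so both variables behave alike. The column of the `{{ … }}` line is not visible here, so `indent(12)` aligning with the container keys should be confirmed against a rendered multi-key value, since `indent` skips the first line.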