
Commit 000f58c

author
Jonathan S. Katz
committed
Fully support readOnlyRootFilesystem for each deployed container
This adds support for the readOnlyRootFilesystem security context attribute, which makes the container filesystem read-only except for the specified mount points. The Operator containers mostly supported this already, but required adding some ephemeral storage mounts for temporary storage, e.g. /tmp. Reviewed-by: Joseph Cho <[email protected]> Issue: [ch7571]
1 parent 55c2d9b commit 000f58c

15 files changed

+274
-34
lines changed

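--- a/deploy/deployment.json
+++ b/deploy/deployment.json
@@ -33,7 +33,8 @@
 "image": "$PGO_IMAGE_PREFIX/pgo-apiserver:$PGO_IMAGE_TAG",
 "imagePullPolicy": "IfNotPresent",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "ports": [
 { "containerPort": $PGO_APISERVER_PORT }
@@ -110,13 +111,19 @@
 "value": "localhost:4150"
 }
 ],
-"volumeMounts": []
+"volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+}
+]
 }, {
 "name": "operator",
 "image": "$PGO_IMAGE_PREFIX/postgres-operator:$PGO_IMAGE_TAG",
 "imagePullPolicy": "IfNotPresent",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "readinessProbe": {
 "exec": {
@@ -171,7 +178,8 @@
 "name": "scheduler",
 "image": "$PGO_IMAGE_PREFIX/pgo-scheduler:$PGO_IMAGE_TAG",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "livenessProbe": {
 "exec": {
@@ -215,14 +223,20 @@
 "value": "localhost:4150"
 }
 ],
-"volumeMounts": [],
+"volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+}
+],
 "imagePullPolicy": "IfNotPresent"
 },
 {
 "name": "event",
 "image": "$PGO_IMAGE_PREFIX/pgo-event:$PGO_IMAGE_TAG",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "livenessProbe": {
 "httpGet": {
@@ -238,11 +252,24 @@
 "value": "3600"
 }
 ],
-"volumeMounts": [],
+"volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+}
+],
 "imagePullPolicy": "IfNotPresent"
 }
 ],
-"volumes": []
+"volumes": [
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
+}
+]
 }
 }
 }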
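Review bot: The single `tmp` emptyDir declared in the last hunk is mounted at /tmp by the apiserver, scheduler and event containers, so those three processes share one temp directory and one 16Mi budget; a file one of them writes is readable and removable by the others, which is weaker isolation than readOnlyRootFilesystem is meant to provide. With `medium: Memory` the tmpfs pages are also charged against the writing container's memory limit, so a filled /tmp can surface as memory pressure rather than a plain ENOSPC — worth a sentence in the deployment documentation. If the containers do not need to exchange files through /tmp, one emptyDir per container (e.g. `tmp-apiserver`, `tmp-scheduler`, `tmp-event`) keeps them separated at no extra cost. The operator container also gains readOnlyRootFilesystem in the second hunk, but its volumeMounts are outside the hunk, so confirm it either needs no writable path or receives its own mount; the same `medium: Memory` accounting applies to the `tmp` volumes added in the other templates of this commit.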

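--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
@@ -25,6 +25,13 @@
 },
 "spec": {
 "volumes": [
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
+}{{ if .PgbackrestRestoreVolumes }},{{ end }}
 {{.PgbackrestRestoreVolumes}}
 ],
 "securityContext": {{.SecurityContext}},
@@ -36,9 +43,14 @@
 "name": "backrest",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbackrest:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+}{{ if .PgbackrestRestoreVolumeMounts }},{{ end }}
 {{.PgbackrestRestoreVolumeMounts}}
 ],
 "env": [{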

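--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
@@ -30,7 +30,8 @@
 "name": "database",
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 {{.ContainerResources}}
 "env": [{
@@ -137,6 +138,14 @@
 }, {
 "mountPath": "/dev/shm",
 "name": "dshm"
+},
+{
+"mountPath": "/tmp",
+"name": "tmp"
+},
+{
+"mountPath": "/var/lib/pgsql/.ssh",
+"name": "pgbackrest-ssh"
 }, {
 "mountPath": "/etc/pgbackrest/conf.d",
 "name": "pgbackrest-config"
@@ -169,6 +178,13 @@
 "secretName": "{{.RestoreFrom}}-backrest-repo-config"
 }
 },
+{
+"name": "pgbackrest-ssh",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "128Ki"
+}
+},
 {{if .TLSEnabled}}
 {
 "name": "tls-server",
@@ -218,6 +234,13 @@
 }
 ]
 }
+},
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
 }
 {{.TablespaceVolumes}}],
 "affinity": {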
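Review bot: The new `pgbackrest-ssh` emptyDir in the third hunk turns /var/lib/pgsql/.ssh into an initially empty 128Ki tmpfs, so whatever populates it at container start — presumably the SSH key material and known_hosts used for pgBackRest — now has to fit in that budget, and a full tmpfs fails writes with ENOSPC. That start-up code is outside this diff, so confirm a regenerated known_hosts or an additional key cannot exceed 128Ki, or raise the cap to leave headroom. Keeping that material on a Memory-backed volume rather than the image layer is a good choice, since it never reaches node disk. The same two volumes and mounts are added to cluster-deployment.json in this commit, where the same check applies.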

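--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
@@ -43,7 +43,8 @@
 "name": "database",
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "readinessProbe": {
 "exec": {
@@ -191,6 +192,14 @@
 {
 "mountPath": "/etc/podinfo",
 "name": "podinfo"
+},
+{
+"mountPath": "/tmp",
+"name": "tmp"
+},
+{
+"mountPath": "/var/lib/pgsql/.ssh",
+"name": "pgbackrest-ssh"
 }
 {{.TablespaceVolumeMounts}}
 ],
@@ -294,6 +303,20 @@
 "medium": "Memory"
 }
 },
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
+},
+{
+"name": "pgbackrest-ssh",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "128Ki"
+}
+},
 {
 "name": "pgbackrest-config",
 "projected": { "sources": [] }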

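--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
@@ -2,7 +2,8 @@
 "name": "exporter",
 "image": "{{.PGOImagePrefix}}/crunchy-postgres-exporter:{{.PGOImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "ports": [{
 "containerPort": {{.ExporterPort}},
@@ -52,5 +53,11 @@
 }
 }
 }
+],
+"volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+}
 ]
 }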
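Review bot: exporter.json is a container fragment, so the new `volumeMounts` entry in the second hunk references a volume named `tmp` that this file cannot declare; every pod template that splices the fragment in must define it, otherwise the pod is rejected by API validation for a mount with no matching volume. cluster-deployment.json declares `tmp` in this commit, but any other template that includes the exporter (or pgbadger.json, which gains the same mount) would need the same addition — the set of includers is not visible from this diff, so it is worth checking. A render test that asserts each generated pod spec has a volume for every volumeMount would catch this class of drift permanently.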

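--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
@@ -44,7 +44,8 @@
 "name": "pgadminweb",
 "image": "{{.CCPImagePrefix}}/crunchy-pgadmin4:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "ports": [{
 "containerPort": {{.Port}},
@@ -58,12 +59,37 @@
 "value": "{{.InitPass}}"
 }],
 "volumeMounts": [{
+"name": "tmp",
+"mountPath": "/tmp"
+},
+{
+"name": "pgadmin-log",
+"mountPath": "/var/log/pgadmin"
+},
+{
+"name": "tmp",
+"mountPath": "/etc/httpd/run"
+},
+{
 "name": "pgadmin-datadir",
-"mountPath": "/var/lib/pgadmin",
-"readOnly": false
-}]
+"mountPath": "/var/lib/pgadmin"
+}]
 }],
 "volumes": [{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
+},
+{
+"name": "pgadmin-log",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "16Mi"
+}
+},
+{
 "name": "pgadmin-datadir",
 "persistentVolumeClaim": {
 "claimName": "{{.PVCName}}"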
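Review bot: The `tmp` volume is mounted twice in the pgadminweb container in the second hunk, at /tmp and at /etc/httpd/run, so both paths resolve to the same directory: httpd's pid and socket files land in a directory any process in the container can also write to as /tmp, and a stray /tmp file can shadow something httpd expects under its run directory. A dedicated `httpd-run` emptyDir (small, `medium: Memory`) keeps the two separated at no extra cost. The `pgadmin-log` volume is likewise a 16Mi tmpfs, so logs are lost on restart and writes fail with ENOSPC once the cap is reached; confirm pgadmin4 tolerates that, or cap log size at the application level. Dropping `"readOnly": false` on the datadir mount is a no-op, since false is the default.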

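--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
@@ -2,7 +2,8 @@
 "name": "pgbadger",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbadger:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "ports": [ {
 "containerPort": {{.PGBadgerPort}},
@@ -30,6 +31,10 @@
 }
 },
 "volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+},
 {
 "mountPath": "/pgdata",
 "name": "pgdata",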

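--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
@@ -49,7 +49,8 @@
 "name": "pgbouncer",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbouncer:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "ports": [{
 "containerPort": {{.Port}},
@@ -69,6 +70,10 @@
 "value": "{{.PrimaryServiceName}}"
 }],
 "volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+},
 {{if .TLSEnabled}}
 {
 "mountPath": "/pgconf/tls/pgbouncer",
@@ -83,6 +88,13 @@
 ]
 }],
 "volumes": [
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "1Mi"
+}
+},
 {{if .TLSEnabled}}
 {
 "name": "tls-pgbouncer",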
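Review bot: The trailing comma after the new `tmp` entries in the second and third hunks assumes that an element always follows the `{{if .TLSEnabled}}` block; if, with TLS disabled, the rest of either array was previously empty or entirely conditional, the template now renders `[{...},]`, which a strict JSON parser rejects. The remainder of both arrays is outside the hunks, so this cannot be confirmed here — a render test with TLSEnabled set to false would settle it. backrest-job.json in this same commit uses the `}{{ if .X }},{{ end }}` conditional-comma idiom for exactly this situation, and it would be the safer form here if nothing unconditional follows.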

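--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
@@ -22,6 +22,13 @@
 },
 "spec": {
 "volumes": [
+{
+"name": "tmp",
+"emptyDir": {
+"medium": "Memory",
+"sizeLimit": "1Mi"
+}
+},
 {
 "name": "pgdata",
 "persistentVolumeClaim": {
@@ -38,15 +45,19 @@
 "name": "pgdump",
 "image": "{{.CCPImagePrefix}}/crunchy-postgres-ha:{{.CCPImageTag}}",
 "securityContext": {
-"allowPrivilegeEscalation": false
+"allowPrivilegeEscalation": false,
+"readOnlyRootFilesystem": true
 },
 "command": ["/opt/crunchy/bin/uid_postgres.sh"],
 "args": ["/opt/crunchy/bin/start.sh"],
 "volumeMounts": [
+{
+"mountPath": "/tmp",
+"name": "tmp"
+},
 {
 "mountPath": "/pgdata",
-"name": "pgdata",
-"readOnly": false
+"name": "pgdata"
 }
 ],
 "env": [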
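Review bot: The `tmp` volume here is capped at `1Mi` in the first hunk, as it is in pgbouncer-template.json, while the same volume is `16Mi` in deploy/deployment.json, cluster-deployment.json and the remaining templates; if the smaller cap is deliberate for these containers, that reasoning is recorded nowhere, since JSON cannot carry a comment. A full 1Mi tmpfs fails writes with ENOSPC, and whether pg_dump or the start scripts write to /tmp is not visible from this diff, so a short note in the operator documentation listing the chosen sizes and why would save the next maintainer a debugging session — or standardise on one value. Dropping `"readOnly": false` on the pgdata mount in the second hunk is a no-op, since false is the default.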
