
Commit 55c2d9b

author
Jonathan S. Katz
committed
Explicitly disallow allowPrivilegeEscalation on containers
There is no need for the containers to escalate privileges, ergo we can disallow them from attempting to do so. Issue: [ch10570]
1 parent 90a8a9c commit 55c2d9b

15 files changed

+68
-0
lines changed

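--- a/deploy/deployment.json
+++ b/deploy/deployment.json
@@ -32,6 +32,9 @@
 "name": "apiserver",
 "image": "$PGO_IMAGE_PREFIX/pgo-apiserver:$PGO_IMAGE_TAG",
 "imagePullPolicy": "IfNotPresent",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [
 { "containerPort": $PGO_APISERVER_PORT }
 ],
@@ -112,6 +115,9 @@
 "name": "operator",
 "image": "$PGO_IMAGE_PREFIX/postgres-operator:$PGO_IMAGE_TAG",
 "imagePullPolicy": "IfNotPresent",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "readinessProbe": {
 "exec": {
 "command": [
@@ -164,6 +170,9 @@
 }, {
 "name": "scheduler",
 "image": "$PGO_IMAGE_PREFIX/pgo-scheduler:$PGO_IMAGE_TAG",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "livenessProbe": {
 "exec": {
 "command": [
@@ -212,6 +221,9 @@
 {
 "name": "event",
 "image": "$PGO_IMAGE_PREFIX/pgo-event:$PGO_IMAGE_TAG",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "livenessProbe": {
 "httpGet": {
 "path": "/ping",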
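Review bot: `"allowPrivilegeEscalation": false` only stops a process from gaining privileges beyond those it started with (it applies no_new_privs), so a container that already runs as root keeps all of root's capabilities; none of the new `securityContext` blocks pairs it with `"runAsNonRoot": true` or `"capabilities": { "drop": ["ALL"] }`, which are the settings that actually bound what the container can do. The same three-line block is added identically in every file section of this commit (backrest-job, cluster-bootstrap-job, cluster-deployment, exporter, pgadmin-template, pgbadger, pgbouncer-template, pgdump-job, pgo-backrest-repo-template), so the missing companions apply to all of them. Kubernetes API validation also rejects `allowPrivilegeEscalation: false` on a container that sets `privileged: true` or adds CAP_SYS_ADMIN, and no_new_privs makes setuid binaries in the image ineffective, so it is worth confirming that pgdump-job.json (entrypoint wrapped by `/opt/crunchy/bin/uid_postgres.sh`) and pgo-backrest-repo-template.json (exposes an sshd port) do not rely on a setuid helper; nothing visible here shows that they do. If some images must keep running as root, `runAsNonRoot` can be left off for those, but dropping capabilities is still safe to add alongside this flag.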

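--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
@@ -35,6 +35,9 @@
 "containers": [{
 "name": "backrest",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbackrest:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "volumeMounts": [
 {{.PgbackrestRestoreVolumeMounts}}
 ],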

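--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
@@ -29,6 +29,9 @@
 "containers": [{
 "name": "database",
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 {{.ContainerResources}}
 "env": [{
 "name": "PGHA_PG_PORT",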

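--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
@@ -42,6 +42,9 @@
 {
 "name": "database",
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "readinessProbe": {
 "exec": {
 "command": [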

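--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
@@ -1,6 +1,9 @@
 {
 "name": "exporter",
 "image": "{{.PGOImagePrefix}}/crunchy-postgres-exporter:{{.PGOImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [{
 "containerPort": {{.ExporterPort}},
 "protocol": "TCP"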

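--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
@@ -43,6 +43,9 @@
 "containers": [{
 "name": "pgadminweb",
 "image": "{{.CCPImagePrefix}}/crunchy-pgadmin4:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [{
 "containerPort": {{.Port}},
 "protocol": "TCP"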

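--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
@@ -1,6 +1,9 @@
 {
 "name": "pgbadger",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbadger:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [ {
 "containerPort": {{.PGBadgerPort}},
 "protocol": "TCP"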

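--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
@@ -48,6 +48,9 @@
 "containers": [{
 "name": "pgbouncer",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbouncer:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [{
 "containerPort": {{.Port}},
 "protocol": "TCP"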

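--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
@@ -37,6 +37,9 @@
 "containers": [{
 "name": "pgdump",
 "image": "{{.CCPImagePrefix}}/crunchy-postgres-ha:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "command": ["/opt/crunchy/bin/uid_postgres.sh"],
 "args": ["/opt/crunchy/bin/start.sh"],
 "volumeMounts": [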

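--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgo-backrest-repo-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgo-backrest-repo-template.json
@@ -52,6 +52,9 @@
 "containers": [{
 "name": "database",
 "image": "{{.CCPImagePrefix}}/crunchy-pgbackrest-repo:{{.CCPImageTag}}",
+"securityContext": {
+"allowPrivilegeEscalation": false
+},
 "ports": [{
 "containerPort": {{.SshdPort}},
 "protocol": "TCP"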
