add pod security

Author: benjaminjb

internal/controller/postgrescluster/pgbouncer.go

@@ -25,6 +25,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/pgbouncer"
 	"github.com/crunchydata/postgres-operator/internal/pki"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
+	"github.com/crunchydata/postgres-operator/internal/util"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -477,7 +478,7 @@ func (r *Reconciler) generatePGBouncerDeployment(
 	// Do not add environment variables describing services in this namespace.
 	deploy.Spec.Template.Spec.EnableServiceLinks = initialize.Bool(false)
 
-	deploy.Spec.Template.Spec.SecurityContext = initialize.PodSecurityContext()
+	deploy.Spec.Template.Spec.SecurityContext = util.PodSecurityContext(ctx, 2, cluster.Spec.SupplementalGroups)
 
 	// set the image pull secrets, if any exist
 	deploy.Spec.Template.Spec.ImagePullSecrets = cluster.Spec.ImagePullSecrets

internal/util/pod_security.go

@@ -0,0 +1,43 @@
+// Copyright 2017 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package util
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/crunchydata/postgres-operator/internal/initialize"
+	"github.com/crunchydata/postgres-operator/internal/kubernetes"
+)
+
+// PodSecurityContext returns a v1.PodSecurityContext for cluster that can write
+// to PersistentVolumes.
+func PodSecurityContext(ctx context.Context, fsgroup int64, supplementalGroups []int64) *corev1.PodSecurityContext {
+	psc := initialize.PodSecurityContext()
+
+	// Use the specified supplementary groups except for root. The CRD has
+	// similar validation, but we should never emit a PodSpec with that group.
+	// - https://docs.k8s.io/concepts/security/pod-security-standards/
+	for i := range supplementalGroups {
+		if gid := supplementalGroups[i]; gid > 0 {
+			psc.SupplementalGroups = append(psc.SupplementalGroups, gid)
+		}
+	}
+
+	// OpenShift assigns a filesystem group based on a SecurityContextConstraint.
+	// Otherwise, set a filesystem group so PostgreSQL can write to files
+	// regardless of the UID or GID of a container.
+	// - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
+	// - https://docs.k8s.io/tasks/configure-pod-container/security-context/
+	// - https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html
+	if !kubernetes.Has(ctx, kubernetes.API{
+		Group: "security.openshift.io", Kind: "SecurityContextConstraints",
+	}) {
+		psc.FSGroup = initialize.Int64(fsgroup)
+	}
+
+	return psc
+}

internal/util/pod_security_test.go

@@ -0,0 +1,58 @@
+// Copyright 2017 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package util
+
+import (
+	"context"
+	"testing"
+
+	"gotest.tools/v3/assert"
+
+	"github.com/crunchydata/postgres-operator/internal/kubernetes"
+	"github.com/crunchydata/postgres-operator/internal/testing/cmp"
+)
+
+func TestPodSecurityContext(t *testing.T) {
+	ctx := context.Background()
+	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, []int64{}), `
+fsGroup: 2
+fsGroupChangePolicy: OnRootMismatch
+	`))
+
+	supplementalGroups := []int64{3, 4}
+	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 26, supplementalGroups), `
+fsGroup: 26
+fsGroupChangePolicy: OnRootMismatch
+supplementalGroups:
+- 3
+- 4
+	`))
+
+	ctx = kubernetes.NewAPIContext(ctx, kubernetes.NewAPISet(kubernetes.API{
+		Group: "security.openshift.io", Version: "v1",
+		Kind: "SecurityContextConstraints",
+	}))
+	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, []int64{}),
+		`fsGroupChangePolicy: OnRootMismatch`))
+
+	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, supplementalGroups), `
+fsGroupChangePolicy: OnRootMismatch
+	`))
+
+	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, supplementalGroups), `
+fsGroupChangePolicy: OnRootMismatch
+supplementalGroups:
+- 3
+- 4
+	`))
+
+	t.Run("NoRootGID", func(t *testing.T) {
+		supplementalGroups = []int64{999, 0, 100, 0}
+		assert.DeepEqual(t, []int64{999, 100}, PodSecurityContext(ctx, 2, supplementalGroups).SupplementalGroups)
+
+		supplementalGroups = []int64{0}
+		assert.Assert(t, PodSecurityContext(ctx, 2, supplementalGroups).SupplementalGroups == nil)
+	})
+}