
Commit d6372ad

author
Jonathan S. Katz
committed
Revert "Fully support readOnlyRootFilesystem for each deployed container"
There are issues running with this configuration when using the default "restricted" SecurityContextConstraint in an OpenShift environment. Rather than applying this configuration in a patch release, this will be addressed in a newer version. While this patch does work in essentially every other environment, in order to maintain maximum compatibility with the default SCC, it makes sense to revert it. This reverts commit 000f58c.
1 parent 5dc8817 commit d6372ad

15 files changed

+34
-274
lines changed

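--- a/deploy/deployment.json
+++ b/deploy/deployment.json
@@ -34,8 +34,7 @@
 "imagePullPolicy": "IfNotPresent",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "ports": [
 { "containerPort": $PGO_APISERVER_PORT }
@@ -112,20 +111,14 @@
 "value": "localhost:4150"
 }
 ],
-"volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-}
-]
+"volumeMounts": []
 }, {
 "name": "operator",
 "image": "$PGO_IMAGE_PREFIX/postgres-operator:$PGO_IMAGE_TAG",
 "imagePullPolicy": "IfNotPresent",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "readinessProbe": {
 "exec": {
@@ -181,8 +174,7 @@
 "image": "$PGO_IMAGE_PREFIX/pgo-scheduler:$PGO_IMAGE_TAG",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "livenessProbe": {
 "exec": {
@@ -226,21 +218,15 @@
 "value": "localhost:4150"
 }
 ],
-"volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-}
-],
+"volumeMounts": [],
 "imagePullPolicy": "IfNotPresent"
 },
 {
 "name": "event",
 "image": "$PGO_IMAGE_PREFIX/pgo-event:$PGO_IMAGE_TAG",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "livenessProbe": {
 "httpGet": {
@@ -256,24 +242,11 @@
 "value": "3600"
 }
 ],
-"volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-}
-],
+"volumeMounts": [],
 "imagePullPolicy": "IfNotPresent"
 }
 ],
-"volumes": [
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
-}
-]
+"volumes": []
 }
 }
 }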
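Review bot: Every container securityContext on the new side of this section is now silent about readOnlyRootFilesystem rather than stating a value, so a reader of the manifest cannot tell whether the writable root filesystem is deliberate; the same applies to the container securityContexts in backrest-job.json, cluster-bootstrap-job.json, cluster-deployment.json, exporter.json, pgadmin-template.json, pgbadger.json, pgbouncer-template.json and pgdump-job.json. Since the commit message says the setting will return in a later version, consider keeping the key as `"readOnlyRootFilesystem": false` so the intent stays visible and the regression is easy to grep for, and referencing a tracking issue for the SCC incompatibility from the message. Dropping the tmp emptyDir volumes also removes the `sizeLimit` that previously bounded what each container could write under /tmp; with a writable root filesystem those writes presumably land on the container's ephemeral layer, which is unbounded unless an ephemeral-storage limit is set elsewhere — worth confirming.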

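--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
@@ -25,13 +25,6 @@
 },
 "spec": {
 "volumes": [
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
-}{{ if .PgbackrestRestoreVolumes }},{{ end }}
 {{.PgbackrestRestoreVolumes}}
 ],
 "securityContext": {{.SecurityContext}},
@@ -44,14 +37,9 @@
 "image": "{{.CCPImagePrefix}}/crunchy-pgbackrest:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-}{{ if .PgbackrestRestoreVolumeMounts }},{{ end }}
 {{.PgbackrestRestoreVolumeMounts}}
 ],
 "env": [{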

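--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-bootstrap-job.json
@@ -31,8 +31,7 @@
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 {{.ContainerResources}}
 "env": [{
@@ -139,14 +138,6 @@
 }, {
 "mountPath": "/dev/shm",
 "name": "dshm"
-},
-{
-"mountPath": "/tmp",
-"name": "tmp"
-},
-{
-"mountPath": "/var/lib/pgsql/.ssh",
-"name": "pgbackrest-ssh"
 }, {
 "mountPath": "/etc/pgbackrest/conf.d",
 "name": "pgbackrest-config"
@@ -179,13 +170,6 @@
 "secretName": "{{.RestoreFrom}}-backrest-repo-config"
 }
 },
-{
-"name": "pgbackrest-ssh",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "128Ki"
-}
-},
 {{if .TLSEnabled}}
 {
 "name": "tls-server",
@@ -235,13 +219,6 @@
 }
 ]
 }
-},
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
 }
 {{.TablespaceVolumes}}],
 "affinity": {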

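--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/cluster-deployment.json
@@ -44,8 +44,7 @@
 "image": "{{.CCPImagePrefix}}/{{.CCPImage}}:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "readinessProbe": {
 "exec": {
@@ -193,14 +192,6 @@
 {
 "mountPath": "/etc/podinfo",
 "name": "podinfo"
-},
-{
-"mountPath": "/tmp",
-"name": "tmp"
-},
-{
-"mountPath": "/var/lib/pgsql/.ssh",
-"name": "pgbackrest-ssh"
 }
 {{.TablespaceVolumeMounts}}
 ],
@@ -304,20 +295,6 @@
 "medium": "Memory"
 }
 },
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
-},
-{
-"name": "pgbackrest-ssh",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "128Ki"
-}
-},
 {
 "name": "pgbackrest-config",
 "projected": { "sources": [] }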

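--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/exporter.json
@@ -3,8 +3,7 @@
 "image": "{{.PGOImagePrefix}}/crunchy-postgres-exporter:{{.PGOImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "ports": [{
 "containerPort": {{.ExporterPort}},
@@ -54,11 +53,5 @@
 }
 }
 }
-],
-"volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-}
 ]
 }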

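--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json
@@ -45,8 +45,7 @@
 "image": "{{.CCPImagePrefix}}/crunchy-pgadmin4:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "ports": [{
 "containerPort": {{.Port}},
@@ -60,37 +59,12 @@
 "value": "{{.InitPass}}"
 }],
 "volumeMounts": [{
-"name": "tmp",
-"mountPath": "/tmp"
-},
-{
-"name": "pgadmin-log",
-"mountPath": "/var/log/pgadmin"
-},
-{
-"name": "tmp",
-"mountPath": "/etc/httpd/run"
-},
-{
 "name": "pgadmin-datadir",
-"mountPath": "/var/lib/pgadmin"
-}]
+"mountPath": "/var/lib/pgadmin",
+"readOnly": false
+}]
 }],
 "volumes": [{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
-},
-{
-"name": "pgadmin-log",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "16Mi"
-}
-},
-{
 "name": "pgadmin-datadir",
 "persistentVolumeClaim": {
 "claimName": "{{.PVCName}}"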

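--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbadger.json
@@ -3,8 +3,7 @@
 "image": "{{.CCPImagePrefix}}/crunchy-pgbadger:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "ports": [ {
 "containerPort": {{.PGBadgerPort}},
@@ -32,10 +31,6 @@
 }
 },
 "volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-},
 {
 "mountPath": "/pgdata",
 "name": "pgdata",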

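--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json
@@ -50,8 +50,7 @@
 "image": "{{.CCPImagePrefix}}/crunchy-pgbouncer:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "ports": [{
 "containerPort": {{.Port}},
@@ -71,10 +70,6 @@
 "value": "{{.PrimaryServiceName}}"
 }],
 "volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-},
 {{if .TLSEnabled}}
 {
 "mountPath": "/pgconf/tls/pgbouncer",
@@ -89,13 +84,6 @@
 ]
 }],
 "volumes": [
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "1Mi"
-}
-},
 {{if .TLSEnabled}}
 {
 "name": "tls-pgbouncer",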

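--- a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
+++ b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgdump-job.json
@@ -22,13 +22,6 @@
 },
 "spec": {
 "volumes": [
-{
-"name": "tmp",
-"emptyDir": {
-"medium": "Memory",
-"sizeLimit": "1Mi"
-}
-},
 {
 "name": "pgdata",
 "persistentVolumeClaim": {
@@ -46,19 +39,15 @@
 "image": "{{.CCPImagePrefix}}/crunchy-postgres-ha:{{.CCPImageTag}}",
 "securityContext": {
 "allowPrivilegeEscalation": false,
-"privileged": false,
-"readOnlyRootFilesystem": true
+"privileged": false
 },
 "command": ["/opt/crunchy/bin/uid_postgres.sh"],
 "args": ["/opt/crunchy/bin/start.sh"],
 "volumeMounts": [
-{
-"mountPath": "/tmp",
-"name": "tmp"
-},
 {
 "mountPath": "/pgdata",
-"name": "pgdata"
+"name": "pgdata",
+"readOnly": false
 }
 ],
 "env": [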
