feat: Specify the security context on the proxy container. (#698)

hessjcg · web-flow · commit 05130f0ab326 · 2025-08-26T11:20:42.000-06:00
This adds a new field to the AuthProxyWorkload spec: authProxyContainer.securityContext. This field will override the default security in the auth proxy container. Fixes #694 See also #641
diff --git a/docs/api.md b/docs/api.md
@@ -50,6 +50,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `container` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core)_ | Container is debugging parameter that when specified will override the<br />proxy container with a completely custom Container spec. |  | Optional: \{\} <br /> |
 | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. |  | Optional: \{\} <br /> |
+| `securityContext` _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#securitycontext-v1-core)_ | SecurityContext specifies the security context for the proxy container. |  | Optional: \{\} <br /> |
 | `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry.<br />Optional, by default |  | Optional: \{\} <br /> |
 | `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is<br />available to other containers in the same pod. |  |  |
 | `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself<br />to the Google Cloud API. |  |  |
diff --git a/internal/api/v1/authproxyworkload_types.go b/internal/api/v1/authproxyworkload_types.go
@@ -154,6 +154,10 @@ type AuthProxyContainerSpec struct {
 	//+kubebuilder:validation:Optional
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 
+	// SecurityContext specifies the security context for the proxy container.
+	//+kubebuilder:validation:Optional
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
+
 	// Telemetry specifies how the proxy should expose telemetry.
 	// Optional, by default
 	//+kubebuilder:validation:Optional
diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go
@@ -737,7 +737,9 @@ func (s *updateState) applyContainerSpec(p *cloudsqlapi.AuthProxyWorkload, c *co
 		// Do not allow privilege escalation
 		AllowPrivilegeEscalation: &f,
 	}
-
+	if p.Spec.AuthProxyContainer != nil && p.Spec.AuthProxyContainer.SecurityContext != nil {
+		c.SecurityContext = p.Spec.AuthProxyContainer.SecurityContext.DeepCopy()
+	}
 	if p.Spec.AuthProxyContainer == nil {
 		return
 	}
diff --git a/internal/workload/podspec_updates_test.go b/internal/workload/podspec_updates_test.go
@@ -513,6 +513,54 @@ func TestResourcesFromSpec(t *testing.T) {
 
 }
 
+func TestSecurityContextFromSpec(t *testing.T) {
+	var (
+		wantsInstanceName   = "project:server:db"
+		wantSecurityContext = &corev1.SecurityContext{
+			Privileged: ptr(true),
+			RunAsUser:  ptr(int64(1000)),
+			RunAsGroup: ptr(int64(1000)),
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_ADMIN"},
+			},
+		}
+
+		u = workload.NewUpdater("cloud-sql-proxy-operator/dev", workload.DefaultProxyImage, false)
+	)
+
+	// Create a pod
+	wl := podWorkload()
+	wl.Pod.Spec.Containers[0].Ports =
+		[]corev1.ContainerPort{{Name: "http", ContainerPort: 8080}}
+
+	// Create a AuthProxyWorkload that matches the deployment
+	csqls := []*cloudsqlapi.AuthProxyWorkload{simpleAuthProxy("instance1", wantsInstanceName)}
+	csqls[0].Spec.AuthProxyContainer = &cloudsqlapi.AuthProxyContainerSpec{SecurityContext: wantSecurityContext}
+
+	// update the containers
+	err := configureProxies(u, wl, csqls)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// ensure that the new container exists
+	if len(wl.Pod.Spec.Containers) != 2 {
+		t.Fatalf("got %v, wants 1. deployment containers length", len(wl.Pod.Spec.Containers))
+	}
+
+	// test that the instancename matches the new expected instance name.
+	csqlContainer, err := findContainer(wl, fmt.Sprintf("csql-default-%s", csqls[0].GetName()))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// test that resources was set
+	if !reflect.DeepEqual(csqlContainer.SecurityContext, wantSecurityContext) {
+		t.Errorf("got %v, want %v for proxy container command", csqlContainer.SecurityContext, wantSecurityContext)
+	}
+
+}
+
 func TestProxyCLIArgs(t *testing.T) {
 	wantTrue := true
 	wantFalse := false

Original file line number	Diff line number	Diff line change
`@@ -737,7 +737,9 @@ func (s updateState) applyContainerSpec(p cloudsqlapi.AuthProxyWorkload, c *co`
`737`	`737`	`// Do not allow privilege escalation`
`738`	`738`	`AllowPrivilegeEscalation: &f,`
`739`	`739`	`}`
`740`		`-`
	`740`	`+ if p.Spec.AuthProxyContainer != nil && p.Spec.AuthProxyContainer.SecurityContext != nil {`
	`741`	`+ c.SecurityContext = p.Spec.AuthProxyContainer.SecurityContext.DeepCopy()`
	`742`	`+ }`
`741`	`743`	`if p.Spec.AuthProxyContainer == nil {`
`742`	`744`	`return`
`743`	`745`	`}`