
Commit ae690db

committed
Add security context to RabbitMQ pods, containers, and init containers.
1 parent ddf89a4 commit ae690db


2 files changed

+77
-4
lines changed


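--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -570,8 +570,12 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 Spec: corev1.PodSpec{
 TopologySpreadConstraints: builder.defaultTopologySpreadConstraints(),
 SecurityContext: &corev1.PodSecurityContext{
-FSGroup: ptr.To(int64(0)),
-RunAsUser: &rabbitmqUID,
+FSGroup: ptr.To(int64(0)),
+RunAsUser: &rabbitmqUID,
+RunAsNonRoot: ptr.To(bool(true)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
 },
 ImagePullSecrets: builder.Instance.Spec.ImagePullSecrets,
 TerminationGracePeriodSeconds: builder.Instance.Spec.TerminationGracePeriodSeconds,
@@ -640,6 +644,18 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 },
 },
 },
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.To(bool(false)),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+ReadOnlyRootFilesystem: ptr.To(bool(true)),
+RunAsNonRoot: ptr.To((bool(true))),
+Privileged: ptr.To(bool(false)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 },
 },
@@ -786,6 +802,18 @@ func setupContainer(instance *rabbitmqv1beta1.RabbitmqCluster) corev1.Container
 MountPath: "/var/lib/rabbitmq/mnesia/",
 },
 },
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.To(bool(false)),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+Privileged: ptr.To(bool(false)),
+ReadOnlyRootFilesystem: ptr.To(bool(true)),
+RunAsNonRoot: ptr.To(bool(true)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 }
 
 if instance.VaultDefaultUserSecretEnabled() {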
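Review bot: `ReadOnlyRootFilesystem: ptr.To(bool(true))` on the rabbitmq container (new line 652) and on the setup container (new line 811) is only safe if every path the process writes is backed by a volume; the mnesia mount at `/var/lib/rabbitmq/mnesia/` is visible in the hunk, but whether `/tmp`, the Erlang cookie location and any plugin or log directories are covered is outside it, and a missed path would presumably show up as a crash loop at runtime rather than at build time, so this deserves confirmation on a running cluster and a comment at each literal such as `// Root filesystem is read-only: every path RabbitMQ writes must be a volume mount.`. New line 653, `RunAsNonRoot: ptr.To((bool(true))),`, carries a redundant extra pair of parentheses, and every `ptr.To(bool(true))` / `ptr.To(bool(false))` in these hunks can be written `ptr.To(true)` / `ptr.To(false)` since the literal is already a bool. The same twelve-line `corev1.SecurityContext` literal is repeated in the container hunk and in the `setupContainer` hunk with a different field order; hoisting it into one unexported helper that both call sites use would keep the two hardening profiles from drifting apart. Both enclosing functions begin and end outside their hunks.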

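--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
@@ -1357,8 +1357,12 @@ default_pass = {{ .Data.data.password }}
 rmqUID := int64(999)
 
 expectedPodSecurityContext := &corev1.PodSecurityContext{
-FSGroup: ptr.To(int64(0)),
-RunAsUser: &rmqUID,
+FSGroup: ptr.To(int64(0)),
+RunAsUser: &rmqUID,
+RunAsNonRoot: ptr.To(bool(true)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
 }
 
 Expect(statefulSet.Spec.Template.Spec.SecurityContext).To(Equal(expectedPodSecurityContext))
@@ -1419,6 +1423,18 @@ default_pass = {{ .Data.data.password }}
 SubPath: "default_user.conf",
 },
 }),
+"SecurityContext": BeEquivalentTo(&corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.To(bool(false)),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+Privileged: ptr.To(bool(false)),
+ReadOnlyRootFilesystem: ptr.To(bool(true)),
+RunAsNonRoot: ptr.To(bool(true)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+}),
 }))
 })
 
@@ -1518,6 +1534,35 @@ default_pass = {{ .Data.data.password }}
 })
 })
 
+It("sets the container security context", func() {
+instance.Spec.Resources = &corev1.ResourceRequirements{
+Requests: corev1.ResourceList{},
+Limits: corev1.ResourceList{},
+}
+
+builder = &resource.RabbitmqResourceBuilder{
+Instance: &instance,
+Scheme: scheme,
+}
+
+stsBuilder := builder.StatefulSet()
+Expect(stsBuilder.Update(statefulSet)).To(Succeed())
+
+container := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
+Expect(container.SecurityContext).To(BeEquivalentTo(&corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.To(bool(false)),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+Privileged: ptr.To(bool(false)),
+ReadOnlyRootFilesystem: ptr.To(bool(true)),
+RunAsNonRoot: ptr.To(bool(true)),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+}))
+})
+
 It("sets the replica count of the StatefulSet to the instance value", func() {
 instance.Spec.Replicas = ptr.To(int32(3))
 builder = &resource.RabbitmqResourceBuilder{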
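Review bot: The new `It("sets the container security context", ...)` case only asserts on the `rabbitmq` container taken from `statefulSet.Spec.Template.Spec.Containers`; the setup init container receives the same hardened `SecurityContext` in this commit, but nothing here reads `statefulSet.Spec.Template.Spec.InitContainers`, so a regression in `setupContainer` would still pass the suite. A parallel `Expect(...)` on the init container, looked up with `extractContainer` if that helper works on the init container list, would close the gap. The `instance.Spec.Resources` assignment at the top of the case does not appear to affect the security context and looks carried over from a neighbouring test; either drop it or add a one-line comment saying why the case needs it. The enclosing Describe/Context blocks begin and end outside the hunk.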
