custom securityContext

Author: nikitka

api/v1alpha1/database_types.go

@@ -168,6 +168,8 @@ type DatabaseNodeSpec struct {
 	// (Optional) Additional custom resource annotations that are added to all resources
 	// +optional
 	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
 type DatabaseResources struct {

api/v1alpha1/storage_types.go

@@ -165,6 +165,8 @@ type StorageNodeSpec struct {
 	// (Optional) Additional custom resource annotations that are added to all resources
 	// +optional
 	AdditionalAnnotations map[string]string `json:"additionalAnnotations,omitempty"`
+
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
 type StorageInitJobSpec struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -211,6 +211,7 @@ func (b *DatabaseBuilder) GetResourceBuilders(restConfig *rest.Config) []Resourc
 			optionalBuilders,
 			&DatabaseStatefulSetBuilder{
 				Database:   b.Unwrap(),
+				Storage:    b.Storage,
 				RestConfig: restConfig,
 
 				Name:        b.Name,

internal/resources/database.go

@@ -22,6 +22,7 @@ import (
 
 type DatabaseStatefulSetBuilder struct {
 	*api.Database
+	Storage    *api.Storage
 	RestConfig *rest.Config
 
 	Name        string
@@ -395,12 +396,22 @@ func (b *DatabaseStatefulSetBuilder) buildEncryptionVolumes() []corev1.Volume {
 	return []corev1.Volume{encryptionKeySecret, encryptionKeyConfig}
 }
 
+func (b *DatabaseStatefulSetBuilder) buildSecurityContext() *corev1.SecurityContext {
+	if b.Spec.SecurityContext != nil {
+		return mergeSecurityContextWithDefaults(b.Spec.SecurityContext)
+	} else {
+		return mergeSecurityContextWithDefaults(b.Storage.Spec.SecurityContext)
+	}
+
+}
+
 func (b *DatabaseStatefulSetBuilder) buildContainer() corev1.Container {
 	command, args := b.buildContainerArgs()
 	imagePullPolicy := corev1.PullIfNotPresent
 	if b.Spec.Image.PullPolicyName != nil {
 		imagePullPolicy = *b.Spec.Image.PullPolicyName
 	}
+
 	container := corev1.Container{
 		Name:            "ydb-dynamic",
 		Image:           b.Spec.Image.Name,
@@ -409,13 +420,8 @@ func (b *DatabaseStatefulSetBuilder) buildContainer() corev1.Container {
 		Args:            args,
 		Env:             b.buildEnv(),
 
-		VolumeMounts: b.buildVolumeMounts(),
-		SecurityContext: &corev1.SecurityContext{
-			Privileged: ptr.Bool(false),
-			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"SYS_RAWIO"},
-			},
-		},
+		VolumeMounts:    b.buildVolumeMounts(),
+		SecurityContext: b.buildSecurityContext(),
 	}
 
 	if value, ok := b.ObjectMeta.Annotations[api.AnnotationDisableLivenessProbe]; !ok || value != api.AnnotationValueTrue {

internal/resources/database_statefulset.go

@@ -0,0 +1,45 @@
+package resources
+
+import (
+	"github.com/ydb-platform/ydb-kubernetes-operator/internal/ptr"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func contains(s []corev1.Capability, v corev1.Capability) bool {
+	for _, vs := range s {
+		if vs == v {
+			return true
+		}
+	}
+	return false
+}
+
+func mergeSecurityContextWithDefaults(new *corev1.SecurityContext) *corev1.SecurityContext {
+	var context *corev1.SecurityContext
+
+	if new != nil {
+		context = new.DeepCopy()
+	} else {
+		context = &corev1.SecurityContext{}
+	}
+
+	// set defaults
+
+	if context.Privileged == nil {
+		context.Privileged = ptr.Bool(false)
+	}
+
+	if context.Capabilities == nil {
+		context.Capabilities = &corev1.Capabilities{
+			Add: []corev1.Capability{},
+		}
+	}
+
+	for _, defaultCapability := range []corev1.Capability{"SYS_RAWIO"} {
+		if !contains(context.Capabilities.Add, defaultCapability) {
+			context.Capabilities.Add = append(context.Capabilities.Add, defaultCapability)
+		}
+	}
+
+	return context
+}

internal/resources/security_context.go

@@ -0,0 +1,53 @@
+package resources
+
+import (
+	"github.com/ydb-platform/ydb-kubernetes-operator/internal/ptr"
+	corev1 "k8s.io/api/core/v1"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestSecurityContextMerge(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "SecurityContext builder")
+}
+
+var _ = Describe("SecurityContext builder", func() {
+	It("no securityContext passed", func() {
+		Expect(mergeSecurityContextWithDefaults(nil)).Should(BeEquivalentTo(&corev1.SecurityContext{
+			Privileged: ptr.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"SYS_RAWIO"},
+			},
+		}))
+	})
+	It("securityContext with Capabilities passed", func() {
+		ctx := &corev1.SecurityContext{
+			Privileged: ptr.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"SYS_PTRACE"},
+			},
+		}
+		Expect(mergeSecurityContextWithDefaults(ctx)).Should(BeEquivalentTo(&corev1.SecurityContext{
+			Privileged: ptr.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"SYS_PTRACE", "SYS_RAWIO"},
+			},
+		}))
+	})
+	It("securityContext without Capabilities passed", func() {
+		ctx := &corev1.SecurityContext{
+			Privileged: ptr.Bool(true),
+			RunAsUser:  ptr.Int64(10),
+		}
+		Expect(mergeSecurityContextWithDefaults(ctx)).Should(BeEquivalentTo(&corev1.SecurityContext{
+			Privileged: ptr.Bool(true),
+			RunAsUser:  ptr.Int64(10),
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"SYS_RAWIO"},
+			},
+		}))
+	})
+})

internal/resources/security_context_test.go

@@ -360,12 +360,7 @@ func (b *StorageStatefulSetBuilder) buildContainer() corev1.Container { // todo
 		Command:         command,
 		Args:            args,
 
-		SecurityContext: &corev1.SecurityContext{
-			Privileged: ptr.Bool(false),
-			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"SYS_RAWIO"},
-			},
-		},
+		SecurityContext: mergeSecurityContextWithDefaults(b.Spec.SecurityContext),
 
 		Ports: []corev1.ContainerPort{{
 			Name: "grpc", ContainerPort: api.GRPCPort,