postgres-operator

Set Security Context in postgresql manifest

Open • connorearl opened this issue 5 years ago • 4 comments

I don't see any way to set a securityContext in the postgresql manifest so I can run the pods not as root. I know Spilo has support for rootless containers now, but without making a custom Spilo image I don't have a way of setting this. I also would like to implement Pod Security Policies and will need the pods to conform to them.

connorearl, Jul 08 '20 19:07

Hi @connorearl, well, this should be OK already now. E.g. OpenShift allocates the users and groups dynamically (based on SCC), and their range is different in every namespace. And this operator, using the latest Spilo (developed exactly for this), is working without any issues. You do not have to set any parameter like spilo_fsgroup or spiloFSGroup in either the operator or the cluster request. While you may not be looking exactly for OpenShift, searching the docs and discussions on this project for OpenShift should clarify a few things.

ReSearchITEng, Aug 01 '20 05:08

Hello! We're using v1.5.0 of the operator, and we need to run the pods as a non-root user. The mentioned PR seems to fix the issue, but it's not available in 1.5.0. We cannot upgrade to 1.6 yet because of our Kubernetes version (we're using 1.15 and we cannot update it yet). Is there a way to apply this to 1.5 without having to do a custom build? Thanks!

marcoslarsen, Jan 04 '21 17:01

Hi, is there any news on this? The Spilo image already runs as a non-root user, but the flag securityContext.runAsNonRoot cannot be set to true. Thanks!

ckotzbauer, Jun 09 '21 06:06

Hello, is anyone still working on this topic?

kndoni, Jul 01 '24 13:07