This is an automated email from the ASF dual-hosted git repository.
jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4afcef919b Chart: Add pod security context to pgbouncer (#32662)
4afcef919b is described below
commit 4afcef919ba76f57fb5dbd97a24e65836be5b0cc
Author: Mikaƫl Ducharme <[email protected]>
AuthorDate: Tue Jul 18 17:16:27 2023 -0400
Chart: Add pod security context to pgbouncer (#32662)
---
.../templates/pgbouncer/pgbouncer-deployment.yaml | 8 ++---
chart/values.schema.json | 16 ++++++++-
chart/values.yaml | 1 +
helm_tests/security/test_security_context.py | 39 +++++++++++++++-------
4 files changed, 47 insertions(+), 17 deletions(-)
diff --git a/chart/templates/pgbouncer/pgbouncer-deployment.yaml
b/chart/templates/pgbouncer/pgbouncer-deployment.yaml
index fde07807c4..14665692fc 100644
--- a/chart/templates/pgbouncer/pgbouncer-deployment.yaml
+++ b/chart/templates/pgbouncer/pgbouncer-deployment.yaml
@@ -26,8 +26,9 @@
{{- $tolerations := or .Values.pgbouncer.tolerations .Values.tolerations }}
{{- $topologySpreadConstraints := or
.Values.pgbouncer.topologySpreadConstraints .Values.topologySpreadConstraints }}
{{- $revisionHistoryLimit := or .Values.pgbouncer.revisionHistoryLimit
.Values.revisionHistoryLimit }}
-{{- $containerSecurityContext := include "containerSecurityContext" (list .
.Values.pgbouncer) }}
-{{- $containerSecurityContextMetricsExporter := include
"containerSecurityContext" (list . .Values.pgbouncer.metricsExporterSidecar) }}
+{{- $securityContext := include "localPodSecurityContext" .Values.pgbouncer }}
+{{- $containerSecurityContext := include "externalContainerSecurityContext"
.Values.pgbouncer }}
+{{- $containerSecurityContextMetricsExporter := include
"externalContainerSecurityContext" .Values.pgbouncer.metricsExporterSidecar }}
apiVersion: apps/v1
kind: Deployment
metadata:
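Review bot: The move from `containerSecurityContext` to `externalContainerSecurityContext` on the two `$containerSecurityContext*` lines appears to drop the fallback to the global `securityContexts.containers` for both pgbouncer containers, a behaviour change the commit title ("Add pod security context") does not announce; an operator who hardened pgbouncer only through the global values (dropped capabilities, `allowPrivilegeEscalation: false`) would lose that setting on upgrade without any rendering error. This is inferred from the removed text in chart/values.schema.json ("If not set, the values from global `securityContexts` will be used.") and the reworded comment in helm_tests/security/test_security_context.py rather than from the helper bodies, which are outside this diff. If the change is intended, state it where users read it — the `securityContexts`, `pod` and `container` descriptions in values.schema.json, e.g. `"description": "Container security context definition for the PgBouncer. The global securityContexts are not applied to PgBouncer."` — and mention it in the commit message so the upgrade impact is visible.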
@@ -82,8 +83,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints |
nindent 8 }}
serviceAccountName: {{ include "pgbouncer.serviceAccountName" . }}
- securityContext:
- runAsUser: {{ .Values.pgbouncer.uid }}
+ securityContext: {{ $securityContext | nindent 8 }}
restartPolicy: Always
{{- if or .Values.registry.secretName .Values.registry.connection }}
imagePullSecrets:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index a4a329321a..ce116a2ea7 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -5080,10 +5080,24 @@
"$ref":
"#/definitions/io.k8s.api.core.v1.ResourceRequirements"
},
"securityContexts": {
- "description": "Security context definition for the
PgBouncer. If not set, the values from global `securityContexts` will be used.",
+ "description": "Security context definition for the
PgBouncer.",
"type": "object",
"x-docsSection": "Kubernetes",
"properties": {
+ "pod": {
+ "description": "Pod security context definition
for the PgBouncer.",
+ "type": "object",
+ "$ref":
"#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+ "default": {},
+ "x-docsSection": "Kubernetes",
+ "examples": [
+ {
+ "runAsUser": 65534,
+ "runAsGroup": 0,
+ "fsGroup": 0
+ }
+ ]
+ },
"container": {
"description": "Container security context
definition for the PgBouncer.",
"type": "object",
diff --git a/chart/values.yaml b/chart/values.yaml
index 53d9630007..9569ec2d82 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1833,6 +1833,7 @@ pgbouncer:
# Detailed default security context for pgbouncer for container level
securityContexts:
+ pod: {}
container: {}
metricsExporterSidecar:
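Review bot: The comment directly above the new `pod: {}` key still reads `# Detailed default security context for pgbouncer for container level`, which is now inaccurate because the block also carries the pod-level context consumed by the deployment template. Update it to `# Detailed default security context for pgbouncer for pod and container level` so a reader of values.yaml does not assume `pod` is ignored.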
diff --git a/helm_tests/security/test_security_context.py
b/helm_tests/security/test_security_context.py
index f7693af198..72fba4a4fb 100644
--- a/helm_tests/security/test_security_context.py
+++ b/helm_tests/security/test_security_context.py
@@ -57,6 +57,14 @@ class TestSCBackwardsCompatibility:
assert 3000 ==
jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+ def test_check_pgbouncer_uid(self):
+ docs = render_chart(
+ values={"pgbouncer": {"enabled": True, "uid": 3000}},
+ show_only=["templates/pgbouncer/pgbouncer-deployment.yaml"],
+ )
+
+ assert 3000 ==
jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+
def test_check_cleanup_job(self):
docs = render_chart(
values={"uid": 3000, "gid": 30, "cleanup": {"enabled": True}},
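Review bot: `test_check_pgbouncer_uid` only pins that `pgbouncer.uid` still lands in `spec.template.spec.securityContext.runAsUser`; now that the same field can also be set through `pgbouncer.securityContexts.pod`, the precedence when both are supplied is untested, so a later edit to the `localPodSecurityContext` helper could silently invert it. Add a companion case that sets both, e.g. `values={"pgbouncer": {"enabled": True, "uid": 3000, "securityContexts": {"pod": {"runAsUser": 7000}}}}`, and assert whichever value the chart intends to win. The enclosing class `TestSCBackwardsCompatibility` continues past this hunk.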
@@ -219,7 +227,10 @@ class TestSecurityContext:
ctx_value_pod = {"runAsUser": 7000}
ctx_value_container = {"allowPrivilegeEscalation": False}
docs = render_chart(
- values={"securityContexts": {"containers": ctx_value_container,
"pod": ctx_value_pod}},
+ values={
+ "securityContexts": {"containers": ctx_value_container, "pod":
ctx_value_pod},
+ "pgbouncer": {"enabled": True},
+ },
show_only=[
"templates/flower/flower-deployment.yaml",
"templates/scheduler/scheduler-deployment.yaml",
@@ -228,31 +239,35 @@ class TestSecurityContext:
"templates/jobs/create-user-job.yaml",
"templates/jobs/migrate-database-job.yaml",
"templates/triggerer/triggerer-deployment.yaml",
+ "templates/pgbouncer/pgbouncer-deployment.yaml",
"templates/statsd/statsd-deployment.yaml",
"templates/redis/redis-statefulset.yaml",
],
)
-
- for index in range(len(docs) - 2):
+ for doc in docs[:-3]:
assert ctx_value_container == jmespath.search(
- "spec.template.spec.containers[0].securityContext", docs[index]
+ "spec.template.spec.containers[0].securityContext", doc
)
- assert ctx_value_pod ==
jmespath.search("spec.template.spec.securityContext", docs[index])
+ assert ctx_value_pod ==
jmespath.search("spec.template.spec.securityContext", doc)
- # Global security context is not propagated to redis and statsd, so we
test default value
+ # Global security context is not propagated to pgbouncer, redis and
statsd, so we test default value
default_ctx_value_container = {"allowPrivilegeEscalation": False,
"capabilities": {"drop": ["ALL"]}}
+ default_ctx_value_pod_pgbouncer = {"runAsUser": 65534}
default_ctx_value_pod_statsd = {"runAsUser": 65534}
default_ctx_value_pod_redis = {"runAsUser": 0}
- for index in range(len(docs) - 2, len(docs)):
+ for doc in docs[-3:]:
assert default_ctx_value_container == jmespath.search(
- "spec.template.spec.containers[0].securityContext", docs[index]
+ "spec.template.spec.containers[0].securityContext", doc
)
- assert default_ctx_value_pod_statsd == jmespath.search(
- "spec.template.spec.securityContext", docs[len(docs) - 2]
+ # Test pgbouncer metrics-exporter container
+ assert default_ctx_value_container == jmespath.search(
+ "spec.template.spec.containers[1].securityContext", docs[-3]
)
- assert default_ctx_value_pod_redis == jmespath.search(
- "spec.template.spec.securityContext", docs[len(docs) - 1]
+ assert default_ctx_value_pod_pgbouncer == jmespath.search(
+ "spec.template.spec.securityContext", docs[-3]
)
+ assert default_ctx_value_pod_statsd ==
jmespath.search("spec.template.spec.securityContext", docs[-2])
+ assert default_ctx_value_pod_redis ==
jmespath.search("spec.template.spec.securityContext", docs[-1])
# Test securityContexts for main containers
def test_main_container_setting(self):
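Review bot: The new `docs[:-3]`, `docs[-3:]` and `docs[-3]`/`docs[-2]`/`docs[-1]` indexing ties the default-context assertions to the position of the last three entries in `show_only`; reordering that list or appending another template whose defaults differ would change which documents are checked without an obviously related failure. Naming the tail once, `pgbouncer_doc, statsd_doc, redis_doc = docs[-3:]`, and using those names in the per-template asserts in place of `docs[-3]`, `docs[-2]` and `docs[-1]` makes the intent readable and fails immediately on an unpacking mismatch if the count changes. The enclosing test method begins before this hunk, in the context of the preceding one.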