Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions chart/templates/pgbouncer/pgbouncer-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,9 @@
{{- $tolerations := or .Values.pgbouncer.tolerations .Values.tolerations }}
{{- $topologySpreadConstraints := or .Values.pgbouncer.topologySpreadConstraints .Values.topologySpreadConstraints }}
{{- $revisionHistoryLimit := or .Values.pgbouncer.revisionHistoryLimit .Values.revisionHistoryLimit }}
{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.pgbouncer) }}
{{- $containerSecurityContextMetricsExporter := include "containerSecurityContext" (list . .Values.pgbouncer.metricsExporterSidecar) }}
{{- $securityContext := include "localPodSecurityContext" .Values.pgbouncer }}
{{- $containerSecurityContext := include "externalContainerSecurityContext" .Values.pgbouncer }}
{{- $containerSecurityContextMetricsExporter := include "externalContainerSecurityContext" .Values.pgbouncer.metricsExporterSidecar }}
apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -82,8 +83,7 @@ spec:
tolerations: {{- toYaml $tolerations | nindent 8 }}
topologySpreadConstraints: {{- toYaml $topologySpreadConstraints | nindent 8 }}
serviceAccountName: {{ include "pgbouncer.serviceAccountName" . }}
securityContext:
runAsUser: {{ .Values.pgbouncer.uid }}
securityContext: {{ $securityContext | nindent 8 }}
restartPolicy: Always
{{- if or .Values.registry.secretName .Values.registry.connection }}
imagePullSecrets:
Expand Down
16 changes: 15 additions & 1 deletion chart/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -5080,10 +5080,24 @@
"$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements"
},
"securityContexts": {
"description": "Security context definition for the PgBouncer. If not set, the values from global `securityContexts` will be used.",
"description": "Security context definition for the PgBouncer.",
"type": "object",
"x-docsSection": "Kubernetes",
"properties": {
"pod": {
"description": "Pod security context definition for the PgBouncer.",
"type": "object",
"$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext",
"default": {},
"x-docsSection": "Kubernetes",
"examples": [
{
"runAsUser": 65534,
"runAsGroup": 0,
"fsGroup": 0
}
]
},
"container": {
"description": "Container security context definition for the PgBouncer.",
"type": "object",
Expand Down
1 change: 1 addition & 0 deletions chart/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1833,6 +1833,7 @@ pgbouncer:

# Detailed default security context for pgbouncer for container level
securityContexts:
pod: {}
container: {}

metricsExporterSidecar:
Expand Down
39 changes: 27 additions & 12 deletions helm_tests/security/test_security_context.py
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,14 @@ def test_check_statsd_uid(self):

assert 3000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])

def test_check_pgbouncer_uid(self):
docs = render_chart(
values={"pgbouncer": {"enabled": True, "uid": 3000}},
show_only=["templates/pgbouncer/pgbouncer-deployment.yaml"],
)

assert 3000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])

def test_check_cleanup_job(self):
docs = render_chart(
values={"uid": 3000, "gid": 30, "cleanup": {"enabled": True}},
Expand Down Expand Up @@ -219,7 +227,10 @@ def test_global_security_context(self):
ctx_value_pod = {"runAsUser": 7000}
ctx_value_container = {"allowPrivilegeEscalation": False}
docs = render_chart(
values={"securityContexts": {"containers": ctx_value_container, "pod": ctx_value_pod}},
values={
"securityContexts": {"containers": ctx_value_container, "pod": ctx_value_pod},
"pgbouncer": {"enabled": True},
},
show_only=[
"templates/flower/flower-deployment.yaml",
"templates/scheduler/scheduler-deployment.yaml",
Expand All @@ -228,31 +239,35 @@ def test_global_security_context(self):
"templates/jobs/create-user-job.yaml",
"templates/jobs/migrate-database-job.yaml",
"templates/triggerer/triggerer-deployment.yaml",
"templates/pgbouncer/pgbouncer-deployment.yaml",
"templates/statsd/statsd-deployment.yaml",
"templates/redis/redis-statefulset.yaml",
],
)

for index in range(len(docs) - 2):
for doc in docs[:-3]:
assert ctx_value_container == jmespath.search(
"spec.template.spec.containers[0].securityContext", docs[index]
"spec.template.spec.containers[0].securityContext", doc
)
assert ctx_value_pod == jmespath.search("spec.template.spec.securityContext", docs[index])
assert ctx_value_pod == jmespath.search("spec.template.spec.securityContext", doc)

# Global security context is not propagated to redis and statsd, so we test default value
# Global security context is not propagated to pgbouncer, redis and statsd, so we test default value
default_ctx_value_container = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
default_ctx_value_pod_pgbouncer = {"runAsUser": 65534}
default_ctx_value_pod_statsd = {"runAsUser": 65534}
default_ctx_value_pod_redis = {"runAsUser": 0}
for index in range(len(docs) - 2, len(docs)):
for doc in docs[-3:]:
assert default_ctx_value_container == jmespath.search(
"spec.template.spec.containers[0].securityContext", docs[index]
"spec.template.spec.containers[0].securityContext", doc
)
assert default_ctx_value_pod_statsd == jmespath.search(
"spec.template.spec.securityContext", docs[len(docs) - 2]
# Test pgbouncer metrics-exporter container
assert default_ctx_value_container == jmespath.search(
"spec.template.spec.containers[1].securityContext", docs[-3]
)
assert default_ctx_value_pod_redis == jmespath.search(
"spec.template.spec.securityContext", docs[len(docs) - 1]
assert default_ctx_value_pod_pgbouncer == jmespath.search(
"spec.template.spec.securityContext", docs[-3]
)
assert default_ctx_value_pod_statsd == jmespath.search("spec.template.spec.securityContext", docs[-2])
assert default_ctx_value_pod_redis == jmespath.search("spec.template.spec.securityContext", docs[-1])

# Test securityContexts for main containers
def test_main_container_setting(self):
Expand Down