Fix for AllowPrivilegeEscalation : issue-1403 (zalando#1412)

* Fix for AllowPrivilegeEscalation : issue-1403

* fixed syntax error

* Aligned the value for parameter

* Aligned the value for parameter

* Update crds.go

* Aligned the parameter spilo_allow_privilege_escalation

* Parameters sorted in Alphabetical order in manifests yaml

* Parameters sorted in Alphabetical order in manifests yaml

* Update pkg/controller/operator_config.go

* Update docs/reference/operator_parameters.md

Co-authored-by: Neelam Sharma <[email protected]>
Co-authored-by: Felix Kunde <[email protected]>

Author: 3 people

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -264,6 +264,9 @@ spec:
                   secret_name_template:
                     type: string
                     default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+                  spilo_allow_privilege_escalation:
+                    type: boolean
+                    default: true
                   spilo_runasuser:
                     type: integer
                   spilo_runasgroup:

charts/postgres-operator/values-crd.yaml

@@ -155,6 +155,9 @@ configKubernetes:
 
   # whether the Spilo container should run in privileged mode
   spilo_privileged: false
+  # whether the Spilo container should run with additional permissions other than parent.
+  # required by cron which needs setuid
+  spilo_allow_privilege_escalation: true
   # storage resize strategy, available options are: ebs, pvc, off
   storage_resize_mode: pvc
   # operator watches for postgres objects in the given namespace

charts/postgres-operator/values.yaml

@@ -147,6 +147,9 @@ configKubernetes:
 
   # whether the Spilo container should run in privileged mode
   spilo_privileged: "false"
+  # whether the Spilo container should run with additional permissions other than parent.
+  # required by cron which needs setuid
+  spilo_allow_privilege_escalation: true
   # storage resize strategy, available options are: ebs, pvc, off
   storage_resize_mode: pvc
   # operator watches for postgres objects in the given namespace

docs/reference/operator_parameters.md

@@ -374,6 +374,11 @@ configuration they are grouped under the `kubernetes` key.
   used for AWS volume resizing and not required if you don't need that
   capability. The default is `false`.
 
+* **spilo_allow_privilege_escalation**
+  Controls whether a process can gain more privileges than its parent
+  process. Required by cron which needs setuid. Without this parameter,
+  certification rotation & backups will not be done. The default is `true`.
+
 * **additional_pod_capabilities**
   list of additional capabilities to be added to the postgres container's
   SecurityContext (e.g. SYS_NICE etc.). Please, make sure first that the

manifests/configmap.yaml

@@ -114,6 +114,7 @@ data:
   secret_name_template: "{username}.{cluster}.credentials"
   # sidecar_docker_images: ""
   # set_memory_request_to_limit: "false"
+  spilo_allow_privilege_escalation: "true"
   # spilo_runasuser: 101
   # spilo_runasgroup: 103
   # spilo_fsgroup: 103

manifests/operatorconfiguration.crd.yaml

@@ -260,6 +260,9 @@ spec:
                   secret_name_template:
                     type: string
                     default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+                  spilo_allow_privilege_escalation:
+                    type: boolean
+                    default: true
                   spilo_runasuser:
                     type: integer
                   spilo_runasgroup:

manifests/postgresql-operator-default-configuration.yaml

@@ -79,6 +79,7 @@ configuration:
     # pod_service_account_role_binding_definition: ""
     pod_terminate_grace_period: 5m
     secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+    spilo_allow_privilege_escalation: true
     # spilo_runasuser: 101
     # spilo_runasgroup: 103
     # spilo_fsgroup: 103

pkg/apis/acid.zalan.do/v1/crds.go

@@ -1162,6 +1162,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 							"spilo_privileged": {
 								Type: "boolean",
 							},
+							"spilo_allow_privilege_escalation": {
+								Type: "boolean",
+							},
 							"storage_resize_mode": {
 								Type: "string",
 								Enum: []apiextv1.JSON{

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -56,6 +56,7 @@ type KubernetesMetaConfiguration struct {
 	PodServiceAccountRoleBindingDefinition string                       `json:"pod_service_account_role_binding_definition,omitempty"`
 	PodTerminateGracePeriod                Duration                     `json:"pod_terminate_grace_period,omitempty"`
 	SpiloPrivileged                        bool                         `json:"spilo_privileged,omitempty"`
+	SpiloAllowPrivilegeEscalation          bool                         `json:"spilo_allow_privilege_escalation,omitempty"`       
 	SpiloRunAsUser                         *int64                       `json:"spilo_runasuser,omitempty"`
 	SpiloRunAsGroup                        *int64                       `json:"spilo_runasgroup,omitempty"`
 	SpiloFSGroup                           *int64                       `json:"spilo_fsgroup,omitempty"`

pkg/cluster/k8sres.go

@@ -442,6 +442,7 @@ func generateContainer(
 	envVars []v1.EnvVar,
 	volumeMounts []v1.VolumeMount,
 	privilegedMode bool,
+	privilegeEscalationMode bool,
 	additionalPodCapabilities *v1.Capabilities,
 ) *v1.Container {
 	return &v1.Container{
@@ -466,7 +467,7 @@ func generateContainer(
 		VolumeMounts: volumeMounts,
 		Env:          envVars,
 		SecurityContext: &v1.SecurityContext{
-			AllowPrivilegeEscalation: &privilegedMode,
+			AllowPrivilegeEscalation: &privilegeEscalationMode,
 			Privileged:               &privilegedMode,
 			ReadOnlyRootFilesystem:   util.False(),
 			Capabilities:             additionalPodCapabilities,
@@ -1162,6 +1163,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 		deduplicateEnvVars(spiloEnvVars, c.containerName(), c.logger),
 		volumeMounts,
 		c.OpConfig.Resources.SpiloPrivileged,
+		c.OpConfig.Resources.SpiloAllowPrivilegeEscalation,
 		generateCapabilities(c.OpConfig.AdditionalPodCapabilities),
 	)
 
@@ -1915,6 +1917,7 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1beta1.CronJob, error) {
 		envVars,
 		[]v1.VolumeMount{},
 		c.OpConfig.SpiloPrivileged, // use same value as for normal DB pods
+		c.OpConfig.SpiloAllowPrivilegeEscalation,
 		nil,
 	)