configurable container capabilities (zalando#1336)

* configurable container capabilities

* revert change on TestTLS

* fix e2e test

* minor fix

Author: FxKu

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -130,6 +130,10 @@ spec:
               kubernetes:
                 type: object
                 properties:
+                  additional_pod_capabilities:
+                    type: array
+                    items:
+                      type: string
                   cluster_domain:
                     type: string
                     default: "cluster.local"

charts/postgres-operator/values-crd.yaml

@@ -59,6 +59,10 @@ configUsers:
   super_username: postgres
 
 configKubernetes:
+  # list of additional capabilities for postgres container
+  # additional_pod_capabilities:
+  # - "SYS_NICE"
+
   # default DNS domain of K8s cluster where operator is running
   cluster_domain: cluster.local
   # additional labels assigned to the cluster objects

charts/postgres-operator/values.yaml

@@ -61,6 +61,9 @@ configUsers:
   super_username: postgres
 
 configKubernetes:
+  # list of additional capabilities for postgres container
+  # additional_pod_capabilities: "SYS_NICE"
+
   # default DNS domain of K8s cluster where operator is running
   cluster_domain: cluster.local
   # additional labels assigned to the cluster objects

docs/reference/operator_parameters.md

@@ -351,6 +351,12 @@ configuration they are grouped under the `kubernetes` key.
   used for AWS volume resizing and not required if you don't need that
   capability. The default is `false`.
 
+* **additional_pod_capabilities**
+  list of additional capabilities to be added to the postgres container's
+  SecurityContext (e.g. SYS_NICE etc.). Please, make sure first that the
+  PodSecruityPolicy allows the capabilities listed here. Otherwise, the
+  container will not start. The default is empty.
+
 * **master_pod_move_timeout**
   The period of time to wait for the success of migration of master pods from
   an unschedulable node. The migration includes Patroni switchovers to

e2e/tests/k8s_api.py

@@ -182,6 +182,10 @@ def count_running_pods(self, labels='application=spilo,cluster-name=acid-minimal
         pods = self.api.core_v1.list_namespaced_pod(namespace, label_selector=labels).items
         return len(list(filter(lambda x: x.status.phase == 'Running', pods)))
 
+    def count_pods_with_container_capabilities(self, capabilities, labels, namespace='default'):
+        pods = self.api.core_v1.list_namespaced_pod(namespace, label_selector=labels).items
+        return len(list(filter(lambda x: x.spec.containers[0].security_context.capabilities.add == capabilities, pods)))
+
     def wait_for_pod_failover(self, failover_targets, labels, namespace='default'):
         pod_phase = 'Failing over'
         new_pod_node = ''
@@ -433,6 +437,10 @@ def count_running_pods(self, labels='application=spilo,cluster-name=acid-minimal
         pods = self.api.core_v1.list_namespaced_pod(namespace, label_selector=labels).items
         return len(list(filter(lambda x: x.status.phase == 'Running', pods)))
 
+    def count_pods_with_container_capabilities(self, capabilities, labels, namespace='default'):
+        pods = self.api.core_v1.list_namespaced_pod(namespace, label_selector=labels).items
+        return len(list(filter(lambda x: x.spec.containers[0].security_context.capabilities.add == capabilities, pods)))
+
     def wait_for_pod_failover(self, failover_targets, labels, namespace='default'):
         pod_phase = 'Failing over'
         new_pod_node = ''

e2e/tests/test_e2e.py

@@ -155,6 +155,25 @@ def setUpClass(cls):
             print('Operator log: {}'.format(k8s.get_operator_log()))
             raise
 
+    @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
+    def test_additional_pod_capabilities(self):
+        '''
+           Extend postgres container capabilities
+        '''
+        cluster_label = 'application=spilo,cluster-name=acid-minimal-cluster'
+        capabilities = ["SYS_NICE","CHOWN"]
+        patch_capabilities = {
+            "data": {
+                "additional_pod_capabilities": ','.join(capabilities),
+            },
+        }
+        self.k8s.update_config(patch_capabilities)
+        self.eventuallyEqual(lambda: self.k8s.get_operator_state(), {"0": "idle"},
+                             "Operator does not get in sync")
+        
+        self.eventuallyEqual(lambda: self.k8s.count_pods_with_container_capabilities(capabilities, cluster_label),
+                             2, "Container capabilities not updated")
+
     @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
     def test_overwrite_pooler_deployment(self):
         self.k8s.create_with_kubectl("manifests/minimal-fake-pooler-deployment.yaml")

manifests/configmap.yaml

@@ -3,6 +3,7 @@ kind: ConfigMap
 metadata:
   name: postgres-operator
 data:
+  # additional_pod_capabilities: "SYS_NICE"
   # additional_secret_mount: "some-secret-name"
   # additional_secret_mount_path: "/some/dir"
   api_port: "8080"

manifests/operatorconfiguration.crd.yaml

@@ -126,6 +126,10 @@ spec:
               kubernetes:
                 type: object
                 properties:
+                  additional_pod_capabilities:
+                    type: array
+                    items:
+                      type: string
                   cluster_domain:
                     type: string
                     default: "cluster.local"

manifests/postgresql-operator-default-configuration.yaml

@@ -26,6 +26,8 @@ configuration:
     replication_username: standby
     super_username: postgres
   kubernetes:
+    # additional_pod_capabilities:
+    # - "SYS_NICE"
     cluster_domain: cluster.local
     cluster_labels:
       application: spilo

pkg/apis/acid.zalan.do/v1/crds.go

@@ -968,6 +968,14 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 					"kubernetes": {
 						Type: "object",
 						Properties: map[string]apiextv1.JSONSchemaProps{
+							"additional_pod_capabilities": {
+								Type: "array",
+								Items: &apiextv1.JSONSchemaPropsOrArray{
+									Schema: &apiextv1.JSONSchemaProps{
+										Type: "string",
+									},
+								},
+							},
 							"cluster_domain": {
 								Type: "string",
 							},