Skip to content

Commit 4ea0b5f

Browse files
FxKuFxKu
authored
set AllowPrivilegeEscalation on container securityContext (zalando#1326)
1 parent a9b677c commit 4ea0b5f

File tree

4 files changed

+26
-21
lines changed

4 files changed

+26
-21
lines changed

charts/postgres-operator/templates/clusterrole-postgres-pod.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,7 @@ rules:
6363
- services
6464
verbs:
6565
- create
66+
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
6667
# to run privileged pods
6768
- apiGroups:
6869
- extensions
@@ -72,4 +73,5 @@ rules:
7273
- privileged
7374
verbs:
7475
- use
76+
{{- end }}
7577
{{ end }}

charts/postgres-operator/templates/clusterrole.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -228,7 +228,8 @@ rules:
228228
verbs:
229229
- get
230230
- create
231-
# to grant privilege to run privileged pods
231+
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
232+
# to run privileged pods
232233
- apiGroups:
233234
- extensions
234235
resources:
@@ -237,4 +238,5 @@ rules:
237238
- privileged
238239
verbs:
239240
- use
241+
{{- end }}
240242
{{ end }}

manifests/operator-service-account-rbac.yaml

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -203,15 +203,15 @@ rules:
203203
verbs:
204204
- get
205205
- create
206-
# to grant privilege to run privileged pods
207-
- apiGroups:
208-
- extensions
209-
resources:
210-
- podsecuritypolicies
211-
resourceNames:
212-
- privileged
213-
verbs:
214-
- use
206+
# to grant privilege to run privileged pods (not needed by default)
207+
#- apiGroups:
208+
# - extensions
209+
# resources:
210+
# - podsecuritypolicies
211+
# resourceNames:
212+
# - privileged
213+
# verbs:
214+
# - use
215215

216216
---
217217
apiVersion: rbac.authorization.k8s.io/v1
@@ -265,12 +265,12 @@ rules:
265265
- services
266266
verbs:
267267
- create
268-
# to run privileged pods
269-
- apiGroups:
270-
- extensions
271-
resources:
272-
- podsecuritypolicies
273-
resourceNames:
274-
- privileged
275-
verbs:
276-
- use
268+
# to grant privilege to run privileged pods (not needed by default)
269+
#- apiGroups:
270+
# - extensions
271+
# resources:
272+
# - podsecuritypolicies
273+
# resourceNames:
274+
# - privileged
275+
# verbs:
276+
# - use

pkg/cluster/k8sres.go

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -453,8 +453,9 @@ func generateContainer(
453453
VolumeMounts: volumeMounts,
454454
Env: envVars,
455455
SecurityContext: &v1.SecurityContext{
456-
Privileged: &privilegedMode,
457-
ReadOnlyRootFilesystem: util.False(),
456+
AllowPrivilegeEscalation: &privilegedMode,
457+
Privileged: &privilegedMode,
458+
ReadOnlyRootFilesystem: util.False(),
458459
},
459460
}
460461
}

0 commit comments

Comments
 (0)