Add security context to statefulset

MathieuCesbron · MathieuCesbron · commit d3fdab3f7af0 · 2024-02-07T16:33:46.000+01:00
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.0.1
+VERSION ?= test
 IMG ?= ghcr.io/unagex/immudb-operator/controller:${VERSION}
 
 OPERATOR_SDK_VERSION ?= v1.33.0
diff --git a/charts/operator/Chart.yaml b/charts/operator/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: immudb-operator
 description: Helm chart to deploy [unagex-immudb-operator](https://github.com/unagex/immudb-operator)
 type: application
-version: 0.0.1
-appVersion: 0.0.1
+version: 0.0.2
+appVersion: 0.0.2
 home: https://github.com/unagex/immudb-operator
diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	k8s.io/api v0.27.7
 	k8s.io/apimachinery v0.27.7
 	k8s.io/client-go v0.27.7
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	sigs.k8s.io/controller-runtime v0.15.0
 )
 
@@ -68,7 +69,6 @@ require (
 	k8s.io/component-base v0.27.7 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
diff --git a/go.sum b/go.sum
@@ -279,8 +279,8 @@ k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=
 k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk=
-k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
 sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
diff --git a/internal/controller/database.go b/internal/controller/database.go
@@ -12,6 +12,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -100,6 +101,13 @@ func (r *ImmudbReconciler) GetStatefulset(immudb *unagexcomv1.Immudb) *appsv1.St
 							},
 						},
 					},
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsNonRoot:        ptr.To(true),
+						RunAsUser:           ptr.To[int64](3322),
+						RunAsGroup:          ptr.To[int64](3322),
+						FSGroup:             ptr.To[int64](3322),
+						FSGroupChangePolicy: ptr.To[corev1.PodFSGroupChangePolicy](corev1.FSGroupChangeOnRootMismatch),
+					},
 					Containers: []corev1.Container{
 						{
 							Image:           immudb.Spec.Image,

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-VERSION ?= 0.0.1`
	`1`	`+VERSION ?= test`
`2`	`2`	`IMG ?= ghcr.io/unagex/immudb-operator/controller:${VERSION}`
`3`	`3`
`4`	`4`	`OPERATOR_SDK_VERSION ?= v1.33.0`