Add securityContext to the user-specified containers

Signed-off-by: Masayuki Ishii <masa213f@gmail.com>
cybozu-go · Mar 16, 2022 · 0851e16 · 0851e16
1 parent 48e6de2
commit 0851e16
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/controllers/mysql_container.go b/controllers/mysql_container.go
@@ -228,6 +228,8 @@ func (r *MySQLClusterReconciler) makeV1OptionalContainers(cluster *mocov1beta2.M
 			continue
 		}
 
+		updateContainerWithSecurityContext(&c)
+
 		switch *c.Name {
 		case constants.MysqldContainerName:
 		case constants.AgentContainerName:
@@ -280,16 +282,17 @@ func (r *MySQLClusterReconciler) makeV1InitContainer(cluster *mocov1beta2.MySQLC
 	spec := cluster.Spec.PodTemplate.Spec.DeepCopy()
 	for _, given := range spec.InitContainers {
 		ic := given
+		updateContainerWithSecurityContext(&ic)
 		initContainers = append(initContainers, &ic)
 	}
 	return initContainers
 }
 
 func updateContainerWithSecurityContext(container *corev1ac.ContainerApplyConfiguration) {
 	if container.SecurityContext == nil {
-		container.WithSecurityContext(corev1ac.SecurityContext().
-			WithRunAsUser(constants.ContainerUID).
-			WithRunAsGroup(constants.ContainerGID),
-		)
+		container.WithSecurityContext(corev1ac.SecurityContext())
 	}
+	container.SecurityContext.
+		WithRunAsUser(constants.ContainerUID).
+		WithRunAsGroup(constants.ContainerGID)
 }
diff --git a/controllers/mysqlcluster_controller_test.go b/controllers/mysqlcluster_controller_test.go
@@ -812,11 +812,16 @@ var _ = Describe("MySQLCluster reconciler", func() {
 		podSpec := corev1ac.PodSpec().
 			WithTerminationGracePeriodSeconds(512).
 			WithPriorityClassName("hoge").
-			WithContainers(corev1ac.Container().WithName("dummy").WithImage("dummy:latest")).
+			WithContainers(corev1ac.Container().WithName("dummy").WithImage("dummy:latest").
+				WithSecurityContext(corev1ac.SecurityContext().WithReadOnlyRootFilesystem(true))).
 			WithInitContainers(corev1ac.Container().WithName("init-dummy").WithImage("init-dummy:latest")).
 			WithVolumes(corev1ac.Volume().WithName("dummy-vol").WithEmptyDir(corev1ac.EmptyDirVolumeSource()))
 
 		for _, c := range cluster.Spec.PodTemplate.Spec.Containers {
+			switch *c.Name {
+			case constants.MysqldContainerName:
+				c.WithSecurityContext(corev1ac.SecurityContext().WithReadOnlyRootFilesystem(true))
+			}
 			podSpec.WithContainers(&c)
 		}
 
@@ -848,10 +853,17 @@ var _ = Describe("MySQLCluster reconciler", func() {
 		foundDummyContainer := false
 		for _, c := range sts.Spec.Template.Spec.Containers {
 			Expect(c.Name).NotTo(Equal(constants.SlowQueryLogAgentContainerName))
+			Expect(c.SecurityContext).NotTo(BeNil())
+			Expect(c.SecurityContext.RunAsUser).NotTo(BeNil())
+			Expect(*c.SecurityContext.RunAsUser).To(Equal(int64(constants.ContainerUID)))
+			Expect(c.SecurityContext.RunAsGroup).NotTo(BeNil())
+			Expect(*c.SecurityContext.RunAsGroup).To(Equal(int64(constants.ContainerGID)))
 			switch c.Name {
 			case constants.MysqldContainerName:
 				Expect(c.StartupProbe).NotTo(BeNil())
 				Expect(c.StartupProbe.FailureThreshold).To(Equal(int32(1)))
+				Expect(c.SecurityContext.ReadOnlyRootFilesystem).NotTo(BeNil())
+				Expect(*c.SecurityContext.ReadOnlyRootFilesystem).To(BeTrue())
 			case constants.AgentContainerName:
 				Expect(c.Args).To(ContainElement("20s"))
 				Expect(c.Args).To(ContainElement("0 * * * *"))
@@ -861,16 +873,25 @@ var _ = Describe("MySQLCluster reconciler", func() {
 				Expect(c.Args).To(HaveLen(3))
 			case "dummy":
 				foundDummyContainer = true
+				Expect(c.Image).To(Equal("dummy:latest"))
+				Expect(c.SecurityContext.ReadOnlyRootFilesystem).NotTo(BeNil())
+				Expect(*c.SecurityContext.ReadOnlyRootFilesystem).To(BeTrue())
 			}
 		}
 		Expect(foundExporter).To(BeTrue())
 		Expect(foundDummyContainer).To(BeTrue())
 
 		foundInitDummyContainer := false
 		for _, c := range sts.Spec.Template.Spec.InitContainers {
+			Expect(c.SecurityContext).NotTo(BeNil())
+			Expect(c.SecurityContext.RunAsUser).NotTo(BeNil())
+			Expect(*c.SecurityContext.RunAsUser).To(Equal(int64(constants.ContainerUID)))
+			Expect(c.SecurityContext.RunAsGroup).NotTo(BeNil())
+			Expect(*c.SecurityContext.RunAsGroup).To(Equal(int64(constants.ContainerGID)))
 			switch c.Name {
 			case "init-dummy":
 				foundInitDummyContainer = true
+				Expect(c.Image).To(Equal("init-dummy:latest"))
 			}
 		}
 		Expect(foundInitDummyContainer).To(BeTrue())