FEATURE/allow-to-customize-security-context (#526)

Author: ajanikow

CHANGELOG.md

@@ -1,6 +1,9 @@
 # Change Log
 
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
+- Add Customizable SecurityContext for ArangoDeployment pods
+
+## [0.4.4](https://github.com/arangodb/kube-arangodb/tree/0.4.4) (2020-02-27)
 - Add new VolumeResize mode to be compatible with Azure flow
 - Allow to customize probe configuration options
 - Add new upgrade flag for ArangoDB 3.6.0<=

pkg/apis/deployment/v1/server_group_spec.go

@@ -68,6 +68,71 @@ type ServerGroupSpec struct {
 	VolumeResizeMode *PVCResizeMode `json:"pvcResizeMode,omitempty"`
 	// Sidecars specifies a list of additional containers to be started
 	Sidecars []v1.Container `json:"sidecars,omitempty"`
+	// SecurityContext specifies security context for group
+	SecurityContext *ServerGroupSpecSecurityContext `json:"securityContext,omitempty"`
+}
+
+// ServerGroupSpecSecurityContext contains specification for pod security context
+type ServerGroupSpecSecurityContext struct {
+	// DropAllCapabilities specifies if capabilities should be dropped for this pod containers
+	//
+	// Deprecated: This field is added for backward compatibility. Will be removed in 1.0.0.
+	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
+	// AddCapabilities add new capabilities to containers
+	AddCapabilities []v1.Capability `json:"addCapabilities,omitempty"`
+}
+
+// GetDropAllCapabilities returns flag if capabilities should be dropped
+//
+// Deprecated: This function is added for backward compatibility. Will be removed in 1.0.0.
+func (s *ServerGroupSpecSecurityContext) GetDropAllCapabilities() bool {
+	if s == nil {
+		return true
+	}
+
+	if s.DropAllCapabilities == nil {
+		return true
+	}
+
+	return *s.DropAllCapabilities
+}
+
+// GetAddCapabilities add capabilities to pod context
+func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []v1.Capability {
+	if s == nil {
+		return nil
+	}
+
+	if s.AddCapabilities == nil {
+		return nil
+	}
+
+	return s.AddCapabilities
+}
+
+// NewSecurityContext creates new security context
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *v1.SecurityContext {
+	r := &v1.SecurityContext{}
+
+	capabilities := &v1.Capabilities{}
+
+	if s.GetDropAllCapabilities() {
+		capabilities.Drop = []v1.Capability{
+			"ALL",
+		}
+	}
+
+	if caps := s.GetAddCapabilities(); caps != nil {
+		capabilities.Add = []v1.Capability{}
+
+		for _, capability := range caps {
+			capabilities.Add = append(capabilities.Add, capability)
+		}
+	}
+
+	r.Capabilities = capabilities
+
+	return r
 }
 
 // ServerGroupProbesSpec contains specification for probes for pods of the server group

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -305,6 +305,10 @@ func (i *ImageUpdatePod) GetTolerations() []v1.Toleration {
 	return tolerations
 }
 
+func (a *ArangoDImageUpdateContainer) GetSecurityContext() *v1.SecurityContext {
+	return nil
+}
+
 func (i *ImageUpdatePod) IsDeploymentMode() bool {
 	return true
 }

pkg/deployment/images.go

@@ -207,6 +207,11 @@ func createPlan(log zerolog.Logger, apiObject k8sutil.APIObject,
 		plan = createRotateServerStoragePlan(log, apiObject, spec, status, context.GetPvc, context.CreateEvent)
 	}
 
+	// Adjust security
+	if plan.IsEmpty() {
+		plan = createRotateServerSecurityPlan(log, spec, status, pods)
+	}
+
 	// Check for the need to rotate TLS CA certificate and all members
 	if plan.IsEmpty() {
 		plan = createRotateTLSCAPlan(log, apiObject, spec, status, context.GetTLSCA, context.CreateEvent)

pkg/deployment/reconcile/plan_builder.go

@@ -0,0 +1,154 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package reconcile
+
+import (
+	"github.com/rs/zerolog"
+	core "k8s.io/api/core/v1"
+
+	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
+	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
+)
+
+// createRotateServerStoragePlan creates plan to rotate a server and its volume because of a
+// different storage class or a difference in storage resource requirements.
+func createRotateServerSecurityPlan(log zerolog.Logger, spec api.DeploymentSpec, status api.DeploymentStatus,
+	pods []core.Pod) api.Plan {
+	var plan api.Plan
+	status.Members.ForeachServerGroup(func(group api.ServerGroup, members api.MemberStatusList) error {
+		for _, m := range members {
+			if !plan.IsEmpty() {
+				// Only 1 change at a time
+				continue
+			}
+
+			groupSpec := spec.GetServerGroupSpec(group)
+
+			pod, found := k8sutil.GetPodByName(pods, m.PodName)
+			if !found {
+				continue
+			}
+
+			container, ok := getServerContainer(pod.Spec.Containers)
+			if !ok {
+				// We do not have server container in pod, which is not desired
+				continue
+			}
+
+			groupSC := groupSpec.SecurityContext.NewSecurityContext()
+			containerSC := container.SecurityContext
+
+			if !compareSC(groupSC, containerSC) {
+				log.Info().Str("member", m.ID).Str("group", group.AsRole()).Msg("Rotating security context")
+				plan = append(plan,
+					api.NewAction(api.ActionTypeRotateMember, group, m.ID),
+					api.NewAction(api.ActionTypeWaitForMemberUp, group, m.ID),
+				)
+			}
+		}
+		return nil
+	})
+	return plan
+}
+
+func getServerContainer(containers []core.Container) (core.Container, bool) {
+	for _, container := range containers {
+		if container.Name == k8sutil.ServerContainerName {
+			return container, true
+		}
+	}
+
+	return core.Container{}, false
+}
+
+func compareSC(a,b *core.SecurityContext) bool {
+	if a == nil && b == nil {
+		return true
+	}
+
+	if a == nil || b == nil {
+		return false
+	}
+
+	if ok := compareCapabilities(a.Capabilities, b.Capabilities); !ok {
+		return false
+	}
+
+	return true
+}
+
+func compareCapabilities(a,b *core.Capabilities) bool {
+	if a == nil && b == nil {
+		return true
+	}
+
+	if a == nil || b == nil {
+		return false
+	}
+
+	if ok := compareCapabilityLists(a.Add, b.Add); !ok {
+		return false
+	}
+
+	if ok := compareCapabilityLists(a.Drop, b.Drop); !ok {
+		return false
+	}
+
+	return true
+}
+
+func compareCapabilityLists(a, b []core.Capability) bool {
+	if a == nil && b == nil {
+		return true
+	}
+
+	if a == nil || b == nil {
+		return false
+	}
+
+	if len(a) != len(b) {
+		return false
+	}
+
+	checked := map[core.Capability]bool{}
+
+	for _, capability := range a {
+		checked[capability] = false
+	}
+
+	for _, capability := range b {
+		if _, ok := checked[capability]; !ok {
+			return false
+		}
+
+		checked[capability] = true
+	}
+
+	for _, check := range checked {
+		if !check {
+			return false
+		}
+	}
+
+	return true
+}

pkg/deployment/reconcile/plan_builder_security.go

@@ -33,7 +33,7 @@ import (
 
 // ArangodbExporterContainer creates metrics container
 func ArangodbExporterContainer(image string, args []string, livenessProbe *k8sutil.HTTPProbeConfig,
-	resources v1.ResourceRequirements) v1.Container {
+	resources v1.ResourceRequirements, securityContext *v1.SecurityContext) v1.Container {
 
 	c := v1.Container{
 		Name:    k8sutil.ExporterContainerName,
@@ -48,7 +48,7 @@ func ArangodbExporterContainer(image string, args []string, livenessProbe *k8sut
 		},
 		Resources:       k8sutil.ExtractPodResourceRequirement(resources),
 		ImagePullPolicy: v1.PullIfNotPresent,
-		SecurityContext: k8sutil.SecurityContextWithoutCapabilities(),
+		SecurityContext: securityContext,
 	}
 
 	if livenessProbe != nil {

pkg/deployment/resources/exporter.go

@@ -61,6 +61,10 @@ func (a *ArangoDContainer) GetExecutor() string {
 	return ArangoDExecutor
 }
 
+func (a *ArangoDContainer) GetSecurityContext() *v1.SecurityContext {
+	return a.groupSpec.SecurityContext.NewSecurityContext()
+}
+
 func (a *ArangoDContainer) GetProbes() (*v1.Probe, *v1.Probe, error) {
 	var liveness, readiness *v1.Probe
 
@@ -169,7 +173,8 @@ func (m *MemberArangoDPod) GetSidecars(pod *v1.Pod) {
 		}
 
 		c := ArangodbExporterContainer(image, createExporterArgs(m.spec.IsSecure()),
-			createExporterLivenessProbe(m.spec.IsSecure()), m.spec.Metrics.Resources)
+			createExporterLivenessProbe(m.spec.IsSecure()), m.spec.Metrics.Resources,
+			m.groupSpec.SecurityContext.NewSecurityContext())
 
 		if m.spec.Metrics.GetJWTTokenSecretName() != "" {
 			c.VolumeMounts = append(c.VolumeMounts, k8sutil.ExporterJWTVolumeMount())
@@ -253,7 +258,8 @@ func (m *MemberArangoDPod) GetInitContainers() ([]v1.Container, error) {
 
 	lifecycleImage := m.resources.context.GetLifecycleImage()
 	if lifecycleImage != "" {
-		c, err := k8sutil.InitLifecycleContainer(lifecycleImage, &m.spec.Lifecycle.Resources)
+		c, err := k8sutil.InitLifecycleContainer(lifecycleImage, &m.spec.Lifecycle.Resources,
+			m.groupSpec.SecurityContext.NewSecurityContext())
 		if err != nil {
 			return nil, err
 		}
@@ -265,7 +271,8 @@ func (m *MemberArangoDPod) GetInitContainers() ([]v1.Container, error) {
 		engine := m.spec.GetStorageEngine().AsArangoArgument()
 		requireUUID := m.group == api.ServerGroupDBServers && m.status.IsInitialized
 
-		c := k8sutil.ArangodInitContainer("uuid", m.status.ID, engine, alpineImage, requireUUID)
+		c := k8sutil.ArangodInitContainer("uuid", m.status.ID, engine, alpineImage, requireUUID,
+			m.groupSpec.SecurityContext.NewSecurityContext())
 		initContainers = append(initContainers, c)
 	}
 

pkg/deployment/resources/pod_creator_arangod.go

@@ -60,6 +60,10 @@ func (a *ArangoSyncContainer) GetExecutor() string {
 	return ArangoSyncExecutor
 }
 
+func (a *ArangoSyncContainer) GetSecurityContext() *v1.SecurityContext {
+	return a.groupSpec.SecurityContext.NewSecurityContext()
+}
+
 func (a *ArangoSyncContainer) GetProbes() (*v1.Probe, *v1.Probe, error) {
 	var liveness, readiness *v1.Probe
 
@@ -206,7 +210,8 @@ func (m *MemberSyncPod) GetInitContainers() ([]v1.Container, error) {
 
 	lifecycleImage := m.resources.context.GetLifecycleImage()
 	if lifecycleImage != "" {
-		c, err := k8sutil.InitLifecycleContainer(lifecycleImage, &m.spec.Lifecycle.Resources)
+		c, err := k8sutil.InitLifecycleContainer(lifecycleImage, &m.spec.Lifecycle.Resources,
+			m.groupSpec.SecurityContext.NewSecurityContext())
 		if err != nil {
 			return nil, err
 		}