[bitnami/postgresql-ha] To use TLS on pgpool, why not mount the certificate files with mode 0600 instead of an initcontainer that runs as root? #30467

Open
caspereijkens opened this issue Nov 14, 2024 · 0 comments

caspereijkens commented Nov 14, 2024

Name and Version

bitnami/postgresql-ha

What is the problem this feature will solve?

In our org, we have rather strict policies regarding the pod security context.
To enable TLS, I see that the chart adds an init container that does some chmod'ing of certificate files. For that to happen, the securityContext of the init container is currently:

        securityContext:
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
          seccompProfile:
            type: RuntimeDefault

In our org, we are not allowed to choose user/group 0 and cannot run containers as root either. My org wants:

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 100
      seccompProfile:
        type: RuntimeDefault

But this leads to

    + cp /tmp/certs/ca.crt /tmp/certs/tls.crt /tmp/certs/tls.key /opt/bitnami/pgpool/certs/
    + chown -R 1001:1001 /opt/bitnami/pgpool/certs/
    chown: changing ownership of '/opt/bitnami/pgpool/certs/': Operation not permitted
    + chmod 600 /opt/bitnami/pgpool/certs/tls.crt

What is the feature you are proposing to solve the problem?

Why not just directly mount the certificates with mode 0600?

I'm curious about the choice for the initContainer that does:

          cp /tmp/certs/* /opt/bitnami/pgpool/certs/
          chown -R 1001:1001 /opt/bitnami/pgpool/certs/
          chmod 600 /opt/bitnami/pgpool/certs/tls.crt

What alternatives have you considered?

No response
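
A Secret volume cannot set the owning UID of its files (they are owned by root, with the group set to `fsGroup` when one is defined), so mode 0600 on the mount alone would leave the key unreadable to UID 1001. The manifest below is an added example, not part of this issue or of the chart: the init container runs as UID 1001 itself, so the copied files already belong to that user and neither `chown` nor root is needed. The Secret name, pod name, volume names and image references are assumptions.

```yaml
# Added example (not the bitnami/postgresql-ha chart's own template).
apiVersion: v1
kind: Pod
metadata:
  name: pgpool-tls-demo            # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001                # the UID the chart's chown targets
    runAsGroup: 1001
    fsGroup: 1001                  # Secret files become root:1001, emptyDir group-writable
    seccompProfile:
      type: RuntimeDefault
  volumes:
    - name: raw-certs
      secret:
        secretName: pgpool-tls     # hypothetical Secret holding ca.crt, tls.crt, tls.key
        defaultMode: 0440          # readable through the fsGroup only, not world-readable
    - name: pgpool-certs
      emptyDir: {}
  initContainers:
    - name: init-certs
      image: registry.example/shell-image:PLACEHOLDER   # any image with /bin/sh and cp
      command: ["/bin/sh", "-ec"]
      args:
        - |
          umask 077                # new files are created without group/other bits
          cp /tmp/certs/ca.crt /tmp/certs/tls.crt /tmp/certs/tls.key /opt/bitnami/pgpool/certs/
          # The copies are owned by UID 1001, so chmod needs no capability.
          chmod 600 /opt/bitnami/pgpool/certs/tls.crt /opt/bitnami/pgpool/certs/tls.key
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true   # only the emptyDir mount is written
      volumeMounts:
        - {name: raw-certs, mountPath: /tmp/certs, readOnly: true}
        - {name: pgpool-certs, mountPath: /opt/bitnami/pgpool/certs}
  containers:
    - name: pgpool
      image: registry.example/pgpool:PLACEHOLDER        # placeholder image reference
      volumeMounts:
        - {name: pgpool-certs, mountPath: /opt/bitnami/pgpool/certs, readOnly: true}
```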
