Create a default security context for Coherence Pods (#764)

The Operator configures a default Pod securityContext if one is not configured in the Coherence resource spec

Author: thegridman

api/v1/coherenceresourcespec_types.go

@@ -193,6 +193,15 @@ type CoherenceResourceSpec struct {
 	// +optional
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 	// SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment.
+	// If no security context is specified the Operator will create one with the following spec
+	//
+	//   securityContext:
+	//     runAsNonRoot: true
+	//     runAsUser: 1000
+	//     runAsGroup: 2000
+	//     fsGroup: 2000
+	//     fsGroupChangePolicy: "OnRootMismatch"
+	//
 	// See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
 	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
@@ -739,7 +748,7 @@ func (in *CoherenceResourceSpec) CreatePodTemplateSpec(deployment CoherenceResou
 			ReadinessGates:               in.ReadinessGates,
 			RuntimeClassName:             in.RuntimeClassName,
 			SchedulerName:                notNilString(in.SchedulerName),
-			SecurityContext:              in.SecurityContext,
+			SecurityContext:              in.GetSecurityContext(),
 			ServiceAccountName:           in.GetServiceAccountName(),
 			ShareProcessNamespace:        in.ShareProcessNamespace,
 			Tolerations:                  in.Tolerations,
@@ -821,6 +830,24 @@ func (in *CoherenceResourceSpec) GetImagePullSecrets() []corev1.LocalObjectRefer
 	return secrets
 }
 
+// GetSecurityContext returns the Pod security context to use.
+func (in *CoherenceResourceSpec) GetSecurityContext() *corev1.PodSecurityContext {
+	if in == nil || in.SecurityContext == nil {
+		return DefaultSecurityContext()
+	}
+	return in.SecurityContext
+}
+
+func DefaultSecurityContext() *corev1.PodSecurityContext {
+	return &corev1.PodSecurityContext{
+		RunAsNonRoot:        ptr.To(DefaultRunAsNonRoot),
+		RunAsUser:           ptr.To(DefaultRunAsUser),
+		RunAsGroup:          ptr.To(DefaultRunAsGroup),
+		FSGroup:             ptr.To(DefaultFsGroup),
+		FSGroupChangePolicy: ptr.To(DefaultFSGroupChangePolicy),
+	}
+}
+
 // GetServiceAccountName returns the service account name for the cluster.
 func (in *CoherenceResourceSpec) GetServiceAccountName() string {
 	if in != nil {

api/v1/common_test.go

@@ -503,6 +503,7 @@ func createMinimalExpectedPodSpec(deployment coh.CoherenceResource) corev1.PodTe
 					VolumeSource: emptyVolume,
 				},
 			},
+			SecurityContext:           coh.DefaultSecurityContext(),
 			TopologySpreadConstraints: spec.EnsureTopologySpreadConstraints(deployment),
 			Affinity:                  spec.CreateDefaultPodAffinity(deployment),
 			ServiceAccountName:        spec.GetServiceAccountName(),

api/v1/constants.go

@@ -6,7 +6,10 @@
 
 package v1
 
-import "github.com/oracle/coherence-operator/pkg/operator"
+import (
+	"github.com/oracle/coherence-operator/pkg/operator"
+	corev1 "k8s.io/api/core/v1"
+)
 
 const (
 	// DefaultReplicas is the default number of replicas that will be created for a deployment if no value is specified in the spec
@@ -74,6 +77,17 @@ const (
 	// DefaultServiceAccount is the default k8s service account name.
 	DefaultServiceAccount = "default"
 
+	// DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
+	DefaultRunAsNonRoot = true
+	// DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
+	DefaultRunAsUser int64 = 1000
+	// DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
+	DefaultRunAsGroup int64 = 2000
+	// DefaultFsGroup is the default value for the fsGroup field in the Pod security context
+	DefaultFsGroup int64 = DefaultRunAsGroup
+	// DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
+	DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
+
 	// ContainerNameCoherence is the Coherence container name
 	ContainerNameCoherence = "coherence"
 	// ContainerNameOperatorInit is the Operator init-container name

api/v1/create_statefulset_test.go

@@ -405,8 +405,8 @@ func TestCreateStatefulSetWithTolerations(t *testing.T) {
 
 func TestCreateStatefulSetWithSecurityContext(t *testing.T) {
 	ctx := corev1.PodSecurityContext{
-		RunAsUser:    ptr.To(int64(1000)),
-		RunAsNonRoot: boolPtr(true),
+		RunAsUser:    ptr.To(int64(5000)),
+		RunAsNonRoot: boolPtr(false),
 	}
 
 	spec := coh.CoherenceResourceSpec{

docs/about/04_coherence_spec.adoc

@@ -332,7 +332,16 @@ For example: +
     effect: "NoSchedule" + +
  +
   ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + m| []https://{k8s-doc-link}/#toleration-v1-core[corev1.Toleration] | false
-m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
+m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. If no security context is specified the Operator will create one with the following spec +
+ +
+  securityContext: + +
+    runAsNonRoot: true + +
+    runAsUser: 1000 + +
+    runAsGroup: 2000 + +
+    fsGroup: 2000 + +
+    fsGroupChangePolicy: "OnRootMismatch" + +
+ +
+See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
 m| containerSecurityContext | ContainerSecurityContext is the SecurityContext that will be added to the Coherence container in each Pod in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#securitycontext-v1-core[corev1.SecurityContext] | false
 m| shareProcessNamespace | Share a single process namespace between all the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. m| *bool | false
 m| hostIPC | Use the host's ipc namespace. Optional: Default to false. m| *bool | false

docs/other/045_security_context.adoc

@@ -16,6 +16,20 @@ Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-
 
 For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation.
 
+The Coherence Operator configures a default security context for the Coherence Pods is none is specified in the `Coherence` resource yaml.
+The default security context looks like this:
+[source,yaml]
+----
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 2000
+  fsGroup: 2000
+  fsGroupChangePolicy: "OnRootMismatch"
+----
+
+It is possible to override this as described below.
+
 === Setting the Pod Security Context
 
 To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification.

test/e2e/remote/persistence-on-demand.yaml

@@ -16,6 +16,7 @@ spec:
   jvm:
     args:
       - "-Dcoherence.operator.health.logs=true"
+      - "-Dcoherence.distributed.persistence.base.dir=/coherence"
   application:
     main: com.oracle.coherence.k8s.testing.RestServer
   ports: