Connection pooler not starting when using psp restricted due to the lack of securityContext
Please answer some short questions which should help us understand your problem / question better.
- Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.7.0
- Where do you run it - cloud or metal? Bare Metal K8s
- Are you running Postgres Operator in production? yes
- Type of issue? [Feature request]
We are successfully using the postgres-operator in production for basic postgresql instances, but we are unable to use the connection pooler feature.
We are enforcing security using PSPs, which prevent users from running pods with privileged rights (aka runAsNonRoot: true).
pgbouncer is not starting with a CreateContainerConfigError, and describing the created pod shows us:
Error: container has runAsNonRoot and image has non-numeric user (pgbouncer), cannot verify user is non-root
Looking at the generated manifest, it appears that it lacks securityContext information.
It would be great if it could be defined in the manifest (or set by default by the operator).
@menardorama Did it even create the PostgreSQL Pods? If I test this, no Pods are created, because they're missing:
    securityContext:
      seccompProfile:
        type: RuntimeDefault
IMO the postgres-operator should add this to all Pods it creates.
Furthermore, according to this documentation, certificate rotation & backups don't work without privilege escalation. This also needs to be fixed, IMO.
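The kubelet error quoted in the first post comes from runAsNonRoot being set while the image's USER is a name rather than a UID, so the kubelet cannot prove the process is non-root; a numeric runAsUser resolves that, and the seccompProfile from the reply covers the second complaint. The pod below is an added illustrative example, not a manifest generated by the operator: the pod name, image reference and all UID/GID values are placeholders, and the UID must match the one the actual pgbouncer image assigns to its "pgbouncer" user.

```yaml
# Added example: a pgbouncer pod spec that a restricted PSP with
# runAsNonRoot: true would admit. Not the operator's generated manifest.
apiVersion: v1
kind: Pod
metadata:
  name: pgbouncer-example            # placeholder name
spec:
  securityContext:
    runAsNonRoot: true               # what the restricted PSP enforces
    runAsUser: 1000                  # PLACEHOLDER: numeric UID of the image's "pgbouncer" user
    runAsGroup: 1000                 # PLACEHOLDER: matching numeric GID
    fsGroup: 1000                    # PLACEHOLDER: lets the pod own mounted volumes
    seccompProfile:
      type: RuntimeDefault           # the profile the reply says is missing
  containers:
    - name: pgbouncer
      image: registry.example.invalid/pgbouncer:tag   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false   # no setuid escalation at runtime
        capabilities:
          drop: ["ALL"]              # pgbouncer needs no Linux capabilities
      ports:
        - containerPort: 5432        # the port clients connect to (placeholder)
```

Without a numeric runAsUser, the kubelet rejects the container even though the image itself drops to a named non-root user, which is exactly the "non-numeric user (pgbouncer)" message above.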