zalando · stephan2012 · Oct 25, 2022 · Oct 25, 2022 · Oct 25, 2022 · Oct 25, 2022
@@ -2,8 +2,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: operatorconfigurations.acid.zalan.do
-  labels:
-    app.kubernetes.io/name: postgres-operator
 spec:
   group: acid.zalan.do
   names:
@@ -311,6 +309,11 @@ spec:
                   pod_terminate_grace_period:
                     type: string
                     default: "5m"
+                  pod_fs_group_change_policy:
+                    type: string
+                    enum:
+                      - OnRootMismatch
+                      - Always
                   secret_name_template:
                     type: string
                     default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"

@@ -193,13 +193,19 @@ configKubernetes:
   secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
   # sharing unix socket of PostgreSQL (`pg_socket`) with the sidecars
   share_pgsocket_with_sidecars: false
+
   # set user and group for the spilo container (required to run Spilo as non-root process)
   # spilo_runasuser: 101
   # spilo_runasgroup: 103
 
   # group ID with write-access to volumes (required to run Spilo as non-root process)
   # spilo_fsgroup: 103
 
+  # Configure volume permission and the ownership change policy for Pods
+  # Valid options are undefined, OnRootMismatch, Always
+  # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+  # pod_fs_group_change_policy: OnRootMismatch
+
   # whether the Spilo container should run in privileged mode
   spilo_privileged: false
   # whether the Spilo container should run with additional permissions other than parent.

@@ -431,7 +431,7 @@ configuration they are grouped under the `kubernetes` key.
   environment if they not if conflict with the environment variables generated
   by the operator. The WAL location (bucket path) can be overridden, though.
   The default is empty.
-  
+
 * **pod_environment_secret**
   similar to pod_environment_configmap but referencing a secret with custom
   environment variables. Because the secret is not allowed to exist in a
@@ -459,6 +459,15 @@ configuration they are grouped under the `kubernetes` key.
   non-root process, but requires a custom Spilo image. Note the FSGroup of a Pod
   cannot be changed without recreating a new Pod.
 
+* **pod_fs_group_change_policy**
+  Configure the `fsGroupChangePolicy` in the Pod `securityContext` to
+  avoid invalid volume permissions after `kubelet` restarts. See *[Configure volume permission and ownership change policy for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods)*
+  for details. If specified, valid options are `OnRootMismatch`
+  (change permissions and ownership if the permission and the
+  ownership of root directory does not match with expected permissions
+  of the volume) and `Always` (always change permission and ownership
+  of the volume when volume is mounted).
+
 * **spilo_privileged**
   whether the Spilo container should run in privileged mode. Privileged mode is
   used for AWS volume resizing and not required if you don't need that
@@ -558,7 +567,7 @@ effect, and the parameters are grouped under the `timeouts` key in the
 CRD-based configuration.
 
 * **PatroniAPICheckInterval**
-  the interval between consecutive attempts waiting for the return of 
+  the interval between consecutive attempts waiting for the return of
   Patroni Api. The default is `1s`.
 
 * **PatroniAPICheckTimeout**
@@ -797,7 +806,7 @@ grouped under the `logical_backup` key.
   is specified, no argument will be passed to `aws s3` command. Default: "AES256".
 
 * **logical_backup_s3_retention_time**
-  Specify a retention time for logical backups stored in S3. Backups older than the specified retention 
+  Specify a retention time for logical backups stored in S3. Backups older than the specified retention
   time will be deleted after a new backup was uploaded. If empty, all backups will be kept. Example values are
   "3 days", "2 weeks", or "1 month". The default is empty.
 

@@ -151,6 +151,7 @@ data:
   # spilo_runasuser: 101
   # spilo_runasgroup: 103
   # spilo_fsgroup: 103
+  # pod_fs_group_change_policy: OnRootMismatch
   spilo_privileged: "false"
   storage_resize_mode: "pvc"
   super_username: postgres

@@ -309,6 +309,11 @@ spec:
                   pod_terminate_grace_period:
                     type: string
                     default: "5m"
+                  pod_fs_group_change_policy:
+                    type: string
+                    enum:
+                      - OnRootMismatch
+                      - Always
                   secret_name_template:
                     type: string
                     default: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"

@@ -1429,6 +1429,17 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 							"pod_terminate_grace_period": {
 								Type: "string",
 							},
+							"pod_fs_group_change_policy": {
+								Type: "string",
+								Enum: []apiextv1.JSON{
+									{
+										Raw: []byte(`"OnRootMismatch"`),
+									},
+									{
+										Raw: []byte(`"Always"`),
+									},
+								},
+							},
 							"secret_name_template": {
 								Type: "string",
 							},

@@ -60,6 +60,7 @@ type KubernetesMetaConfiguration struct {
 	PodServiceAccountDefinition            string                       `json:"pod_service_account_definition,omitempty"`
 	PodServiceAccountRoleBindingDefinition string                       `json:"pod_service_account_role_binding_definition,omitempty"`
 	PodTerminateGracePeriod                Duration                     `json:"pod_terminate_grace_period,omitempty"`
+	PodFsGroupChangePolicy                 v1.PodFSGroupChangePolicy    `json:"pod_fs_group_change_policy,omitempty"`
 	SpiloPrivileged                        bool                         `json:"spilo_privileged,omitempty"`
 	SpiloAllowPrivilegeEscalation          *bool                        `json:"spilo_allow_privilege_escalation,omitempty"`
 	SpiloRunAsUser                         *int64                       `json:"spilo_runasuser,omitempty"`

@@ -778,6 +778,7 @@ func (c *Cluster) generatePodTemplate(
 	nodeAffinity *v1.Affinity,
 	schedulerName *string,
 	terminateGracePeriod int64,
+	podFsGroupChangePolicy v1.PodFSGroupChangePolicy,
 	podServiceAccountName string,
 	kubeIAMRole string,
 	priorityClassName string,
@@ -807,6 +808,10 @@ func (c *Cluster) generatePodTemplate(
 		securityContext.FSGroup = spiloFSGroup
 	}
 
+	if len(podFsGroupChangePolicy) > 0 {
+		securityContext.FSGroupChangePolicy = &podFsGroupChangePolicy
+	}
+
 	podSpec := v1.PodSpec{
 		ServiceAccountName:            podServiceAccountName,
 		TerminationGracePeriodSeconds: &terminateGracePeriodSeconds,
@@ -1284,6 +1289,8 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 		effectiveFSGroup = spec.SpiloFSGroup
 	}
 
+	fsGroupChangePolicy := c.OpConfig.PodFsGroupChangePolicy
+
 	volumeMounts := generateVolumeMounts(spec.Volume)
 
 	// configure TLS with a custom secret volume
@@ -1434,6 +1441,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 		c.nodeAffinity(c.OpConfig.NodeReadinessLabel, spec.NodeAffinity),
 		spec.SchedulerName,
 		int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),
+		fsGroupChangePolicy,
 		c.OpConfig.PodServiceAccountName,
 		c.OpConfig.KubeIAMRole,
 		effectivePodPriorityClassName,
@@ -2188,6 +2196,7 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1.CronJob, error) {
 		c.nodeAffinity(c.OpConfig.NodeReadinessLabel, nil),
 		nil,
 		int64(c.OpConfig.PodTerminateGracePeriod.Seconds()),
+		"",
 		c.OpConfig.PodServiceAccountName,
 		c.OpConfig.KubeIAMRole,
 		"",

@@ -73,6 +73,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.PodEnvironmentConfigMap = fromCRD.Kubernetes.PodEnvironmentConfigMap
 	result.PodEnvironmentSecret = fromCRD.Kubernetes.PodEnvironmentSecret
 	result.PodTerminateGracePeriod = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod), "5m")
+	result.PodFsGroupChangePolicy = fromCRD.Kubernetes.PodFsGroupChangePolicy
 	result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
 	result.SpiloAllowPrivilegeEscalation = util.CoalesceBool(fromCRD.Kubernetes.SpiloAllowPrivilegeEscalation, util.True())
 	result.SpiloRunAsUser = fromCRD.Kubernetes.SpiloRunAsUser