Explicitly set Pod security policies to run as non root

The containers are already running as non-root users, so this makes it explicit that this is / must be enforced. Issue: [ch10570]

Author: Jonathan S. Katz

deploy/deployment.json

@@ -24,6 +24,9 @@
  },
  "spec": {
  "serviceAccountName": "postgres-operator",
+ "securityContext": {
+ "runAsNonRoot": true
+ },
  "containers": [
  {
  "name": "apiserver",

installers/ansible/roles/pgo-operator/files/pgo-configs/pgadmin-template.json

@@ -34,11 +34,12 @@
  },
  "spec": {
  "serviceAccountName": "pgo-default",
- {{ if not .DisableFSGroup }}
  "securityContext": {
- "fsGroup": 2
+ {{ if not .DisableFSGroup }}
+ "fsGroup": 2,
+ {{ end }}
+ "runAsNonRoot": true
  },
- {{ end }}
  "containers": [{
  "name": "pgadminweb",
  "image": "{{.CCPImagePrefix}}/crunchy-pgadmin4:{{.CCPImageTag}}",

installers/ansible/roles/pgo-operator/files/pgo-configs/pgbouncer-template.json

@@ -39,11 +39,12 @@
  },
  "spec": {
  "serviceAccountName": "pgo-default",
- {{ if not .DisableFSGroup }}
  "securityContext": {
- "fsGroup": 2
+ {{ if not .DisableFSGroup }}
+ "fsGroup": 2,
+ {{ end }}
+ "runAsNonRoot": true
  },
- {{ end }}
  "containers": [{
  "name": "pgbouncer",
  "image": "{{.CCPImagePrefix}}/crunchy-pgbouncer:{{.CCPImageTag}}",

installers/ansible/roles/pgo-operator/files/pgo-configs/pgo.sqlrunner-template.json

@@ -21,6 +21,9 @@
  },
  "spec": {
  "serviceAccountName": "pgo-default",
+ "securityContext": {
+ "runAsNonRoot": true
+ },
  {{ if .Tolerations }}
  "tolerations": {{ .Tolerations }},
  {{ end }}

installers/ansible/roles/pgo-operator/files/pgo-configs/rmdata-job.json

@@ -21,6 +21,9 @@
  },
  "spec": {
  "serviceAccountName": "pgo-target",
+ "securityContext": {
+ "runAsNonRoot": true
+ },
  {{ if .Tolerations }}
  "tolerations": {{ .Tolerations }},
  {{ end }}

installers/ansible/roles/pgo-operator/templates/deployment.json.j2

@@ -24,6 +24,9 @@
  },
  "spec": {
  "serviceAccountName": "postgres-operator",
+ "securityContext": {
+ "runAsNonRoot": true
+ },
  "containers": [
  {
  "name": "apiserver",

installers/metrics/ansible/roles/pgo-metrics/templates/alertmanager-deployment.json.j2

@@ -30,7 +30,8 @@
 {% if not (disable_fsgroup | default(false) | bool) %}
  {% if (alertmanager_supplemental_groups | default('')) != '' %},{% endif -%}
  "fsGroup": 26,
- "runAsUser": 2
+ "runAsUser": 2,
+ "runAsNonRoot": true
 {% endif %}
  },
  "serviceAccountName": "alertmanager",

installers/metrics/ansible/roles/pgo-metrics/templates/grafana-deployment.json.j2

@@ -30,7 +30,8 @@
 {% if not (disable_fsgroup | default(false) | bool) %}
  {% if (grafana_supplemental_groups | default('')) != '' %},{% endif -%}
  "fsGroup": 26,
- "runAsUser": 2
+ "runAsUser": 2,
+ "runAsNonRoot": true
 {% endif %}
  },
  "serviceAccountName": "grafana",

installers/metrics/ansible/roles/pgo-metrics/templates/prometheus-deployment.json.j2

@@ -30,7 +30,8 @@
 {% if not (disable_fsgroup | default(false) | bool) %}
  {% if (prometheus_supplemental_groups | default('')) != '' %},{% endif -%}
  "fsGroup": 26,
- "runAsUser": 2
+ "runAsUser": 2,
+ "runAsNonRoot": true,
 {% endif %}
  },
  "serviceAccountName": "prometheus-sa",

installers/olm/postgresoperator.csv.yaml

@@ -200,6 +200,8 @@ spec:
  vendor: crunchydata
  spec:
  serviceAccountName: postgres-operator
+ securityContext:
+ runAsNonRoot: true
  containers:
  - name: apiserver
  image: '${PGO_IMAGE_PREFIX}/pgo-apiserver:${PGO_IMAGE_TAG}'