Drop default container runtime capabilities

The restricted profile of Kubernetes' Pod Security Standards requires
dropping all POSIX capabilities.

Issue: [sc-10828]
See: https://docs.k8s.io/concepts/security/pod-security-standards/

Author: cbandy

internal/controller/postgrescluster/instance_test.go

@@ -563,6 +563,9 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -610,6 +613,9 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -665,6 +671,9 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
       cpu: 5m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -712,6 +721,9 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/controller/postgrescluster/pgbackrest_test.go

@@ -2505,6 +2505,9 @@ containers:
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/controller/postgrescluster/pgmonitor_test.go

@@ -96,6 +96,9 @@ func TestAddPGMonitorExporterToInstancePodSpec(t *testing.T) {
 		assert.Equal(t, container.ImagePullPolicy, corev1.PullAlways)
 		assert.DeepEqual(t, container.Resources, resources)
 		assert.DeepEqual(t, container.Command, []string{"/opt/cpm/bin/start.sh"})
+		assert.DeepEqual(t, container.SecurityContext.Capabilities, &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		})
 		assert.Equal(t, *container.SecurityContext.Privileged, false)
 		assert.Equal(t, *container.SecurityContext.ReadOnlyRootFilesystem, true)
 		assert.Equal(t, *container.SecurityContext.AllowPrivilegeEscalation, false)

internal/controller/postgrescluster/volumes_test.go

@@ -775,6 +775,9 @@ containers:
       cpu: 1m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -828,6 +831,9 @@ containers:
       cpu: 1m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -883,6 +889,9 @@ containers:
       cpu: 1m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/initialize/security.go

@@ -35,6 +35,13 @@ func RestrictedSecurityContext() *corev1.SecurityContext {
 		// Prevent any container processes from gaining privileges.
 		AllowPrivilegeEscalation: Bool(false),
 
+		// Drop any capabilities granted by the container runtime.
+		// This must be uppercase to pass Pod Security Admission.
+		// - https://releases.k8s.io/v1.24.0/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+
 		// Processes in privileged containers are essentially root on the host.
 		Privileged: Bool(false),
 

internal/initialize/security_test.go

@@ -16,6 +16,7 @@
 package initialize_test
 
 import (
+	"fmt"
 	"testing"
 
 	"gotest.tools/v3/assert"
@@ -72,8 +73,10 @@ func TestRestrictedSecurityContext(t *testing.T) {
 				"Privileged Pods disable most security mechanisms and must be disallowed.")
 		}
 
-		assert.Assert(t, sc.Capabilities == nil,
-			"Adding additional capabilities beyond the default set must be disallowed.")
+		if assert.Check(t, sc.Capabilities != nil) {
+			assert.Assert(t, sc.Capabilities.Add == nil,
+				"Adding additional capabilities … must be disallowed.")
+		}
 
 		assert.Assert(t, sc.SELinuxOptions == nil,
 			"Setting custom SELinux options should be disallowed.")
@@ -92,6 +95,11 @@ func TestRestrictedSecurityContext(t *testing.T) {
 				"Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.")
 		}
 
+		if assert.Check(t, sc.Capabilities != nil) {
+			assert.Assert(t, fmt.Sprint(sc.Capabilities.Drop) == `[ALL]`,
+				"Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.")
+		}
+
 		if assert.Check(t, sc.RunAsNonRoot != nil) {
 			assert.Assert(t, *sc.RunAsNonRoot == true,
 				"Containers must be required to run as non-root users.")

internal/pgadmin/reconcile_test.go

@@ -238,6 +238,9 @@ containers:
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -275,6 +278,9 @@ initContainers:
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -470,6 +476,9 @@ containers:
       cpu: 100m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -511,6 +520,9 @@ initContainers:
       cpu: 100m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/pgbackrest/reconcile_test.go

@@ -567,6 +567,9 @@ func TestAddServerToInstancePod(t *testing.T) {
       cpu: 5m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -613,6 +616,9 @@ func TestAddServerToInstancePod(t *testing.T) {
       cpu: 17m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -697,6 +703,9 @@ func TestAddServerToRepoPod(t *testing.T) {
       cpu: 5m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -739,6 +748,9 @@ func TestAddServerToRepoPod(t *testing.T) {
       cpu: 19m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/pgbouncer/reconcile_test.go

@@ -142,6 +142,9 @@ containers:
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -170,6 +173,9 @@ containers:
   resources: {}
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -246,6 +252,9 @@ containers:
       cpu: 100m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -279,6 +288,9 @@ containers:
       memory: 16Mi
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -346,6 +358,9 @@ containers:
       cpu: 100m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -378,6 +393,9 @@ containers:
       cpu: 200m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true

internal/postgres/reconcile_test.go

@@ -144,6 +144,9 @@ containers:
       cpu: 9m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -182,6 +185,9 @@ containers:
       cpu: 21m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
@@ -248,6 +254,9 @@ initContainers:
       cpu: 9m
   securityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true