From d543dbed5d61c90648bff0632e765d6d762cd7ca Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Mon, 25 Jan 2021 10:18:09 +0100 Subject: [PATCH 1/4] set allowPrivilegeEscalation for deployment templates --- charts/postgres-operator/templates/deployment.yaml | 2 ++ charts/postgres-operator/values-crd.yaml | 14 ++++++++++---- charts/postgres-operator/values.yaml | 14 ++++++++++---- manifests/postgres-operator.yaml | 1 + pkg/cluster/connection_pooler.go | 3 +++ 5 files changed, 26 insertions(+), 8 deletions(-) diff --git a/charts/postgres-operator/templates/deployment.yaml b/charts/postgres-operator/templates/deployment.yaml index 9841bf1bc..da80676d2 100644 --- a/charts/postgres-operator/templates/deployment.yaml +++ b/charts/postgres-operator/templates/deployment.yaml @@ -62,6 +62,8 @@ spec: {{ toYaml .Values.affinity | indent 8 }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} + securityContext: +{{ toYaml .Values.securityContext| indent 8 }} tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- if .Values.priorityClassName }} diff --git a/charts/postgres-operator/values-crd.yaml b/charts/postgres-operator/values-crd.yaml index 3593dd276..f3115dc8e 100644 --- a/charts/postgres-operator/values-crd.yaml +++ b/charts/postgres-operator/values-crd.yaml 
@@ -359,18 +359,24 @@ resources: cpu: 100m memory: 250Mi +securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} -# Tolerations for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - # Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: {} +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + controllerID: # Specifies whether a controller ID should be defined for the operator # Note, all postgres manifest must then contain the following annotation to be found by this operator diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml index 15f13df7e..e8a330d4b 100644 --- a/charts/postgres-operator/values.yaml +++ b/charts/postgres-operator/values.yaml @@ -354,18 +354,24 @@ resources: cpu: 100m memory: 250Mi +securityContext: + runAsUser: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} -# Tolerations for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - # Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: {} +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + controllerID: # Specifies whether a controller ID should be defined for the operator # Note, all postgres manifest must then contain the following annotation to be found by this operator 
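Review bot: The new `securityContext` block in values-crd.yaml is the only top-level entry in this hunk without a descriptive comment and reference line, unlike the affinity, nodeSelector and tolerations entries around it; the identical block added in values.yaml in the next hunk has the same gap. A header such as `# Security context for the operator container` followed by `# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/` would match the file's convention and tell users that readOnlyRootFilesystem and allowPrivilegeEscalation are container-level keys. That comment should also say that these four values mirror the ones hard-coded in manifests/postgres-operator.yaml, so the two stay in sync when either is changed.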
diff --git a/manifests/postgres-operator.yaml b/manifests/postgres-operator.yaml index da4ca7fc6..a03959805 100644 --- a/manifests/postgres-operator.yaml +++ b/manifests/postgres-operator.yaml @@ -32,6 +32,7 @@ spec: runAsUser: 1000 runAsNonRoot: true readOnlyRootFilesystem: true + allowPrivilegeEscalation: false env: # provided additional ENV vars can overwrite individual config map entries - name: CONFIG_MAP_NAME diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go index 2e3f04876..212f6c892 100644 --- a/pkg/cluster/connection_pooler.go +++ b/pkg/cluster/connection_pooler.go @@ -280,6 +280,9 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) ( }, }, }, + SecurityContext: &v1.SecurityContext{ + AllowPrivilegeEscalation: util.False(), + }, } podTemplate := &v1.PodTemplateSpec{ From 78a29a21d6932ed65299d4b407c8e68cf9d7af29 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Mon, 25 Jan 2021 10:30:51 +0100 Subject: [PATCH 2/4] securityContext of container, not pod --- charts/postgres-operator/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/postgres-operator/templates/deployment.yaml b/charts/postgres-operator/templates/deployment.yaml index da80676d2..2249c4677 100644 --- a/charts/postgres-operator/templates/deployment.yaml +++ b/charts/postgres-operator/templates/deployment.yaml @@ -54,6 +54,8 @@ spec: {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} + securityContext: +{{ toYaml .Values.securityContext| indent 10 }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} @@ -62,8 +64,6 @@ spec: {{ toYaml .Values.affinity | indent 8 }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} - securityContext: -{{ toYaml .Values.securityContext| indent 8 }} tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- if .Values.priorityClassName }} 
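Review bot: The pooler container's new `SecurityContext` in connection_pooler.go sets only `AllowPrivilegeEscalation`, while the operator's own manifest hunk just above it also carries `runAsNonRoot` and `readOnlyRootFilesystem`; whether the pooler image tolerates those tighter settings cannot be confirmed from this hunk, so a comment explaining the narrower choice would help the next reader, e.g. `// Only privilege escalation is denied here; the pooler image's user and filesystem requirements are not constrained yet.` If the image is known to run as a non-root user, `RunAsNonRoot: util.True(),` (assuming the util package offers the counterpart to `util.False()`) would bring it in line with the operator deployment. generateConnectionPoolerPodTemplate starts and ends outside this hunk.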
From 4b07d2578ec0c5791effb53030a5e2b324b2a017 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Mon, 25 Jan 2021 10:36:52 +0100 Subject: [PATCH 3/4] aligning --- charts/postgres-operator/templates/deployment.yaml | 2 +- manifests/complete-postgres-manifest.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/postgres-operator/templates/deployment.yaml b/charts/postgres-operator/templates/deployment.yaml index 2249c4677..89500ae94 100644 --- a/charts/postgres-operator/templates/deployment.yaml +++ b/charts/postgres-operator/templates/deployment.yaml @@ -55,7 +55,7 @@ spec: resources: {{ toYaml .Values.resources | indent 10 }} securityContext: -{{ toYaml .Values.securityContext| indent 10 }} +{{ toYaml .Values.securityContext | indent 10 }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} diff --git a/manifests/complete-postgres-manifest.yaml b/manifests/complete-postgres-manifest.yaml index f721f0ccb..9f2d19639 100644 --- a/manifests/complete-postgres-manifest.yaml +++ b/manifests/complete-postgres-manifest.yaml @@ -45,7 +45,7 @@ spec: size: 1Gi # storageClass: my-sc # iops: 1000 # for EBS gp3 - # throughput: 250 # in MB/s for EBS gp3 +# throughput: 250 # in MB/s for EBS gp3 additionalVolumes: - name: empty mountPath: /opt/empty From 8c88031ccd2057dffe1ef6dfdeeb69a0c6293708 Mon Sep 17 00:00:00 2001 From: Felix Kunde Date: Mon, 25 Jan 2021 14:13:16 +0100 Subject: [PATCH 4/4] default service account for pooler --- pkg/cluster/connection_pooler.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go index 212f6c892..db4f1f56d 100644 --- a/pkg/cluster/connection_pooler.go +++ b/pkg/cluster/connection_pooler.go 
@@ -292,7 +292,6 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 Annotations: c.annotationsSet(c.generatePodAnnotations(spec)),
 },
 Spec: v1.PodSpec{
- ServiceAccountName: c.OpConfig.PodServiceAccountName,
 TerminationGracePeriodSeconds: &gracePeriod,
 Containers: []v1.Container{poolerContainer},
 // TODO: add tolerations to scheduler pooler on the same node
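Review bot: Removing `ServiceAccountName` stops the pooler pod from sharing the operator's account, which is a least-privilege improvement, but the account Kubernetes falls back to still has its token auto-mounted into the pooler container unless the pod or the service account opts out. Nothing in this hunk suggests the pooler calls the Kubernetes API, so the same `v1.PodSpec` literal should also carry `AutomountServiceAccountToken: util.False(),` next to `TerminationGracePeriodSeconds`, using the helper the earlier hunk already relies on. The commit title speaks of the default service account, yet no line here sets one, so that fallback is inferred from Kubernetes behaviour rather than visible in the code and is worth a short comment at the removal point. generateConnectionPoolerPodTemplate begins and ends outside this hunk.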