Configuring securityContext using Percona MongoDB Operator

Hi everyone,

We’re trying to secure our MongoDB operator and cluster deployments using securityContext parameters. We have seen in the operator documentation and in the operator CRD that it is possible to use podSecurityContext, containerSecurityContext and securityContext.

We have managed to apply this security configuration to all Docker containers in the 3-node pods (operator, mongod, backup and our custom sidecar container running MongoDB exporter), except for the mongo-init container.

Can you please help us out configuring the securityContext properly, so that we can apply this to the init container as well?

Thanks in advance!

Current configuration:

Operator:

spec:
  template:
    spec:
      containers:
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL

MongoDB cluster:

spec:
  replsets:
    podSecurityContext:
      runAsNonRoot: true
    containerSecurityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL
    replsets:
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL
  backup:
    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL
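
An added check (not part of the original post or the operator) that surfaces exactly the gap described above: it walks a pod's initContainers and containers and reports which of the posted hardening settings each one lacks, treating pod-level runAsNonRoot as inherited. The pod JSON, container names and image are constructed for the example.

```python
import json

# Container settings from the post; the pod-level runAsNonRoot is inherited by containers
# that do not set it themselves (the other four keys exist only at container level).
HARDENED = dict(allowPrivilegeEscalation=False, privileged=False, readOnlyRootFilesystem=True,
                runAsNonRoot=True, capabilities={"drop": ["ALL"]})
REQUIRED = {k: v for k, v in HARDENED.items() if k != "capabilities"}
POD_LEVEL_FALLBACK = {"runAsNonRoot"}

# Constructed sample shaped like `kubectl get pod -o json` output (not real cluster data):
# the mongo-init init container carries no securityContext, the app containers do.
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "my-cluster-rs0-0"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [{"name": "mongo-init", "image": "example/mongo-init:tag"}],
        "containers": [
            {"name": "mongod", "securityContext": HARDENED},
            {"name": "backup-agent", "securityContext": HARDENED},
        ],
    },
})

def missing_settings(container_sc, pod_sc):
    # Names of hardening settings a container still lacks after pod-level inheritance.
    container_sc, pod_sc = container_sc or {}, pod_sc or {}
    missing = []
    for key, wanted in REQUIRED.items():
        value = container_sc.get(key)
        if value is None and key in POD_LEVEL_FALLBACK:
            value = pod_sc.get(key)
        if value != wanted:
            missing.append(key)
    drops = (container_sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drops:
        missing.append("capabilities.drop[ALL]")
    return missing

def audit_pod(pod_json):
    # Returns [(kind, container name, missing settings)] for every non-compliant container,
    # checking initContainers as well as containers.
    spec = json.loads(pod_json)["spec"]
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            missing = missing_settings(c.get("securityContext"), spec.get("securityContext"))
            if missing:
                findings.append((kind, c["name"], missing))
    return findings
```

Running `audit_pod` over real `kubectl get pod -o json` output gives a quick regression check that a future operator version actually applies the securityContext to the init container.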

Hi @azam !

At the moment I’m not aware that it can be set for the init container.
Could you please open a Jira ticket in the K8SPSMDB project in our Jira: https://jira.percona.com/projects/K8SPSMDB

Thanks!


Hi @Tomislav_Plavcic ,

Thanks for your quick reply :smiley:

I have created K8SPSMDB-708 (“Add possibility to configure securityContext for init container”) in Percona JIRA.
Please review it whether I filled in everything correctly.

Could you let me know whether this can be included in the next version of the operator?


Hi @azam !
Thanks for opening a ticket.
I cannot say right now whether it will be included, because our product managers decide which things go into a release, but I would advise you to watch the ticket and see whether its “Fix Version/s” field gets updated with 1.13.0 or some future version.
If at some point you think the ticket has somehow been forgotten, just leave a comment and it should bring attention back to it (hopefully this will not happen, but just saying).
