Revert "Enable seccomp on containers (CrunchyData#3193)" (CrunchyData#3215)

benjaminjb · web-flow · commit c45bcb65320f · 2022-05-18T10:47:05.000-05:00
* Revert "Enable seccomp on containers (CrunchyData#3193)" This reverts commit 6193560. * update Release notes
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -38,6 +38,4 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
       serviceAccountName: pgo
diff --git a/docs/content/releases/5.1.1.md b/docs/content/releases/5.1.1.md
@@ -22,7 +22,3 @@ Read more about how you can [get started]({{< relref "quickstart/_index.md" >}})
 
 - It is now possible to perform major PostgreSQL version upgrades when using an external WAL directory.
 - The documentation for pgAdmin 4 now clearly states that any pgAdmin user created by PGO will have a `@pgo` suffix.
-
-## Changes
-
-- The `seccompProfile` field in the `securityContext` for all containers is now set to `RuntimeDefault` in order to properly restrict syscalls.
diff --git a/internal/controller/postgrescluster/instance_test.go b/internal/controller/postgrescluster/instance_test.go
@@ -563,8 +563,6 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -612,8 +610,6 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -669,8 +665,6 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -718,8 +712,6 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
diff --git a/internal/controller/postgrescluster/pgbackrest_test.go b/internal/controller/postgrescluster/pgbackrest_test.go
@@ -2510,8 +2510,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/conf.d
     name: pgbackrest-config
diff --git a/internal/controller/postgrescluster/volumes_test.go b/internal/controller/postgrescluster/volumes_test.go
@@ -991,8 +991,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   terminationMessagePath: /dev/termination-log
   terminationMessagePolicy: File
   volumeMounts:
@@ -1046,8 +1044,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   terminationMessagePath: /dev/termination-log
   terminationMessagePolicy: File
   volumeMounts:
@@ -1103,8 +1099,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   terminationMessagePath: /dev/termination-log
   terminationMessagePolicy: File
   volumeMounts:
diff --git a/internal/initialize/security.go b/internal/initialize/security.go
@@ -20,9 +20,6 @@ import (
 )
 
 // RestrictedPodSecurityContext returns a v1.PodSecurityContext with safe defaults.
-// Note: All current containers have security context set by `RestrictedSecurityContext`
-// which has recommended limits; if more pods/containers are added
-// make sure to set the SC on the container
 // See https://docs.k8s.io/concepts/security/pod-security-standards/
 func RestrictedPodSecurityContext() *corev1.PodSecurityContext {
 	return &corev1.PodSecurityContext{
@@ -46,12 +43,5 @@ func RestrictedSecurityContext() *corev1.SecurityContext {
 
 		// Fail to start the container if its image runs as UID 0 (root).
 		RunAsNonRoot: Bool(true),
-
-		// Restrict syscalls with RuntimeDefault seccomp.
-		// Set this on the container-level to avoid interfering
-		// with sidecars and injected containers.
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
 	}
 }
diff --git a/internal/initialize/security_test.go b/internal/initialize/security_test.go
@@ -97,11 +97,8 @@ func TestRestrictedSecurityContext(t *testing.T) {
 				"Containers must be required to run as non-root users.")
 		}
 
-		if assert.Check(t, sc.SeccompProfile != nil) {
-			assert.Assert(t, sc.SeccompProfile.Type == "RuntimeDefault",
-				"Seccomp profile must be explicitly set to one of the allowed values.")
-		}
-
+		assert.Assert(t, sc.SeccompProfile == nil,
+			"The RuntimeDefault seccomp profile must be required, or allow specific additional profiles.")
 	})
 
 	if assert.Check(t, sc.ReadOnlyRootFilesystem != nil) {
diff --git a/internal/pgadmin/reconcile_test.go b/internal/pgadmin/reconcile_test.go
@@ -241,8 +241,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgadmin
     name: pgadmin-startup
@@ -280,8 +278,6 @@ initContainers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgadmin
     name: pgadmin-startup
@@ -477,8 +473,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgadmin
     name: pgadmin-startup
@@ -520,8 +514,6 @@ initContainers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgadmin
     name: pgadmin-startup
diff --git a/internal/pgbackrest/reconcile_test.go b/internal/pgbackrest/reconcile_test.go
@@ -571,8 +571,6 @@ func TestAddServerToInstancePod(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -619,8 +617,6 @@ func TestAddServerToInstancePod(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -705,8 +701,6 @@ func TestAddServerToRepoPod(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
@@ -749,8 +743,6 @@ func TestAddServerToRepoPod(t *testing.T) {
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbackrest/server
     name: pgbackrest-server
diff --git a/internal/pgbouncer/reconcile_test.go b/internal/pgbouncer/reconcile_test.go
@@ -141,8 +141,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
@@ -171,8 +169,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
@@ -249,8 +245,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
@@ -284,8 +278,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
@@ -353,8 +345,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
@@ -387,8 +377,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
diff --git a/internal/postgres/reconcile_test.go b/internal/postgres/reconcile_test.go
@@ -143,8 +143,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /pgconf/tls
     name: cert-volume
@@ -183,8 +181,6 @@ containers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /pgconf/tls
     name: cert-volume
@@ -251,8 +247,6 @@ initContainers:
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
   volumeMounts:
   - mountPath: /pgconf/tls
     name: cert-volume
diff --git a/testing/kuttl/e2e/security-context/00-assert.yaml b/testing/kuttl/e2e/security-context/00-assert.yaml
