chore: avoid setting seccompProfile when not supported (cloudnative-pg#930)

With this patch the operator will avoid setting a seccomp profile for Kubernetes older than 1.24, where this feature is not yet supported.

seccomp profiles are still supported for Kubernetes 1.24 and beyond.

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>

Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>

Author: 4 people

internal/cmd/manager/controller/controller.go

@@ -202,6 +202,12 @@ func RunController(
 		return err
 	}
 
+	// Detect if we support SeccompProfile
+	if err = utils.DetectSeccompSupport(discoveryClient); err != nil {
+		setupLog.Error(err, "unable to detect SeccompProfile support")
+		return err
+	}
+
 	// Retrieve the Kubernetes cluster system UID
 	if err = utils.DetectKubeSystemUID(ctx, clientSet); err != nil {
 		setupLog.Error(err, "unable to retrieve the Kubernetes cluster system UID")
@@ -210,7 +216,8 @@ func RunController(
 
 	setupLog.Info("Kubernetes system metadata",
 		"systemUID", utils.GetKubeSystemUID(),
-		"haveSCC", utils.HaveSecurityContextConstraints())
+		"haveSCC", utils.HaveSecurityContextConstraints(),
+		"haveSeccompProfile", utils.HaveSeccompSupport())
 
 	if err := ensurePKI(ctx, mgr.GetWebhookServer().CertDir); err != nil {
 		return err

pkg/specs/containers.go

@@ -23,6 +23,7 @@ import (
 
 	apiv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1"
 	"github.com/cloudnative-pg/cloudnative-pg/internal/configuration"
+	"github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
 )
 
 // createBootstrapContainer creates the init container bootstrapping the operator
@@ -60,6 +61,13 @@ func CreateContainerSecurityContext() *corev1.SecurityContext {
 	trueValue := true
 	falseValue := false
 
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	return &corev1.SecurityContext{
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{
@@ -70,8 +78,6 @@ func CreateContainerSecurityContext() *corev1.SecurityContext {
 		RunAsNonRoot:             &trueValue,
 		ReadOnlyRootFilesystem:   &trueValue,
 		AllowPrivilegeEscalation: &falseValue,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
+		SeccompProfile:           seccompProfile,
 	}
 }

pkg/specs/pods.go

@@ -280,15 +280,20 @@ func CreatePodSecurityContext(user, group int64) *corev1.PodSecurityContext {
 		return nil
 	}
 
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	trueValue := true
 	return &corev1.PodSecurityContext{
-		RunAsNonRoot: &trueValue,
-		RunAsUser:    &user,
-		RunAsGroup:   &group,
-		FSGroup:      &group,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
+		RunAsNonRoot:   &trueValue,
+		RunAsUser:      &user,
+		RunAsGroup:     &group,
+		FSGroup:        &group,
+		SeccompProfile: seccompProfile,
 	}
 }
 

pkg/utils/discovery.go

@@ -17,14 +17,19 @@ limitations under the License.
 package utils
 
 import (
+	"strconv"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/discovery"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
-// This variable store the result of the DetectSecurityContextConstraints check
+// This variable stores the result of the DetectSecurityContextConstraints check
 var haveSCC bool
 
+// This variable specifies whether we should set the SeccompProfile or not in the pods
+var supportSeccomp bool
+
 // GetDiscoveryClient creates a discovery client or return error
 func GetDiscoveryClient() (*discovery.DiscoveryClient, error) {
 	config, err := ctrl.GetConfig()
@@ -86,3 +91,30 @@ func PodMonitorExist(client *discovery.DiscoveryClient) (bool, error) {
 
 	return exist, nil
 }
+
+// HaveSeccompSupport returns true if Seccomp is supported. If it is, we should
+// set the SeccompProfile in the pods
+func HaveSeccompSupport() bool {
+	return supportSeccomp
+}
+
+// DetectSeccompSupport checks the version of Kubernetes in the cluster to determine
+// whether Seccomp is supported
+func DetectSeccompSupport(client *discovery.DiscoveryClient) (err error) {
+	supportSeccomp = false
+	kubernetesVersion, err := client.ServerVersion()
+	if err != nil {
+		return err
+	}
+
+	minor, err := strconv.Atoi(kubernetesVersion.Minor)
+	if err != nil {
+		return err
+	}
+
+	if minor >= 24 {
+		supportSeccomp = true
+	}
+
+	return
+}

tests/utils/azurite.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/utils/pointer"
 
 	"github.com/cloudnative-pg/cloudnative-pg/pkg/certs"
+	"github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
 )
 
 const (
@@ -104,6 +105,13 @@ func InstallAzCli(namespace string, env *TestingEnvironment) error {
 
 // getAzuriteClientPod get the cli client pod
 func getAzuriteClientPod(namespace string) corev1.Pod {
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	cliClientPod := corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "az-cli",
@@ -149,7 +157,7 @@ func getAzuriteClientPod(namespace string) corev1.Pod {
 					},
 					SecurityContext: &corev1.SecurityContext{
 						AllowPrivilegeEscalation: pointer.Bool(false),
-						SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile:           seccompProfile,
 					},
 				},
 			},
@@ -176,7 +184,7 @@ func getAzuriteClientPod(namespace string) corev1.Pod {
 				},
 			},
 			SecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				SeccompProfile: seccompProfile,
 			},
 		},
 	}
@@ -210,6 +218,13 @@ func getAzuriteService(namespace string) corev1.Service {
 // getAzuriteDeployment get the deployment for Azurite
 func getAzuriteDeployment(namespace string) apiv1.Deployment {
 	replicas := int32(1)
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	azuriteDeployment := apiv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "azurite",
@@ -266,7 +281,7 @@ func getAzuriteDeployment(namespace string) apiv1.Deployment {
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: pointer.Bool(false),
-								SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+								SeccompProfile:           seccompProfile,
 							},
 						},
 					},
@@ -297,7 +312,7 @@ func getAzuriteDeployment(namespace string) apiv1.Deployment {
 						},
 					},
 					SecurityContext: &corev1.PodSecurityContext{
-						SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile: seccompProfile,
 					},
 				},
 			},

tests/utils/curl.go

@@ -22,10 +22,19 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
+
+	"github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
 )
 
 // CurlClient returns the Pod definition for a curl client
 func CurlClient(namespace string) corev1.Pod {
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	curlPod := corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
@@ -40,14 +49,14 @@ func CurlClient(namespace string) corev1.Pod {
 					Command: []string{"sleep", "3600"},
 					SecurityContext: &corev1.SecurityContext{
 						AllowPrivilegeEscalation: pointer.Bool(false),
-						SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile:           seccompProfile,
 					},
 				},
 			},
 			DNSPolicy:     corev1.DNSClusterFirst,
 			RestartPolicy: corev1.RestartPolicyAlways,
 			SecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				SeccompProfile: seccompProfile,
 			},
 		},
 	}

tests/utils/environment.go

@@ -109,6 +109,16 @@ func NewTestingEnvironment() (*TestingEnvironment, error) {
 		env.PreserveNamespaces = strings.Fields(preserveNamespaces)
 	}
 
+	clientDiscovery, err := utils.GetDiscoveryClient()
+	if err != nil {
+		return nil, fmt.Errorf("could not get the discovery client: %w", err)
+	}
+
+	err = utils.DetectSeccompSupport(clientDiscovery)
+	if err != nil {
+		return nil, fmt.Errorf("could not detect SeccompProfile support: %w", err)
+	}
+
 	return &env, nil
 }
 

tests/utils/minio.go

@@ -34,6 +34,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/cloudnative-pg/cloudnative-pg/pkg/postgres"
+	"github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
 )
 
 const (
@@ -113,6 +114,13 @@ func MinioDefaultSetup(namespace string) (MinioSetup, error) {
 
 // MinioDefaultDeployment returns a default Deployment for minio
 func MinioDefaultDeployment(namespace string, minioPVC corev1.PersistentVolumeClaim) appsv1.Deployment {
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	minioDeployment := appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "minio",
@@ -189,12 +197,12 @@ func MinioDefaultDeployment(namespace string, minioPVC corev1.PersistentVolumeCl
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: pointer.Bool(false),
-								SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+								SeccompProfile:           seccompProfile,
 							},
 						},
 					},
 					SecurityContext: &corev1.PodSecurityContext{
-						SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile: seccompProfile,
 					},
 				},
 			},
@@ -324,6 +332,13 @@ func MinioSSLSetup(namespace string) (MinioSetup, error) {
 
 // MinioDefaultClient returns the default Pod definition for a minio client
 func MinioDefaultClient(namespace string) corev1.Pod {
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	minioClient := corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
@@ -365,13 +380,13 @@ func MinioDefaultClient(namespace string) corev1.Pod {
 					},
 					SecurityContext: &corev1.SecurityContext{
 						AllowPrivilegeEscalation: pointer.Bool(false),
-						SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile:           seccompProfile,
 					},
 					Command: []string{"sleep", "3600"},
 				},
 			},
 			SecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				SeccompProfile: seccompProfile,
 			},
 			DNSPolicy:     corev1.DNSClusterFirst,
 			RestartPolicy: corev1.RestartPolicyAlways,

tests/utils/webapp.go

@@ -20,11 +20,20 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
+
+	"github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
 )
 
 // DefaultWebapp returns a struct representing a
 func DefaultWebapp(namespace string, name string, rootCASecretName string, tlsSecretName string) corev1.Pod {
 	var secretMode int32 = 0o600
+	seccompProfile := &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+	if !utils.HaveSeccompSupport() {
+		seccompProfile = nil
+	}
+
 	return corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
@@ -72,12 +81,12 @@ func DefaultWebapp(namespace string, name string, rootCASecretName string, tlsSe
 					},
 					SecurityContext: &corev1.SecurityContext{
 						AllowPrivilegeEscalation: pointer.Bool(false),
-						SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+						SeccompProfile:           seccompProfile,
 					},
 				},
 			},
 			SecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				SeccompProfile: seccompProfile,
 			},
 		},
 	}