minio · dilverse · Dec 21, 2022 · Dec 16, 2022 · Dec 16, 2022 · Dec 16, 2022
diff --git a/examples/kustomization/base/tenant.yaml b/examples/kustomization/base/tenant.yaml
@@ -194,6 +194,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         fsGroup: 1000
+      ## Configure container security context
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
   ## Enable automatic Kubernetes based certificate generation and signing as explained in
   ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
   requestAutoCert: true

diff --git a/examples/kustomization/tenant-lite/tenant.yaml b/examples/kustomization/tenant-lite/tenant.yaml
@@ -24,3 +24,7 @@ spec:
           resources:
             requests:
               storage: 2Gi
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
diff --git a/helm/tenant/templates/tenant.yaml b/helm/tenant/templates/tenant.yaml
@@ -74,6 +74,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with (dig "containerSecurityContext" (dict) .) }}
+      containerSecurityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with (dig "topologySpreadConstraints" (list) .) }}
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}

diff --git a/helm/tenant/values.yaml b/helm/tenant/values.yaml
@@ -61,6 +61,15 @@ tenant:
       topologySpreadConstraints: [ ]
       ## Configure Runtime Class
       # runtimeClassName: ""
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
   ## Mount path where PV will be mounted inside container(s).
   mountPath: /export
   ## Sub path inside Mount path where MinIO stores data.

diff --git a/pkg/apis/minio.min.io/v2/types.go b/pkg/apis/minio.min.io/v2/types.go
@@ -628,10 +628,18 @@ type Pool struct {
 	//
 	// * `runAsUser` +
 	//
-	// * `seLinuxOptions` +
-	//
 	// +optional
 	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+	// Specify the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] of containers in the pool. The Operator supports only the following container security fields: +
+	//
+	// * `runAsGroup` +
+	//
+	// * `runAsNonRoot` +
+	//
+	// * `runAsUser` +
+	//
+	// +optional
+	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 	// *Optional* +
 	//
 	// Specify custom labels and annotations to append to the Pool.

diff --git a/pkg/resources/statefulsets/minio-statefulset.go b/pkg/resources/statefulsets/minio-statefulset.go
@@ -344,6 +344,7 @@ func poolMinioServerContainer(t *miniov2.Tenant, wsSecret *v1.Secret, skipEnvVar
 		LivenessProbe:   t.Spec.Liveness,
 		ReadinessProbe:  t.Spec.Readiness,
 		StartupProbe:    t.Spec.Startup,
+		SecurityContext: poolContainerSecurityContext(pool),
 	}
 }
 
@@ -403,6 +404,24 @@ func poolSecurityContext(pool *miniov2.Pool, status *miniov2.PoolStatus) *v1.Pod
 	return &securityContext
 }
 
+// Builds the security context for containers in a Pool
+func poolContainerSecurityContext(pool *miniov2.Pool) *v1.SecurityContext {
+	runAsNonRoot := true
+	var runAsUser int64 = 1000
+	var runAsGroup int64 = 1000
+
+	securityContext := corev1.SecurityContext{
+		RunAsNonRoot: &runAsNonRoot,
+		RunAsUser:    &runAsUser,
+		RunAsGroup:   &runAsGroup,
+	}
+
+	if pool != nil && pool.ContainerSecurityContext != nil {
+		securityContext = *pool.ContainerSecurityContext
+	}
+	return &securityContext
+}
+
 // NewPool creates a new StatefulSet for the given Cluster.
 func NewPool(t *miniov2.Tenant, wsSecret *v1.Secret, skipEnvVars map[string][]byte, pool *miniov2.Pool, poolStatus *miniov2.PoolStatus, serviceName, hostsTemplate, operatorVersion string, operatorTLS bool, operatorCATLS bool) *appsv1.StatefulSet {
 	var podVolumes []corev1.Volume

diff --git a/resources/base/crds/minio.min.io_tenants.yaml b/resources/base/crds/minio.min.io_tenants.yaml
@@ -7647,6 +7647,67 @@ spec:
                       additionalProperties:
                         type: string
                       type: object
+                    containerSecurityContext:
+                      properties:
+                        allowPrivilegeEscalation:
+                          type: boolean
+                        capabilities:
+                          properties:
+                            add:
+                              items:
+                                type: string
+                              type: array
+                            drop:
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        privileged:
+                          type: boolean
+                        procMount:
+                          type: string
+                        readOnlyRootFilesystem:
+                          type: boolean
+                        runAsGroup:
+                          format: int64
+                          type: integer
+                        runAsNonRoot:
+                          type: boolean
+                        runAsUser:
+                          format: int64
+                          type: integer
+                        seLinuxOptions:
+                          properties:
+                            level:
+                              type: string
+                            role:
+                              type: string
+                            type:
+                              type: string
+                            user:
+                              type: string
+                          type: object
+                        seccompProfile:
+                          properties:
+                            localhostProfile:
+                              type: string
+                            type:
+                              type: string
+                          required:
+                          - type
+                          type: object
+                        windowsOptions:
+                          properties:
+                            gmsaCredentialSpec:
+                              type: string
+                            gmsaCredentialSpecName:
+                              type: string
+                            hostProcess:
+                              type: boolean
+                            runAsUserName:
+                              type: string
+                          type: object
+                      type: object
                     labels:
                       additionalProperties:
                         type: string

diff --git a/testing/deploy-tenant-upgrade.sh b/testing/deploy-tenant-upgrade.sh
@@ -135,13 +135,21 @@ function main() {
 
   setup_kind
 
-  if [ -n "$lower_version" ]
+  error=$( {
+    if [ -n "$lower_version" ]
+    then
+      # Test specific version of operator
+      install_operator_version $lower_version
+    else
+      # Test latest release
+      install_operator_version
+    fi
+  } 2>&1 )
+
+  echo "$error"
+  if [ -n "$error" ]
   then
-    # Test specific version of operator
-    install_operator_version $lower_version
-  else
-    # Test latest release
-    install_operator_version
+    install_operator
   fi
 
   install_tenant