Add webhook to prevent setting of runAsUser as root (vertica#565)

Vertica cannot run if the user is root (uid == 0). This adds a webhook preventing that setting from even being set.
rs-vertica · Oct 31, 2023 · 33f24b7 · 33f24b7
1 parent 4eac224
commit 33f24b7
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/api/v1/verticadb_webhook.go b/api/v1/verticadb_webhook.go
@@ -170,6 +170,7 @@ func (v *VerticaDB) validateVerticaDBSpec() field.ErrorList {
 	allErrs = v.validateLocalStorage(allErrs)
 	allErrs = v.hasValidShardCount(allErrs)
 	allErrs = v.hasValidProbeOverrides(allErrs)
+	allErrs = v.hasValidPodSecurityContext(allErrs)
 	if len(allErrs) == 0 {
 		return nil
 	}
@@ -810,6 +811,22 @@ func (v *VerticaDB) hasValidProbeOverrides(allErrs field.ErrorList) field.ErrorL
 	return allErrs
 }
 
+func (v *VerticaDB) hasValidPodSecurityContext(allErrs field.ErrorList) field.ErrorList {
+	if v.Spec.PodSecurityContext == nil {
+		return allErrs
+	}
+
+	const RootUIDVal = 0
+	rootUID := int64(RootUIDVal)
+	if v.Spec.PodSecurityContext.RunAsUser != nil && *v.Spec.PodSecurityContext.RunAsUser == rootUID {
+		err := field.Invalid(field.NewPath("spec").Child("podSecurityContext").Child("runAsUser"),
+			v.Spec.PodSecurityContext.RunAsUser,
+			"cannot run vertica pods as root (uid == 0)")
+		allErrs = append(allErrs, err)
+	}
+	return allErrs
+}
+
 func (v *VerticaDB) hasValidProbeOverride(allErrs field.ErrorList, fieldPath *field.Path, probe *v1.Probe) field.ErrorList {
 	if probe == nil {
 		return allErrs

diff --git a/api/v1/verticadb_webhook_test.go b/api/v1/verticadb_webhook_test.go
@@ -824,6 +824,20 @@ var _ = Describe("verticadb_webhook", func() {
 		allErrs = newVdb.validateImmutableFields(oldVdb)
 		Ω(allErrs).ShouldNot(HaveLen(0))
 	})
+
+	It("should not allow setting of runAsUser as root", func() {
+		oldVdb := MakeVDB()
+		runAsUser := int64(0)
+		oldVdb.Spec.PodSecurityContext = &v1.PodSecurityContext{
+			RunAsUser: &runAsUser,
+		}
+		allErrs := oldVdb.validateVerticaDBSpec()
+		Ω(allErrs).ShouldNot(HaveLen(0))
+
+		runAsUser++ // Make it non-root
+		allErrs = oldVdb.validateVerticaDBSpec()
+		Ω(allErrs).Should(HaveLen(0))
+	})
 })
 
 func createVDBHelper() *VerticaDB {