Security context by Schmaetz · Pull Request #88 · cybertec-postgresql/CYBERTEC-pg-operator

Schmaetz · 2025-09-05T08:43:06Z

Preparation for SecurityContext modifications.

Step 1 included here: postgres-exporter sidecar, initcontainer and backup-job-container ready for ReadOnlyRootFilesystem: true

Modifications for postgres-pod and pgbackrest-repo host will follow in step 2 including cleanup and removing compatibility-code

…eadOnlyRootFilesystem-parameter

…m True - exporter changed to ReadOnlyRootFilesystem=true

…for nss_wrapper - cleanup

ants · 2025-10-09T09:48:30Z

+		FailureThreshold: 6,
+		ProbeHandler: v1.ProbeHandler{
+			HTTPGet: &v1.HTTPGetAction{
+				Path:   "/health",


The correct endpoint is /liveness. This checks that Patroni is working, but ignores postgres. Checking /health will break during maintenance mode, upgrade and if starting postgres takes too long.

fixed with a7fee6f

ants · 2025-10-09T10:02:19Z

+	// 		},
+	// 		TargetContainers: []string{"postgres-exporter"},
+	// 	})
+	// }


addEmptyDirVolume() handles this, so this can be cleaned up.

fixed with 04f8519

Schmaetz added 6 commits September 3, 2025 20:47

added liveness probe for postgres-container

292353f

add SecuityContext for Monitoring-Sidecar

a149991

prepare for ReadOnlyRootFilesystem - add /tmp & /run emptyDir - add R…

82cfc2a

…eadOnlyRootFilesystem-parameter

add func for emptyDir-Volumes - preparation for ReadOnlyRootFilesyste…

afb7aff

…m True - exporter changed to ReadOnlyRootFilesystem=true

modifications for ReadOnlyRootFilesystem

03305a2

change pgbackrest jobs to readOnlyRootFilesystem:true

b8f098e

Schmaetz requested a review from ants September 5, 2025 08:43

Schmaetz added 4 commits September 5, 2025 10:51

use emptyDir for /run - preparation for ReadOnlyRootFilesystem:true

93d3fae

add tmp for postgres-container if ReadOnlyRootFilesystem=true

63e1183

correct wrong changes

1e686eb

add ReadOnlyRootFilesystem for postgres container and add needed env …

6ede073

…for nss_wrapper - cleanup

ants reviewed Oct 9, 2025

View reviewed changes

Schmaetz added 2 commits October 9, 2025 14:05

change LivenessProbe to patroni /liveness api-endpoint

a7fee6f

cleanup old code

04f8519

Schmaetz changed the base branch from main to release-candidate October 10, 2025 08:41

Schmaetz merged commit 6568409 into release-candidate Oct 10, 2025
0 of 2 checks passed

Schmaetz deleted the securityContext branch October 10, 2025 08:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security context#88

Security context#88
Schmaetz merged 12 commits intorelease-candidatefrom
securityContext

Schmaetz commented Sep 5, 2025

Uh oh!

ants Oct 9, 2025

Uh oh!

Schmaetz Oct 9, 2025 •

edited

Loading

Uh oh!

ants Oct 9, 2025

Uh oh!

Schmaetz Oct 9, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Schmaetz commented Sep 5, 2025

Uh oh!

ants Oct 9, 2025

Choose a reason for hiding this comment

Uh oh!

Schmaetz Oct 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ants Oct 9, 2025

Choose a reason for hiding this comment

Uh oh!

Schmaetz Oct 9, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Schmaetz Oct 9, 2025 •

edited

Loading