CLOUDP-347194 - enable Pod Security Admission at restricted level

MaciejKaras · MaciejKaras · commit 2f9b4eed7557 · 2025-09-24T14:27:21.000+02:00
diff --git a/controllers/operator/construct/database_construction_test.go b/controllers/operator/construct/database_construction_test.go
@@ -45,6 +45,9 @@ func Test_buildDatabaseInitContainer(t *testing.T) {
 		SecurityContext: &corev1.SecurityContext{
 			ReadOnlyRootFilesystem:   ptr.To(true),
 			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 	}
 	assert.Equal(t, expectedContainer, container)
diff --git a/controllers/operator/construct/opsmanager_construction_test.go b/controllers/operator/construct/opsmanager_construction_test.go
@@ -46,6 +46,9 @@ func Test_buildOpsManagerAndBackupInitContainer(t *testing.T) {
 		SecurityContext: &corev1.SecurityContext{
 			ReadOnlyRootFilesystem:   ptr.To(true),
 			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 	}
 	assert.Equal(t, expectedContainer, containerObj)
diff --git a/docker/mongodb-kubernetes-tests/kubetester/__init__.py b/docker/mongodb-kubernetes-tests/kubetester/__init__.py
@@ -273,6 +273,13 @@ def delete_namespace(name: str):
     c = client.CoreV1Api()
     c.delete_namespace(name, body=c.V1DeleteOptions())
 
+def label_namespace(name: str, labels: dict):
+    body = {
+        "metadata": {
+            "labels": labels
+        }
+    }
+    client.CoreV1Api().patch_namespace(name, body)
 
 def get_deployments(namespace: str):
     return client.AppsV1Api().list_namespaced_deployment(namespace)
diff --git a/docker/mongodb-kubernetes-tests/kubetester/helm.py b/docker/mongodb-kubernetes-tests/kubetester/helm.py
@@ -28,7 +28,8 @@ def helm_template(
     args = ("helm", "template", *(command_args), _helm_chart_dir(helm_chart_path))
     logger.info(" ".join(args))
 
-    yaml_file_name = "{}.yaml".format(str(uuid.uuid4()))
+    home = os.getenv("HOME")
+    yaml_file_name = os.path.join(home, "{}.yaml".format(str(uuid.uuid4())))
     with open(yaml_file_name, "w") as output:
         process_run_and_check(" ".join(args), stdout=output, check=True, shell=True)
 
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_sharded_cluster.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_sharded_cluster.py
@@ -6,7 +6,7 @@
     create_or_update_secret,
     get_default_storage_class,
     try_load,
-    wait_until,
+    wait_until, create_or_update_namespace, label_namespace,
 )
 from kubetester.awss3client import AwsS3Client
 from kubetester.kubetester import KubernetesTester, ensure_ent_version
@@ -53,6 +53,12 @@ def ops_manager(
         yaml_fixture("om_ops_manager_backup.yaml"), namespace=namespace
     )
 
+    # Change pod-security mode from warn to enforce. This will make test fail if operator and deployments don't support enforce mode
+    label_namespace(namespace, {
+        "pod-security.kubernetes.io/enforce": None,
+        "pod-security.kubernetes.io/warn": "restricted"
+    })
+
     try_load(resource)
     return resource
 
@@ -235,7 +241,7 @@ def test_om_failed_oplog_no_user_ref(self, ops_manager: MongoDBOpsManager):
         ops_manager.backup_status().assert_reaches_phase(
             Phase.Failed,
             msg_regexp=".*is configured to use SCRAM-SHA authentication mode, the user "
-            "must be specified using 'mongodbUserRef'",
+                       "must be specified using 'mongodbUserRef'",
         )
 
     def test_fix_om(self, ops_manager: MongoDBOpsManager, oplog_user: MongoDBUser):
diff --git a/helm_chart/templates/operator.yaml b/helm_chart/templates/operator.yaml
@@ -36,8 +36,10 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
 {{- end }}
-{{- if .Values.registry.imagePullSecrets}}
+{{- if .Values.registry.imagePullSecrets }}
       imagePullSecrets:
         - name: {{ .Values.registry.imagePullSecrets }}
 {{- end }}
@@ -74,6 +76,13 @@ spec:
             requests:
               cpu: {{ .Values.operator.resources.requests.cpu }}
               memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if not .Values.managedSecurityContext }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          {{- end }}
           env:
             - name: OPERATOR_ENV
               value: {{ .Values.operator.env }}
diff --git a/mongodb-community-operator/pkg/kube/container/containers.go b/mongodb-community-operator/pkg/kube/container/containers.go
@@ -206,5 +206,11 @@ func WithSecurityContext(context corev1.SecurityContext) Modification {
 func DefaultSecurityContext() corev1.SecurityContext {
 	readOnlyRootFilesystem := true
 	allowPrivilegeEscalation := false
-	return corev1.SecurityContext{ReadOnlyRootFilesystem: &readOnlyRootFilesystem, AllowPrivilegeEscalation: &allowPrivilegeEscalation}
+	return corev1.SecurityContext{
+		ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
 }
diff --git a/mongodb-community-operator/pkg/kube/podtemplatespec/podspec_template.go b/mongodb-community-operator/pkg/kube/podtemplatespec/podspec_template.go
@@ -197,7 +197,13 @@ func DefaultPodSecurityContext() corev1.PodSecurityContext {
 	runAsNonRoot := true
 	runAsUser := int64(2000)
 	fsGroup := int64(2000)
-	return corev1.PodSecurityContext{RunAsUser: &runAsUser, RunAsNonRoot: &runAsNonRoot, FSGroup: &fsGroup}
+
+	return corev1.PodSecurityContext{
+		RunAsUser:      &runAsUser,
+		RunAsNonRoot:   &runAsNonRoot,
+		FSGroup:        &fsGroup,
+		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+	}
 }
 
 // WithImagePullSecrets adds an ImagePullSecrets local reference with the given name
diff --git a/mongodb-community-operator/pkg/kube/podtemplatespec/podspec_template_test.go b/mongodb-community-operator/pkg/kube/podtemplatespec/podspec_template_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/ptr"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -441,6 +442,12 @@ func TestMergeContainer(t *testing.T) {
 			},
 		},
 		ReadinessProbe: otherDefaultContainer.ReadinessProbe,
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		},
 	}
 	assert.Equal(t, secondExpected, mergedSpec.Spec.Containers[2])
 }
diff --git a/mongodb-community-operator/scripts/dev/e2e.py b/mongodb-community-operator/scripts/dev/e2e.py
@@ -45,7 +45,9 @@ def _prepare_test_environment(namespace) -> None:
 
     print("Creating Namespace")
     k8s_conditions.ignore_if_already_exists(
-        lambda: corev1.create_namespace(client.V1Namespace(metadata=dict(name=namespace)))
+        lambda: corev1.create_namespace(
+            client.V1Namespace(metadata=dict(name=namespace, labels={"pod-security.kubernetes.io/warn": "restricted"}))
+        )
     )
 
     print("Creating Cluster Role Binding and Service Account for test pod")
diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml
@@ -329,6 +329,8 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: mongodb-kubernetes-operator-multi-cluster
           image: "quay.io/mongodb/mongodb-kubernetes:1.4.0"
@@ -353,6 +355,11 @@ spec:
             requests:
               cpu: 500m
               memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: OPERATOR_ENV
               value: prod
diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml
@@ -329,6 +329,8 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: mongodb-kubernetes-operator
           image: "quay.io/mongodb/mongodb-kubernetes:1.4.0"
@@ -349,6 +351,11 @@ spec:
             requests:
               cpu: 500m
               memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: OPERATOR_ENV
               value: prod
diff --git a/scripts/evergreen/deployments/test-app/templates/mongodb-enterprise-tests.yaml b/scripts/evergreen/deployments/test-app/templates/mongodb-enterprise-tests.yaml
@@ -42,6 +42,8 @@ spec:
       emptyDir: { }
     - name: diagnostics
       emptyDir: { }
+    - name: tests-home-dir
+      emptyDir: { }
   {{ if .Values.multiCluster.memberClusters }}
     - name: kube-config-volume
       secret:
@@ -52,6 +54,12 @@ spec:
         defaultMode: 420
         secretName: test-pod-multi-cluster-config
   {{ end }}
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - image: public.ecr.aws/docker/library/busybox:1.37.0
     name: keepalive
@@ -61,6 +69,11 @@ spec:
         mountPath: /tmp/results
       - name: diagnostics
         mountPath: /tmp/diagnostics
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
   - name: mongodb-enterprise-operator-tests
     env:
     # OTEL env vars can either be used to construct custom spans or are used by pytest opentelemetry dynamic instrumentation
@@ -190,6 +203,9 @@ spec:
       value: {{ .Values.cognito_workload_url }}
     - name: cognito_workload_user_id
       value: {{ .Values.cognito_workload_user_id }}
+    # Used by helm to create .config and .cache directories. Also used by some tests that need to write files.
+    - name: HOME
+      value: /home/tests-home
     image: {{ .Values.repo }}/mongodb-kubernetes-tests:{{ .Values.tag }}
     # Options to pytest command should go in the pytest.ini file.
     command: ["pytest"]
@@ -206,9 +222,16 @@ spec:
         mountPath: /tmp/results
       - name: diagnostics
         mountPath: /tmp/diagnostics
+      - name: tests-home-dir
+        mountPath: /home/tests-home
     {{ if .Values.multiCluster.memberClusters }}
       - mountPath: /etc/config
         name: kube-config-volume
       - mountPath: /etc/multicluster
         name: multi-cluster-config
     {{ end }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
diff --git a/scripts/funcs/kubernetes b/scripts/funcs/kubernetes
@@ -17,6 +17,7 @@ metadata:
   name: ${namespace}
   labels:
     evg: task
+    pod-security.kubernetes.io/warn: "restricted"
   annotations:
     evg/version: "https://evergreen.mongodb.com/version/${version_id:-'not-specified'}"
     evg/task-name: ${TASK_NAME:-'not-specified'}
@@ -98,15 +99,15 @@ create_image_registries_secret() {
     context=$1
     namespace=$2
     secret_name=$3
-    
+
     # Detect the correct config file path based on container runtime
     local config_file
     local temp_config_file=""
     if command -v podman &> /dev/null && (podman info &> /dev/null || sudo podman info &> /dev/null); then
       # For Podman, use root's auth.json since minikube uses sudo podman
       config_file="/root/.config/containers/auth.json"
       echo "Using Podman config: ${config_file}"
-      
+
       # Create a temporary copy that the current user can read
       temp_config_file=$(mktemp)
       sudo cp "${config_file}" "${temp_config_file}"
@@ -117,7 +118,7 @@ create_image_registries_secret() {
       config_file="${HOME}/.docker/config.json"
       echo "Using Docker config: ${config_file}"
     fi
-    
+
     # shellcheck disable=SC2154
     if kubectl --context "${context}" get namespace "${namespace}"; then
       kubectl --context "${context}" -n "${namespace}" delete secret "${secret_name}" --ignore-not-found
@@ -127,7 +128,7 @@ create_image_registries_secret() {
     else
       echo "Skipping creating pull secret in ${context}/${namespace}. The namespace doesn't exist yet."
     fi
-    
+
     # Clean up temporary file
     if [[ -n "${temp_config_file}" ]] && [[ -f "${temp_config_file}" ]]; then
       rm -f "${temp_config_file}"

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,9 @@ def _prepare_test_environment(namespace) -> None:`
`45`	`45`
`46`	`46`	`print("Creating Namespace")`
`47`	`47`	`k8s_conditions.ignore_if_already_exists(`
`48`		`- lambda: corev1.create_namespace(client.V1Namespace(metadata=dict(name=namespace)))`
	`48`	`+ lambda: corev1.create_namespace(`
	`49`	`+ client.V1Namespace(metadata=dict(name=namespace, labels={"pod-security.kubernetes.io/warn": "restricted"}))`
	`50`	`+ )`
`49`	`51`	`)`
`50`	`52`
`51`	`53`	`print("Creating Cluster Role Binding and Service Account for test pod")`