mongodb · MaciejKaras · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025
@@ -0,0 +1,14 @@
+---
+kind: fix
+date: 2025-09-24
+---
+
+* To follow the [Pod Security Standards](https://v1-32.docs.kubernetes.io/docs/concepts/security/pod-security-standards/) more secure default pod `securityContext` settings were added.
+
+  Operator deployment `securityContext` settings that have changed:
+   - `allowPrivilegeEscalation: false`
+   - `capabilities.drop: [ ALL ]`
+   - `seccompProfile.type: RuntimeDefault`
+
+  Other workloads:
+   - `capabilities.drop: [ ALL ]`
@@ -45,6 +45,9 @@ func Test_buildDatabaseInitContainer(t *testing.T) {
 		SecurityContext: &corev1.SecurityContext{
 			ReadOnlyRootFilesystem:   ptr.To(true),
 			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
 func WithDefaultSecurityContextsModifications() (Modification, container.Modification) { 
 	managedSecurityContext := envvar.ReadBool(ManagedSecurityContextEnv) // nolint:forbidigo 
 	configureContainerSecurityContext := container.NOOP() 
 	configurePodSpecSecurityContext := NOOP() 
 	if !managedSecurityContext { 
 		configurePodSpecSecurityContext = WithSecurityContext(DefaultPodSecurityContext()) 
 		configureContainerSecurityContext = container.WithSecurityContext(container.DefaultSecurityContext()) 
 	} 
 	return configurePodSpecSecurityContext, configureContainerSecurityContext 
 } 
 func WithDefaultSecurityContextsModifications() (Modification, container.Modification) { 
 	managedSecurityContext := envvar.ReadBool(ManagedSecurityContextEnv) // nolint:forbidigo 
 	configureContainerSecurityContext := container.NOOP() 
 	configurePodSpecSecurityContext := NOOP() 
 	if !managedSecurityContext { 
 		configurePodSpecSecurityContext = WithSecurityContext(DefaultPodSecurityContext()) 
 		configureContainerSecurityContext = container.WithSecurityContext(container.DefaultSecurityContext()) 
 	} 
  
 	return configurePodSpecSecurityContext, configureContainerSecurityContext 
 } 
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 	}
 	assert.Equal(t, expectedContainer, container)

@@ -46,6 +46,9 @@ func Test_buildOpsManagerAndBackupInitContainer(t *testing.T) {
 		SecurityContext: &corev1.SecurityContext{
 			ReadOnlyRootFilesystem:   ptr.To(true),
 			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 	}
 	assert.Equal(t, expectedContainer, containerObj)

@@ -274,6 +274,11 @@ def delete_namespace(name: str):
     c.delete_namespace(name, body=c.V1DeleteOptions())
 
 
+def label_namespace(name: str, labels: dict):
+    body = {"metadata": {"labels": labels}}
+    client.CoreV1Api().patch_namespace(name, body)
+
+
 def get_deployments(namespace: str):
     return client.AppsV1Api().list_namespaced_deployment(namespace)
 

@@ -28,7 +28,8 @@ def helm_template(
     args = ("helm", "template", *(command_args), _helm_chart_dir(helm_chart_path))
     logger.info(" ".join(args))
 
-    yaml_file_name = "{}.yaml".format(str(uuid.uuid4()))
+    home = os.getenv("HOME")
+    yaml_file_name = os.path.join(home, "{}.yaml".format(str(uuid.uuid4())))
     with open(yaml_file_name, "w") as output:
         process_run_and_check(" ".join(args), stdout=output, check=True, shell=True)
 

@@ -5,6 +5,7 @@
 from kubetester import (
     create_or_update_secret,
     get_default_storage_class,
+    label_namespace,
     try_load,
     wait_until,
 )
@@ -42,15 +43,25 @@ def s3_bucket(aws_s3_client: AwsS3Client, namespace: str) -> str:
     yield from create_s3_bucket(aws_s3_client, "test-bucket-sharded-")
 
 
+@fixture(scope="module")
+def enforced_pss_namespace(namespace: str) -> str:
+    # Change pod-security mode from warn to enforce. This will make test fail if operator and deployments don't support enforce mode
+    # This will not work in multi-cluster, because Istio injects sidecar and that breaks restricted level
+    if not is_multi_cluster():
+        label_namespace(namespace, {"pod-security.kubernetes.io/enforce": "restricted"})
+
+    return namespace
+
+
 @fixture(scope="module")
 def ops_manager(
-    namespace: str,
+    enforced_pss_namespace: str,
     s3_bucket: str,
     custom_version: Optional[str],
     custom_appdb_version: str,
 ) -> MongoDBOpsManager:
     resource: MongoDBOpsManager = MongoDBOpsManager.from_yaml(
-        yaml_fixture("om_ops_manager_backup.yaml"), namespace=namespace
+        yaml_fixture("om_ops_manager_backup.yaml"), namespace=enforced_pss_namespace
     )
 
     try_load(resource)

diff --git a/helm_chart/templates/operator.yaml b/helm_chart/templates/operator.yaml
@@ -36,8 +36,10 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
 {{- end }}
-{{- if .Values.registry.imagePullSecrets}}
+{{- if .Values.registry.imagePullSecrets }}
       imagePullSecrets:
         - name: {{ .Values.registry.imagePullSecrets }}
 {{- end }}
@@ -74,6 +76,13 @@ spec:
             requests:
               cpu: {{ .Values.operator.resources.requests.cpu }}
               memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if not .Values.managedSecurityContext }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          {{- end }}
           env:
             - name: OPERATOR_ENV
               value: {{ .Values.operator.env }}

@@ -206,5 +206,11 @@ func WithSecurityContext(context corev1.SecurityContext) Modification {
 func DefaultSecurityContext() corev1.SecurityContext {
 	readOnlyRootFilesystem := true
 	allowPrivilegeEscalation := false
-	return corev1.SecurityContext{ReadOnlyRootFilesystem: &readOnlyRootFilesystem, AllowPrivilegeEscalation: &allowPrivilegeEscalation}
+	return corev1.SecurityContext{
+		ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
 }
@@ -197,7 +197,13 @@ func DefaultPodSecurityContext() corev1.PodSecurityContext {
 	runAsNonRoot := true
 	runAsUser := int64(2000)
 	fsGroup := int64(2000)
-	return corev1.PodSecurityContext{RunAsUser: &runAsUser, RunAsNonRoot: &runAsNonRoot, FSGroup: &fsGroup}
+
+	return corev1.PodSecurityContext{
+		RunAsUser:      &runAsUser,
+		RunAsNonRoot:   &runAsNonRoot,
+		FSGroup:        &fsGroup,
+		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+	}
 }
 
 // WithImagePullSecrets adds an ImagePullSecrets local reference with the given name

@@ -45,7 +45,9 @@ def _prepare_test_environment(namespace) -> None:
 
     print("Creating Namespace")
     k8s_conditions.ignore_if_already_exists(
-        lambda: corev1.create_namespace(client.V1Namespace(metadata=dict(name=namespace)))
+        lambda: corev1.create_namespace(
+            client.V1Namespace(metadata=dict(name=namespace, labels={"pod-security.kubernetes.io/warn": "restricted"}))
+        )
     )
 
     print("Creating Cluster Role Binding and Service Account for test pod")

@@ -329,6 +329,8 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: mongodb-kubernetes-operator-multi-cluster
           image: "quay.io/mongodb/mongodb-kubernetes:1.4.0"
@@ -353,6 +355,11 @@ spec:
             requests:
               cpu: 500m
               memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: OPERATOR_ENV
               value: prod

@@ -329,6 +329,8 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: mongodb-kubernetes-operator
           image: "quay.io/mongodb/mongodb-kubernetes:1.4.0"
@@ -349,6 +351,11 @@ spec:
             requests:
               cpu: 500m
               memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: OPERATOR_ENV
               value: prod

@@ -42,6 +42,8 @@ spec:
       emptyDir: { }
     - name: diagnostics
       emptyDir: { }
+    - name: tests-home-dir
+      emptyDir: { }
   {{ if .Values.multiCluster.memberClusters }}
     - name: kube-config-volume
       secret:
@@ -52,6 +54,12 @@ spec:
         defaultMode: 420
         secretName: test-pod-multi-cluster-config
   {{ end }}
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - image: public.ecr.aws/docker/library/busybox:1.37.0
     name: keepalive
@@ -61,6 +69,11 @@ spec:
         mountPath: /tmp/results
       - name: diagnostics
         mountPath: /tmp/diagnostics
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
   - name: mongodb-enterprise-operator-tests
     env:
     # OTEL env vars can either be used to construct custom spans or are used by pytest opentelemetry dynamic instrumentation
@@ -190,6 +203,9 @@ spec:
       value: {{ .Values.cognito_workload_url }}
     - name: cognito_workload_user_id
       value: {{ .Values.cognito_workload_user_id }}
+    # Used by helm to create .config and .cache directories. Also used by some tests that need to write files.
+    - name: HOME
+      value: /home/tests-home
     image: {{ .Values.repo }}/mongodb-kubernetes-tests:{{ .Values.tag }}
     # Options to pytest command should go in the pytest.ini file.
     command: ["pytest"]
@@ -206,9 +222,16 @@ spec:
         mountPath: /tmp/results
       - name: diagnostics
         mountPath: /tmp/diagnostics
+      - name: tests-home-dir
+        mountPath: /home/tests-home
     {{ if .Values.multiCluster.memberClusters }}
       - mountPath: /etc/config
         name: kube-config-volume
       - mountPath: /etc/multicluster
         name: multi-cluster-config
     {{ end }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
@@ -17,6 +17,7 @@ metadata:
   name: ${namespace}
   labels:
     evg: task
+    pod-security.kubernetes.io/warn: "restricted"
   annotations:
     evg/version: "https://evergreen.mongodb.com/version/${version_id:-'not-specified'}"
     evg/task-name: ${TASK_NAME:-'not-specified'}
@@ -98,15 +99,15 @@ create_image_registries_secret() {
     context=$1
     namespace=$2
     secret_name=$3
-    
+
     # Detect the correct config file path based on container runtime
     local config_file
     local temp_config_file=""
     if command -v podman &> /dev/null && (podman info &> /dev/null || sudo podman info &> /dev/null); then
       # For Podman, use root's auth.json since minikube uses sudo podman
       config_file="/root/.config/containers/auth.json"
       echo "Using Podman config: ${config_file}"
-      
+
       # Create a temporary copy that the current user can read
       temp_config_file=$(mktemp)
       sudo cp "${config_file}" "${temp_config_file}"
@@ -117,7 +118,7 @@ create_image_registries_secret() {
       config_file="${HOME}/.docker/config.json"
       echo "Using Docker config: ${config_file}"
     fi
-    
+
     # shellcheck disable=SC2154
     if kubectl --context "${context}" get namespace "${namespace}"; then
       kubectl --context "${context}" -n "${namespace}" delete secret "${secret_name}" --ignore-not-found
@@ -127,7 +128,7 @@ create_image_registries_secret() {
     else
       echo "Skipping creating pull secret in ${context}/${namespace}. The namespace doesn't exist yet."
     fi
-    
+
     # Clean up temporary file
     if [[ -n "${temp_config_file}" ]] && [[ -f "${temp_config_file}" ]]; then
       rm -f "${temp_config_file}"