removed init container for Postgres DB pod

* The init container was used to workaround an issue with hugepages which seems to be solved. * After removing it, there is no need for privileged container and for DB scc Signed-off-by: Danny Zaken <[email protected]>
dannyzaken · Mar 5, 2024 · 91e88a8 · 91e88a8
1 parent 75a9c13
commit 91e88a8
Show file tree

Hide file tree

Showing 5 changed files with 124 additions and 220 deletions.
diff --git a/deploy/internal/statefulset-db.yaml b/deploy/internal/statefulset-db.yaml
@@ -21,36 +21,36 @@ spec:
       serviceAccountName: noobaa-db
       terminationGracePeriodSeconds: 60
       containers:
-      #--------------------#
-      # DATABASE CONTAINER #
-      #--------------------#
-      - name: db
-        image: NOOBAA_DB_IMAGE
-        command:
-        - bash
-        - -c
-        - /opt/rh/rh-mongodb36/root/usr/bin/mongod --port 27017 --bind_ip_all --dbpath /data/mongo/cluster/shard1
-        resources:
-          requests:
-            cpu: "2"
-            memory: "4Gi"
-          limits:
-            cpu: "2"
-            memory: "4Gi"
-        volumeMounts:
+        #--------------------#
+        # DATABASE CONTAINER #
+        #--------------------#
         - name: db
-          mountPath: /data
-      securityContext: 
+          image: NOOBAA_DB_IMAGE
+          command:
+            - bash
+            - -c
+            - /opt/rh/rh-mongodb36/root/usr/bin/mongod --port 27017 --bind_ip_all --dbpath /data/mongo/cluster/shard1
+          resources:
+            requests:
+              cpu: "2"
+              memory: "4Gi"
+            limits:
+              cpu: "2"
+              memory: "4Gi"
+          volumeMounts:
+            - name: db
+              mountPath: /data
+      securityContext:
         runAsUser: 10001
         runAsGroup: 0
   volumeClaimTemplates:
-  - metadata:
-      name: db
-      labels:
-        app: noobaa
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 50Gi
+    - metadata:
+        name: db
+        labels:
+          app: noobaa
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 50Gi
diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
@@ -19,92 +19,50 @@ spec:
         noobaa-db: postgres
     spec:
       serviceAccountName: noobaa-db
-      initContainers:
-      #-----------------#
-      # INIT CONTAINERS #
-      #-----------------#
-      - name: initialize-database
-        image: NOOBAA_DB_IMAGE
-        env:
-          - name: POSTGRESQL_DATABASE
-            value: nbcore
-          - name: LC_COLLATE
-            value: C
-          - name: POSTGRESQL_USER
-            valueFrom:
-              secretKeyRef:
-                key: user
-                name: noobaa-db
-          - name: POSTGRESQL_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                key: password
-                name: noobaa-db
-        command:
-        - sh
-        - -x
-        - /init/initdb.sh
-        securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-        resources:
-          requests:
-            cpu: "500m"
-            memory: "500Mi"
-          limits:
-            cpu: "500m"
-            memory: "500Mi"
-        volumeMounts:
-        - name: db
-          mountPath: /var/lib/pgsql
-        - name: noobaa-postgres-initdb-sh-volume
-          mountPath: /init
       containers:
-      #--------------------#
-      # Postgres CONTAINER #
-      #--------------------#
-      - name: db
-        image: NOOBAA_DB_IMAGE
-        env:
-          - name: POSTGRESQL_DATABASE
-            value: nbcore
-          - name: LC_COLLATE
-            value: C
-          - name: POSTGRESQL_USER
-            valueFrom:
-              secretKeyRef:
-                key: user
-                name: noobaa-db
-          - name: POSTGRESQL_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                key: password
-                name: noobaa-db
-        imagePullPolicy: "IfNotPresent"
-        ports:
-          - containerPort: 5432
-        resources:
-          requests:
-            cpu: "500m"
-            memory: "4Gi"
-          limits:
-            cpu: "500m"
-            memory: "4Gi"
-        volumeMounts:
-          - name: db
-            mountPath: /var/lib/pgsql
-          - name: noobaa-postgres-config-volume
-            mountPath: /opt/app-root/src/postgresql-cfg
-          - name: noobaa-postgres-initdb-sh-volume
-            mountPath: /init
+        #--------------------#
+        # Postgres CONTAINER #
+        #--------------------#
+        - name: db
+          image: NOOBAA_DB_IMAGE
+          env:
+            - name: POSTGRESQL_DATABASE
+              value: nbcore
+            - name: LC_COLLATE
+              value: C
+            - name: POSTGRESQL_USER
+              valueFrom:
+                secretKeyRef:
+                  key: user
+                  name: noobaa-db
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: noobaa-db
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - containerPort: 5432
+          resources:
+            requests:
+              cpu: "500m"
+              memory: "4Gi"
+            limits:
+              cpu: "500m"
+              memory: "4Gi"
+          volumeMounts:
+            - name: db
+              mountPath: /var/lib/pgsql
+            - name: noobaa-postgres-config-volume
+              mountPath: /opt/app-root/src/postgresql-cfg
       volumes:
-      - name: noobaa-postgres-config-volume
-        configMap:
-          name: noobaa-postgres-config
-      - name: noobaa-postgres-initdb-sh-volume
-        configMap:
-          name: noobaa-postgres-initdb-sh
-      securityContext: 
+        - name: noobaa-postgres-config-volume
+          configMap:
+            name: noobaa-postgres-config
+        - name: noobaa-postgres-initdb-sh-volume
+          configMap:
+            name: noobaa-postgres-initdb-sh
+      securityContext:
         runAsUser: 10001
         runAsGroup: 0
         fsGroup: 0

diff --git a/deploy/role_db.yaml b/deploy/role_db.yaml
@@ -3,11 +3,11 @@ kind: Role
 metadata:
   name: noobaa-db
 rules:
-- apiGroups:
-  - security.openshift.io
-  resourceNames:
-  - noobaa-db
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - use
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - noobaa-db
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
diff --git a/deploy/scc_db.yaml b/deploy/scc_db.yaml
@@ -2,17 +2,14 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: noobaa-db
-allowPrivilegeEscalation: true
+allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
-allowedCapabilities:
-- SETUID
-- SETGID
 fsGroup:
   type: RunAsAny
 runAsUser: