diff --git a/operatorapi/tenants_helper.go b/operatorapi/tenants_helper.go index 48c3fefff..9f6e34e9c 100644 --- a/operatorapi/tenants_helper.go +++ b/operatorapi/tenants_helper.go @@ -58,11 +58,14 @@ func convertModelSCToK8sSC(sc *models.SecurityContext) (*corev1.PodSecurityConte if err != nil { return nil, err } + FSGroupChangePolicy := corev1.PodFSGroupChangePolicy(sc.FsGroupChangePolicy) + return &corev1.PodSecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - RunAsNonRoot: sc.RunAsNonRoot, - FSGroup: &fsGroup, + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + RunAsNonRoot: sc.RunAsNonRoot, + FSGroup: &fsGroup, + FSGroupChangePolicy: &FSGroupChangePolicy, }, nil } @@ -71,11 +74,18 @@ func convertK8sSCToModelSC(sc *corev1.PodSecurityContext) *models.SecurityContex runAsUser := strconv.FormatInt(*sc.RunAsUser, 10) runAsGroup := strconv.FormatInt(*sc.RunAsGroup, 10) fsGroup := strconv.FormatInt(*sc.FSGroup, 10) + fsGroupPolicy := "" + + if sc.FSGroupChangePolicy != nil { + fsGroupPolicy = string(*sc.FSGroupChangePolicy) + } + return &models.SecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - RunAsNonRoot: sc.RunAsNonRoot, - FsGroup: fsGroup, + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + RunAsNonRoot: sc.RunAsNonRoot, + FsGroup: fsGroup, + FsGroupChangePolicy: fsGroupPolicy, } } diff --git a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigLogSearch.tsx b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigLogSearch.tsx index c4ae30c05..e621a2063 100644 --- a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigLogSearch.tsx +++ b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigLogSearch.tsx @@ -400,6 +400,13 @@ const ConfigLogSearch = ({ classes }: IConfigureProps) => { min="0" /> + + +
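Review bot: In `convertModelSCToK8sSC`, `sc.FsGroupChangePolicy` is cast straight to `corev1.PodFSGroupChangePolicy` and its address is always stored, so a request that omits the field yields a pointer to an empty string instead of nil, and any other string passes through unchecked. Kubernetes accepts only `Always` and `OnRootMismatch` for this field, so I would expect such a spec to be rejected later, far from the request that caused it (inferred; the downstream validation is not in this diff). Leaving the pointer nil for an empty value and returning an error for anything else keeps bad input at the API boundary, and the local should be lower-case like `runAsUser` and `fsGroup` beside it. The function body starts above this hunk, and whether `fmt` is already imported is not visible here.

```go
// … unchanged: runAsUser / runAsGroup / fsGroup parsing …
var fsGroupChangePolicy *corev1.PodFSGroupChangePolicy
switch policy := corev1.PodFSGroupChangePolicy(sc.FsGroupChangePolicy); policy {
case "":
	// not set by the client: leave nil so the cluster default applies
case corev1.FSGroupChangeAlways, corev1.FSGroupChangeOnRootMismatch:
	fsGroupChangePolicy = &policy
default:
	return nil, fmt.Errorf("unsupported fsGroupChangePolicy %q", sc.FsGroupChangePolicy)
}

return &corev1.PodSecurityContext{
	// … unchanged: RunAsUser, RunAsGroup, RunAsNonRoot, FSGroup …
	FSGroupChangePolicy: fsGroupChangePolicy,
}, nil
```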
+ +
{ min="0" />
+
+ ) => { + updateField("logSearchSecurityContext", { + ...logSearchSecurityContext, + fsGroupChangePolicy: e.target.value, + }); + }} + options={[ + { + label: "Always", + value: "Always", + }, + { + label: "OnRootMismatch", + value: "OnRootMismatch", + }, + ]} + /> +
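Review bot: The two-entry `options` array (`Always`, `OnRootMismatch`) is written out inline in this select and again in the selects added for `logSearchPostgresSecurityContext`, `prometheusSecurityContext`, `tenantSecurityContext` and `kesSecurityContext`, so the values the UI offers can drift from the union declared in `types.ts` and from what the API accepts. A single shared constant imported by each step, for example `export const fsGroupChangePolicyOptions = [{ label: "Always", value: "Always" }, { label: "OnRootMismatch", value: "OnRootMismatch" }];`, would keep them in one place. The handler also stores `e.target.value` as-is, and that is a plain string, so the union type is not enforced at this point. The surrounding JSX is only partly visible in this hunk.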

@@ -500,6 +531,13 @@ const ConfigLogSearch = ({ classes }: IConfigureProps) => { min="0" /> + + +
+ +
{ min="0" />
+
+ ) => { + updateField("logSearchPostgresSecurityContext", { + ...logSearchPostgresSecurityContext, + fsGroupChangePolicy: e.target.value, + }); + }} + options={[ + { + label: "Always", + value: "Always", + }, + { + label: "OnRootMismatch", + value: "OnRootMismatch", + }, + ]} + /> +

diff --git a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigPrometheus.tsx b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigPrometheus.tsx index 22d84ed43..8e6454a72 100644 --- a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigPrometheus.tsx +++ b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/ConfigPrometheus.tsx @@ -368,6 +368,13 @@ const ConfigPrometheus = ({ classes }: IConfigureProps) => { min="0" /> + + +
+ +
{ min="0" />
+
+ ) => { + updateField("prometheusSecurityContext", { + ...prometheusSecurityContext, + fsGroupChangePolicy: e.target.value, + }); + }} + options={[ + { + label: "Always", + value: "Always", + }, + { + label: "OnRootMismatch", + value: "OnRootMismatch", + }, + ]} + /> +
+
{ min="0" />
+ +
+
+ +
{ min="0" />
+
+
+ ) => { + updateField("tenantSecurityContext", { + ...tenantSecurityContext, + fsGroupChangePolicy: e.target.value, + }); + }} + options={[ + { + label: "Always", + value: "Always", + }, + { + label: "OnRootMismatch", + value: "OnRootMismatch", + }, + ]} + /> +
+

diff --git a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption.tsx b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption.tsx index 99fc88f5c..da8484a0b 100644 --- a/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption.tsx +++ b/portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption.tsx @@ -19,7 +19,7 @@ import { useSelector } from "react-redux"; import { Theme } from "@mui/material/styles"; import createStyles from "@mui/styles/createStyles"; import withStyles from "@mui/styles/withStyles"; -import { Paper } from "@mui/material"; +import { Paper, SelectChangeEvent } from "@mui/material"; import Grid from "@mui/material/Grid"; import { @@ -50,6 +50,7 @@ import AzureKMSAdd from "./Encryption/AzureKMSAdd"; import GCPKMSAdd from "./Encryption/GCPKMSAdd"; import GemaltoKMSAdd from "./Encryption/GemaltoKMSAdd"; import AWSKMSAdd from "./Encryption/AWSKMSAdd"; +import SelectWrapper from "../../../Common/FormComponents/SelectWrapper/SelectWrapper"; interface IEncryptionProps { classes: any; @@ -525,6 +526,13 @@ const Encryption = ({ classes }: IEncryptionProps) => { min="0" /> + + +
+ +
@@ -548,6 +556,32 @@ const Encryption = ({ classes }: IEncryptionProps) => { min="0" />
+
+ ) => { + updateField("kesSecurityContext", { + ...kesSecurityContext, + fsGroupChangePolicy: e.target.value, + }); + }} + options={[ + { + label: "Always", + value: "Always", + }, + { + label: "OnRootMismatch", + value: "OnRootMismatch", + }, + ]} + /> +

diff --git a/portal-ui/src/screens/Console/Tenants/AddTenant/createTenantSlice.ts b/portal-ui/src/screens/Console/Tenants/AddTenant/createTenantSlice.ts index d7d522e53..b973f0cde 100644 --- a/portal-ui/src/screens/Console/Tenants/AddTenant/createTenantSlice.ts +++ b/portal-ui/src/screens/Console/Tenants/AddTenant/createTenantSlice.ts @@ -125,24 +125,28 @@ const initialState: ICreateTenant = { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, logSearchSecurityContext: { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, logSearchPostgresSecurityContext: { runAsUser: "999", runAsGroup: "999", fsGroup: "999", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, prometheusSecurityContext: { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, }, @@ -212,6 +216,7 @@ const initialState: ICreateTenant = { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, }, diff --git a/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/AddPool/addPoolSlice.ts b/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/AddPool/addPoolSlice.ts index b5b4fd47f..72a52689e 100644 --- a/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/AddPool/addPoolSlice.ts +++ b/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/AddPool/addPoolSlice.ts @@ -68,6 +68,7 @@ const initialState: IAddPool = { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, }, diff --git a/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/EditPool/editPoolSlice.ts b/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/EditPool/editPoolSlice.ts index 03f90276e..a376f5a34 100644 --- a/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/EditPool/editPoolSlice.ts 
+++ b/portal-ui/src/screens/Console/Tenants/TenantDetails/Pools/EditPool/editPoolSlice.ts @@ -50,6 +50,7 @@ const initialState: IEditPool = { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: true, }, }, @@ -151,6 +152,8 @@ export const editPoolSlice = createSlice({ runAsUser: action.payload.securityContext?.runAsUser || "", runAsGroup: action.payload.securityContext?.runAsGroup || "", fsGroup: action.payload.securityContext?.fsGroup || "", + fsGroupChangePolicy: + action.payload.securityContext?.fsGroupChangePolicy || "Always", runAsNonRoot: !!action.payload.securityContext?.runAsNonRoot, }, }, diff --git a/portal-ui/src/screens/Console/Tenants/TenantDetails/TenantEncryption.tsx b/portal-ui/src/screens/Console/Tenants/TenantDetails/TenantEncryption.tsx index 8bc7c5b7f..17863e3c7 100644 --- a/portal-ui/src/screens/Console/Tenants/TenantDetails/TenantEncryption.tsx +++ b/portal-ui/src/screens/Console/Tenants/TenantDetails/TenantEncryption.tsx @@ -97,6 +97,7 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => { useState(false); const [securityContext, setSecurityContext] = useState({ fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsGroup: "1000", runAsNonRoot: true, runAsUser: "1000", diff --git a/portal-ui/src/screens/Console/Tenants/TenantDetails/tenantAuditLogSlice.ts b/portal-ui/src/screens/Console/Tenants/TenantDetails/tenantAuditLogSlice.ts index 0dbcda0d8..814bf8966 100644 --- a/portal-ui/src/screens/Console/Tenants/TenantDetails/tenantAuditLogSlice.ts +++ b/portal-ui/src/screens/Console/Tenants/TenantDetails/tenantAuditLogSlice.ts @@ -62,12 +62,14 @@ const initialState: IEditTenantAuditLogging = { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: false, }, dbSecurityContext: { runAsUser: "1000", runAsGroup: "1000", fsGroup: "1000", + fsGroupChangePolicy: "Always", runAsNonRoot: false, }, refreshLoggingInfo: true, 
diff --git a/portal-ui/src/screens/Console/Tenants/types.ts b/portal-ui/src/screens/Console/Tenants/types.ts index d954cde4c..aff4d735e 100644 --- a/portal-ui/src/screens/Console/Tenants/types.ts +++ b/portal-ui/src/screens/Console/Tenants/types.ts @@ -137,6 +137,7 @@ export interface ISecurityContext { runAsGroup: string; runAsNonRoot: boolean; fsGroup: string; + fsGroupChangePolicy: "Always" | "OnRootMismatch"; } export interface IConfigureFields {
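Review bot: The new `fsGroupChangePolicy: "Always" | "OnRootMismatch"` member of `ISecurityContext` is required and excludes the empty string, yet `convertK8sSCToModelSC` in this same commit returns `""` when the pod spec carries no policy. Of the load paths visible in this diff only `editPoolSlice` coerces that with `|| "Always"`, so any other place that copies a server security context into state would hold a value the type says cannot exist. I would document that on the field, e.g. `// API may send "" when unset; normalise to "Always" before storing`, and apply the same fallback wherever a response is loaded.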