Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/proxysql-cluster/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: proxysql-cluster
description: ProxySQL control-plane (StatefulSet, persistent) for operator-managed ProxySQL Clusters
type: application
version: 0.1.0
version: 0.2.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check pod specifications in proxysql-cluster templates for PSA restricted compliance

# Find all template files
fd -e yaml -e yml 'charts/proxysql-cluster/templates' | while read file; do
  echo "=== File: $file ==="
  cat "$file"
  echo ""
done

Repository: ProxySQL/proxysql-on-k8s

Length of output: 506


🏁 Script executed:

#!/bin/bash
# Description: Check pod specifications in proxysql-cluster templates for PSA restricted compliance

# Find all template files using corrected fd syntax
fd . 'charts/proxysql-cluster/templates' -e yaml -e yml | while read file; do
  echo "=== File: $file ==="
  cat "$file"
  echo ""
done

Repository: ProxySQL/proxysql-on-k8s

Length of output: 11711


🏁 Script executed:

cat charts/proxysql-cluster/values.yaml

Repository: ProxySQL/proxysql-on-k8s

Length of output: 3881


Chart version bump to 0.2.0 is correct.

The version field update from 0.1.0 to 0.2.0 appropriately signals a minor version release.

Pod specifications in the main StatefulSet properly implement PSA restricted security context: the defaults in values.yaml set runAsNonRoot=true, uid/gid=999, readOnlyRootFilesystem=true, all capabilities dropped, and seccomp profile set to RuntimeDefault. Values overrides flow correctly through all templates, and label/selector consistency is preserved across all resources.

However, the test Pod in charts/proxysql-cluster/templates/tests/test-connection.yaml violates the uid requirement by using runAsUser: 65534 instead of the required 999. Update this to match the PSA restricted profile.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/proxysql-cluster/Chart.yaml` at line 5, The test Pod in the test
connection template violates the PSA restricted security context by running with
runAsUser set to 65534 instead of the required uid 999. Update the
securityContext in the test Pod specification to set runAsUser to 999 to match
the PSA restricted profile that is properly implemented in the main StatefulSet
and other resources. This ensures consistency across all Pod specifications and
compliance with the restricted security context.

Source: Coding guidelines

appVersion: "3.0"
kubeVersion: ">=1.29.0-0"
keywords:
Expand Down
4 changes: 2 additions & 2 deletions charts/proxysql-operator/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ apiVersion: v2
name: proxysql-operator
description: Operator that reconciles ProxySQLCluster and ProxySQLConfig CRDs (proxysql.com/v1alpha1)
type: application
version: 0.2.5
appVersion: "0.2.5"
version: 0.3.0
appVersion: "0.3.0"
Comment on lines +5 to +6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check pod specifications in proxysql-operator templates for PSA restricted compliance

# Find all template files
fd -e yaml -e yml 'charts/proxysql-operator/templates' | while read file; do
  echo "=== File: $file ==="
  cat "$file"
  echo ""
done

Repository: ProxySQL/proxysql-on-k8s

Length of output: 510


🏁 Script executed:

#!/bin/bash
# List all template files in the proxysql-operator templates directory
fd . 'charts/proxysql-operator/templates' -e yaml -e yml

Repository: ProxySQL/proxysql-on-k8s

Length of output: 335


🏁 Script executed:

#!/bin/bash
# Read the deployment.yaml to check pod specifications
cat 'charts/proxysql-operator/templates/deployment.yaml'

Repository: ProxySQL/proxysql-on-k8s

Length of output: 3176


🏁 Script executed:

#!/bin/bash
# Find values files for proxysql-operator chart
fd . 'charts/proxysql-operator' -name 'values*.yaml' -o -name 'values*.yml'

Repository: ProxySQL/proxysql-on-k8s

Length of output: 299


🏁 Script executed:

#!/bin/bash
# Find values files for proxysql-operator chart
find 'charts/proxysql-operator' -name 'values*.yaml'

Repository: ProxySQL/proxysql-on-k8s

Length of output: 105


🏁 Script executed:

#!/bin/bash
# Read values.yaml to check security context configuration
cat 'charts/proxysql-operator/values.yaml'

Repository: ProxySQL/proxysql-on-k8s

Length of output: 1683


PSA restricted pod security context is incomplete in charts/proxysql-operator/values.yaml.

The chart's podSecurityContext is missing required runAsUser: 999 and runAsGroup: 999 fields mandated by the PSA restricted profile. While the template correctly delegates security context to values and the existing configuration includes runAsNonRoot: true, readOnlyRootFilesystem: true, capability drops, and seccomp set to RuntimeDefault, the uid/gid specification must be added to achieve full PSA restricted compliance.

Add the following to podSecurityContext in charts/proxysql-operator/values.yaml:

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 999
  runAsGroup: 999
  seccompProfile:
    type: RuntimeDefault

Also add fsGroup: 999 if the operator writes to mounted volumes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/proxysql-operator/Chart.yaml` around lines 5 - 6, The
podSecurityContext in values.yaml is missing required fields for PSA restricted
profile compliance. Add runAsUser: 999 and runAsGroup: 999 to the existing
podSecurityContext configuration alongside the existing runAsNonRoot,
readOnlyRootFilesystem, capability drops, and seccomp settings. Additionally,
add fsGroup: 999 to podSecurityContext if the operator writes to mounted
volumes.

Source: Coding guidelines

kubeVersion: ">=1.29.0-0"
keywords:
- proxysql
Expand Down
Loading