[RFE] Better OpenShift Support

[RyuunoAelia]

What is the motivation or use case for the change?
Right now, the documentation of the operator states that to run the operator on openshift you need to create a new SCC. The yaml of that SCC states that it applies to every single authenticated user (so serviceaccounts on any namespace). This will relax (arguable only a little bit) SCC for ALL namespaces on the whole cluster, which is not great if you mind security.

Describe the solution you'd like
A better approach would be to be able to run the operator without that SCC.
As far as images go, it should not be that hard for PostgreSQL. The official docker/library image added the possibility to run as an arbitrary UID while back with docker-library/postgres#448

Then you would need to make the spec.securityContext.fsGroup optional in the pods created by the operator.
Please tell us about your environment:

• Operating System: any
• Where is this running: anywhere
• Storage being used: any (except hostPath)
• Container Image Tag: any
• PostgreSQL Version: any
• Platform: OpenShift
• Platform Version: OpenShift 3.11/4.x (OKD or OCP)

Additional context
I can probably help (reads write a PR) with the docker images.

[RyuunoAelia]

Interesting if I look at that https://github.com/CrunchyData/crunchy-containers/blob/master/bin/backrest_restore/common_lib.sh#L37-L38 the images seem to support arbitrary uid.

[RyuunoAelia]

And the fsgroup seems to come from the conf/postgres-operator/pgo.yaml file... so maybe it is a documentation issue? will test.

[jkatz]

This will be available in 4.3.2 which has not been released yet.

[RyuunoAelia]

Funny I did not find any issue/pr before opening this one, and now I find them... the github search feature is really trolling me sometimes.
So sorry for the noise.

Is there an ETA for the 4.3.2 release ?

[jkatz]

Very soon 😉