Fix the way FSGroup and RunAsUser are used (#319)

Orange-OpenSource · Apr 27, 2021 · 20fc519 · 20fc519
1 parent 3fce4db
commit 20fc519
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 38 deletions.
diff --git a/deploy/crds/db.orange.com_cassandraclusters_crd.yaml b/deploy/crds/db.orange.com_cassandraclusters_crd.yaml
@@ -112,6 +112,7 @@ spec:
                   cluster is deleted it is false by default
                 type: boolean
               fsGroup:
+                default: 1
                 description: FSGroup defines the GID owning volumes in the Cassandra
                   image
                 format: int64
@@ -305,6 +306,7 @@ spec:
                 format: int32
                 type: integer
               runAsUser:
+                default: 999
                 description: RunAsUser define the id of the user to run in the Cassandra
                   image
                 format: int64

diff --git a/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml b/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml
@@ -111,6 +111,13 @@ spec:
                 description: DeletePVC defines if the PVC must be deleted when the
                   cluster is deleted it is false by default
                 type: boolean
+              fsGroup:
+                default: 1
+                description: FSGroup defines the GID owning volumes in the Cassandra
+                  image
+                format: int64
+                minimum: 1
+                type: integer
               gcStdout:
                 description: 'GCStdout set the parameter CASSANDRA_GC_STDOUT which
                   configure the JVM -Xloggc: true by default'
@@ -299,16 +306,12 @@ spec:
                 format: int32
                 type: integer
               runAsUser:
+                default: 999
                 description: RunAsUser define the id of the user to run in the Cassandra
                   image
                 format: int64
                 minimum: 1
                 type: integer
-              fsGroup:
-                description: FSGroup defines the GID owning volumes in the Cassandra image
-                format: int64
-                minimum: 1
-                type: integer
               service:
                 description: ServicePolicy defines the policy for headless service
                   owned by CassKop operator.

diff --git a/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml b/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml
@@ -111,6 +111,13 @@ spec:
                 description: DeletePVC defines if the PVC must be deleted when the
                   cluster is deleted it is false by default
                 type: boolean
+              fsGroup:
+                default: 1
+                description: FSGroup defines the GID owning volumes in the Cassandra
+                  image
+                format: int64
+                minimum: 1
+                type: integer
               gcStdout:
                 description: 'GCStdout set the parameter CASSANDRA_GC_STDOUT which
                   configure the JVM -Xloggc: true by default'
@@ -299,16 +306,12 @@ spec:
                 format: int32
                 type: integer
               runAsUser:
+                default: 999
                 description: RunAsUser define the id of the user to run in the Cassandra
                   image
                 format: int64
                 minimum: 1
                 type: integer
-              fsGroup:
-                description: FSGroup defines the GID owning volumes in the Cassandra image
-                format: int64
-                minimum: 1
-                type: integer
               service:
                 description: ServicePolicy defines the policy for headless service
                   owned by CassKop operator.

diff --git a/pkg/apis/db/v1alpha1/cassandracluster_types.go b/pkg/apis/db/v1alpha1/cassandracluster_types.go
@@ -55,12 +55,7 @@ const (
 	//DefaultDelayWaitForDecommission is the time to wait for the decommission to happen on the Pod
 	//The operator will start again if it is not the case
 	DefaultDelayWaitForDecommission = 120
-
-	//DefaultUserID is the default ID to use in cassandra image (RunAsUser)
-	DefaultUserID int64 = 999
-	//DefaultFSGroup is the default GID owning volumes in the Cassandra image
-	DefaultFSGroup int64 = 1
-)
+	)
 
 // ClusterStateInfo describe a cluster state
 type ClusterStateInfo struct {
@@ -142,12 +137,6 @@ func (cc *CassandraCluster) CheckDefaults() {
 		ccs.InitContainerCmd = InitContainerCmd
 	}
 
-	if ccs.RunAsUser == nil {
-		ccs.RunAsUser = func(i int64) *int64 { return &i }(DefaultUserID)
-	}
-	if ccs.FSGroup == nil {
-		ccs.FSGroup = func(i int64) *int64 { return &i }(DefaultFSGroup)
-	}
 	if ccs.ReadOnlyRootFilesystem == nil {
 		ccs.ReadOnlyRootFilesystem = func(b bool) *bool { return &b }(true)
 	}
@@ -758,11 +747,13 @@ type CassandraClusterSpec struct {
 
 	// RunAsUser define the id of the user to run in the Cassandra image
 	// +kubebuilder:validation:Minimum=1
-	RunAsUser *int64 `json:"runAsUser,omitempty"`
+	// +kubebuilder:default:=999
+	RunAsUser int64 `json:"runAsUser,omitempty"`
 
 	// FSGroup defines the GID owning volumes in the Cassandra image
 	// +kubebuilder:validation:Minimum=1
-	FSGroup *int64 `json:"fsGroup,omitempty"`
+	// +kubebuilder:default:=1
+	FSGroup int64 `json:"fsGroup,omitempty"`
 
 	// Make the pod as Readonly
 	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`

diff --git a/pkg/apis/db/v1alpha1/cassandracluster_types_test.go b/pkg/apis/db/v1alpha1/cassandracluster_types_test.go
@@ -502,8 +502,6 @@ func TestSetDefaults(t *testing.T) {
 	assert.Equal(resource.MustParse("500m"), *cluster.Spec.Resources.Limits.Cpu())
 	assert.Equal(resource.MustParse("1Gi"), *cluster.Spec.Resources.Limits.Memory())
 
-	assert.Equal(DefaultUserID, *cluster.Spec.RunAsUser)
-	assert.Equal(DefaultFSGroup, *cluster.Spec.FSGroup)
 	assert.Equal(ClusterPhaseInitial.Name, cluster.Status.Phase)
 	assert.Equal(int32(defaultMaxPodUnavailable), cluster.Spec.MaxPodUnavailable)
 	assert.Equal([]string{"defaults-test-dc1-rack1-0.defaults-test.default"}, cluster.Status.SeedList)

diff --git a/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/controller/cassandracluster/generator.go b/pkg/controller/cassandracluster/generator.go
@@ -346,9 +346,9 @@ func generateCassandraStatefulSet(cc *api.CassandraCluster, status *api.Cassandr
 					},
 					Tolerations: tolerations,
 					SecurityContext: &v1.PodSecurityContext{
-						RunAsUser:    cc.Spec.RunAsUser,
+						RunAsUser:    func(i int64) *int64 { return &i }(cc.Spec.RunAsUser),
 						RunAsNonRoot: func(b bool) *bool { return &b }(true),
-						FSGroup:      cc.Spec.FSGroup,
+						FSGroup:      func(i int64) *int64 { return &i }(cc.Spec.FSGroup),
 					},
 
 					InitContainers: []v1.Container{

diff --git a/pkg/controller/cassandracluster/generator_test.go b/pkg/controller/cassandracluster/generator_test.go
@@ -203,6 +203,9 @@ func TestGenerateCassandraStatefulSet(t *testing.T) {
 		},
 	}, sts.Spec.Template.Spec.Tolerations)
 
+	assert.Equal(int64(1001), *sts.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(int64(1002), *sts.Spec.Template.Spec.SecurityContext.FSGroup)
+
 	checkVolumeClaimTemplates(t, labels, sts.Spec.VolumeClaimTemplates, "10Gi", "test-storage")
 	checkLiveAndReadiNessProbe(t, sts.Spec.Template.Spec.Containers,
 		1010, 201, 32, 7, 9, 1205, 151, 17, 50, 30)

diff --git a/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml b/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml
@@ -16,6 +16,8 @@ spec:
       requests:
         cpu: "1"
         memory: 1Gi
+  runAsUser: 1001
+  fsGroup: 1002
   livenessInitialDelaySeconds: 1205
   livenessHealthCheckTimeout: 151
   livenessHealthCheckPeriod: 17