From 20fc5194524917deb076159fcdf00056d7ce5b78 Mon Sep 17 00:00:00 2001 From: Cyril Scetbon Date: Tue, 27 Apr 2021 08:11:53 -0400 Subject: [PATCH] Fix the way FSGroup and RunAsUser are used (#319) --- .../db.orange.com_cassandraclusters_crd.yaml | 2 ++ .../db.orange.com_cassandraclusters_crd.yaml | 13 ++++++++----- .../db.orange.com_cassandraclusters_crd.yaml | 13 ++++++++----- .../db/v1alpha1/cassandracluster_types.go | 19 +++++-------------- .../v1alpha1/cassandracluster_types_test.go | 2 -- pkg/apis/db/v1alpha1/zz_generated.deepcopy.go | 10 ---------- pkg/controller/cassandracluster/generator.go | 4 ++-- .../cassandracluster/generator_test.go | 3 +++ .../testdata/cassandracluster-2DC.yaml | 2 ++ 9 files changed, 30 insertions(+), 38 deletions(-) diff --git a/deploy/crds/db.orange.com_cassandraclusters_crd.yaml b/deploy/crds/db.orange.com_cassandraclusters_crd.yaml index b69c7d0ab..643556885 100644 --- a/deploy/crds/db.orange.com_cassandraclusters_crd.yaml +++ b/deploy/crds/db.orange.com_cassandraclusters_crd.yaml @@ -112,6 +112,7 @@ spec: cluster is deleted it is false by default type: boolean fsGroup: + default: 1 description: FSGroup defines the GID owning volumes in the Cassandra image format: int64 @@ -305,6 +306,7 @@ spec: format: int32 type: integer runAsUser: + default: 999 description: RunAsUser define the id of the user to run in the Cassandra image format: int64 diff --git a/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml b/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml index 039d51ca6..643556885 100644 --- a/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml +++ b/helm/cassandra-operator/crds/db.orange.com_cassandraclusters_crd.yaml 
@@ -111,6 +111,13 @@ spec: description: DeletePVC defines if the PVC must be deleted when the cluster is deleted it is false by default type: boolean + fsGroup: + default: 1 + description: FSGroup defines the GID owning volumes in the Cassandra + image + format: int64 + minimum: 1 + type: integer gcStdout: description: 'GCStdout set the parameter CASSANDRA_GC_STDOUT which configure the JVM -Xloggc: true by default' @@ -299,16 +306,12 @@ spec: format: int32 type: integer runAsUser: + default: 999 description: RunAsUser define the id of the user to run in the Cassandra image format: int64 minimum: 1 type: integer - fsGroup: - description: FSGroup defines the GID owning volumes in the Cassandra image - format: int64 - minimum: 1 - type: integer service: description: ServicePolicy defines the policy for headless service owned by CassKop operator. diff --git a/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml b/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml index 039d51ca6..643556885 100644 --- a/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml +++ b/multi-casskop/helm/multi-casskop/crds/db.orange.com_cassandraclusters_crd.yaml @@ -111,6 +111,13 @@ spec: description: DeletePVC defines if the PVC must be deleted when the cluster is deleted it is false by default type: boolean + fsGroup: + default: 1 + description: FSGroup defines the GID owning volumes in the Cassandra + image + format: int64 + minimum: 1 + type: integer gcStdout: description: 'GCStdout set the parameter CASSANDRA_GC_STDOUT which configure the JVM -Xloggc: true by default' 
@@ -299,16 +306,12 @@ spec: format: int32 type: integer runAsUser: + default: 999 description: RunAsUser define the id of the user to run in the Cassandra image format: int64 minimum: 1 type: integer - fsGroup: - description: FSGroup defines the GID owning volumes in the Cassandra image - format: int64 - minimum: 1 - type: integer service: description: ServicePolicy defines the policy for headless service owned by CassKop operator. diff --git a/pkg/apis/db/v1alpha1/cassandracluster_types.go b/pkg/apis/db/v1alpha1/cassandracluster_types.go index 0de830f9e..1d3c3f4b0 100644 --- a/pkg/apis/db/v1alpha1/cassandracluster_types.go +++ b/pkg/apis/db/v1alpha1/cassandracluster_types.go @@ -55,12 +55,7 @@ const ( //DefaultDelayWaitForDecommission is the time to wait for the decommission to happen on the Pod //The operator will start again if it is not the case DefaultDelayWaitForDecommission = 120 - - //DefaultUserID is the default ID to use in cassandra image (RunAsUser) - DefaultUserID int64 = 999 - //DefaultFSGroup is the default GID owning volumes in the Cassandra image - DefaultFSGroup int64 = 1 -) + ) // ClusterStateInfo describe a cluster state type ClusterStateInfo struct { @@ -142,12 +137,6 @@ func (cc *CassandraCluster) CheckDefaults() { ccs.InitContainerCmd = InitContainerCmd } - if ccs.RunAsUser == nil { - ccs.RunAsUser = func(i int64) *int64 { return &i }(DefaultUserID) - } - if ccs.FSGroup == nil { - ccs.FSGroup = func(i int64) *int64 { return &i }(DefaultFSGroup) - } if ccs.ReadOnlyRootFilesystem == nil { ccs.ReadOnlyRootFilesystem = func(b bool) *bool { return &b }(true) } 
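Review bot: Removing the two nil guards in CheckDefaults leaves no in-process default for RunAsUser and FSGroup, so any spec that reaches the operator without the CRD schema default having been applied (an object built in code or loaded from a file, or a cluster whose apiextensions version does not honour `default:` in the schema) carries the Go zero value 0, and the generator.go hunk later in this patch wraps that 0 into an explicit `&0` rather than leaving the field unset. RunAsNonRoot=true makes the kubelet refuse UID 0 for RunAsUser, but FSGroup=0 has no such backstop: it is applied as-is, making GID 0 the owner of the volumes and a supplemental group of the container process. Keeping DefaultUserID/DefaultFSGroup (999 and 1 on the removed lines) and testing for the zero value instead of nil preserves the previous guarantee and is compatible with the schema default, since a non-zero value from the API server is left untouched. Separately, the new side indents the closing `)` of the const block; gofmt would put it back at column 0. CheckDefaults begins and ends outside this hunk.
```go
	// … unchanged: InitContainerCmd default …
	// Schema defaulting happens in the API server only; guard the zero value so
	// objects that did not pass through it never run as UID/GID 0.
	if ccs.RunAsUser == 0 {
		ccs.RunAsUser = DefaultUserID
	}
	if ccs.FSGroup == 0 {
		ccs.FSGroup = DefaultFSGroup
	}
	// … unchanged: ReadOnlyRootFilesystem default …
```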
@@ -758,11 +747,13 @@ type CassandraClusterSpec struct { // RunAsUser define the id of the user to run in the Cassandra image // +kubebuilder:validation:Minimum=1 - RunAsUser *int64 `json:"runAsUser,omitempty"` + // +kubebuilder:default:=999 + RunAsUser int64 `json:"runAsUser,omitempty"` // FSGroup defines the GID owning volumes in the Cassandra image // +kubebuilder:validation:Minimum=1 - FSGroup *int64 `json:"fsGroup,omitempty"` + // +kubebuilder:default:=1 + FSGroup int64 `json:"fsGroup,omitempty"` // Make the pod as Readonly ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"` diff --git a/pkg/apis/db/v1alpha1/cassandracluster_types_test.go b/pkg/apis/db/v1alpha1/cassandracluster_types_test.go index 229ab7f32..70d84036c 100644 --- a/pkg/apis/db/v1alpha1/cassandracluster_types_test.go +++ b/pkg/apis/db/v1alpha1/cassandracluster_types_test.go @@ -502,8 +502,6 @@ func TestSetDefaults(t *testing.T) { assert.Equal(resource.MustParse("500m"), *cluster.Spec.Resources.Limits.Cpu()) assert.Equal(resource.MustParse("1Gi"), *cluster.Spec.Resources.Limits.Memory()) - assert.Equal(DefaultUserID, *cluster.Spec.RunAsUser) - assert.Equal(DefaultFSGroup, *cluster.Spec.FSGroup) assert.Equal(ClusterPhaseInitial.Name, cluster.Status.Phase) assert.Equal(int32(defaultMaxPodUnavailable), cluster.Spec.MaxPodUnavailable) assert.Equal([]string{"defaults-test-dc1-rack1-0.defaults-test.default"}, cluster.Status.SeedList) diff --git a/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go index 96654196a..bace114fb 100644 --- a/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/db/v1alpha1/zz_generated.deepcopy.go 
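Review bot: With `RunAsUser int64 \`json:"runAsUser,omitempty"\`` and the same for FSGroup, a client that sets the field to 0 through these Go types has it dropped on the wire by omitempty, so the API server sees the field as absent and applies the default instead of rejecting it under Minimum=1; only raw YAML with an explicit 0 is rejected. That asymmetry is easy to miss and deserves a line on each field, e.g. `// 0 is serialised as "unset" (omitempty); the CRD default is applied server-side, not by this type.` Also worth noting in the field comments that the default now lives only in the kubebuilder marker, so CRD regeneration is required whenever the value changes. The CassandraClusterSpec struct starts and ends outside this hunk.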
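Review bot: Deleting the two assertions from TestSetDefaults leaves the default user/group values without any test: CheckDefaults no longer sets them and the only remaining source of 999/1 is the CRD schema `default:`, which no unit test in this patch exercises. The new generator_test assertions cover only testdata with explicit `runAsUser: 1001` / `fsGroup: 1002`. A case with both fields absent that pins the SecurityContext the operator emits would make the zero-value behaviour an explicit decision rather than an accident, whatever that decision is. TestSetDefaults starts and ends outside this hunk.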
@@ -213,16 +213,6 @@ func (in *CassandraClusterList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CassandraClusterSpec) DeepCopyInto(out *CassandraClusterSpec) { *out = *in - if in.RunAsUser != nil { - in, out := &in.RunAsUser, &out.RunAsUser - *out = new(int64) - **out = **in - } - if in.FSGroup != nil { - in, out := &in.FSGroup, &out.FSGroup - *out = new(int64) - **out = **in - } if in.ReadOnlyRootFilesystem != nil { in, out := &in.ReadOnlyRootFilesystem, &out.ReadOnlyRootFilesystem *out = new(bool) diff --git a/pkg/controller/cassandracluster/generator.go b/pkg/controller/cassandracluster/generator.go index 7dbbd3ffc..f9d5d0065 100644 --- a/pkg/controller/cassandracluster/generator.go +++ b/pkg/controller/cassandracluster/generator.go @@ -346,9 +346,9 @@ func generateCassandraStatefulSet(cc *api.CassandraCluster, status *api.Cassandr }, Tolerations: tolerations, SecurityContext: &v1.PodSecurityContext{ - RunAsUser: cc.Spec.RunAsUser, + RunAsUser: func(i int64) *int64 { return &i }(cc.Spec.RunAsUser), RunAsNonRoot: func(b bool) *bool { return &b }(true), - FSGroup: cc.Spec.FSGroup, + FSGroup: func(i int64) *int64 { return &i }(cc.Spec.FSGroup), }, InitContainers: []v1.Container{ diff --git a/pkg/controller/cassandracluster/generator_test.go b/pkg/controller/cassandracluster/generator_test.go index 03a87c0a2..45ecb42a2 100644 --- a/pkg/controller/cassandracluster/generator_test.go +++ b/pkg/controller/cassandracluster/generator_test.go 
@@ -203,6 +203,9 @@ func TestGenerateCassandraStatefulSet(t *testing.T) { }, }, sts.Spec.Template.Spec.Tolerations) + assert.Equal(int64(1001), *sts.Spec.Template.Spec.SecurityContext.RunAsUser) + assert.Equal(int64(1002), *sts.Spec.Template.Spec.SecurityContext.FSGroup) + checkVolumeClaimTemplates(t, labels, sts.Spec.VolumeClaimTemplates, "10Gi", "test-storage") checkLiveAndReadiNessProbe(t, sts.Spec.Template.Spec.Containers, 1010, 201, 32, 7, 9, 1205, 151, 17, 50, 30) diff --git a/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml b/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml index f65b4e9e3..7c0629ff4 100644 --- a/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml +++ b/pkg/controller/cassandracluster/testdata/cassandracluster-2DC.yaml @@ -16,6 +16,8 @@ spec: requests: cpu: "1" memory: 1Gi + runAsUser: 1001 + fsGroup: 1002 livenessInitialDelaySeconds: 1205 livenessHealthCheckTimeout: 151 livenessHealthCheckPeriod: 17