How can I specify securityContext for nifi nodes (pods)?

[grandeon]

Hi everyone,

I am trying to deploy the Stackable Operator for Apache NiFi solution on an OpenShift cluster.

I need to enforce some security directives through scc (securityContextConstraints).

I have deployed with helm declaring said directives when installing:
helm install nifi-operator stackable-stable/nifi-operator --version 0.8.0 -n stackable --set securityContext.runAsNonRoot=true --set securityContext.runAsUser=1000669988

And everything went well with the operator Pod, but the nodes are not deployed with those properties (runAsUser and NonRoot).

How can I make the nodes also have those properties when they are created?

The error I get is:
create Pod simple-nifi-node-default-0 in StatefulSet simple-nifi-node-default failed error: pods "simple-nifi-node-default-0" is forbidden: unable to validate against any security context constraint: [provider " anyuid": Forbidden: not usable by user or serviceaccount, spec.volumes[7]: Invalid value: "csi": csi volumes are not allowed to be used, spec.initContainers[0].securityContext.runAsUser: Invalid value: 0 : must be in the ranges: [1000670000, 1000679999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "zookeeper-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

Regards, and thank you very much,

[grandeon]

I am going to use OPA Gatekeeper to mutate the pods and thus get the desired security values:

apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: scc
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
    namespaces: ["nifi-stackable"]
  location: "spec.containers[name:*].securityContext"
  parameters:
    assign:
      value: 
        privileged: false
        runAsNonRoot: true
        runAsUser: 1000669988

It's works!!!

Now I am trying to modify zookeeper-operator so that it, as well as the zookeeper nodes that it raises, use the UID I choose and not uid 1000 (by default). If not, it gives a permissions error on boot.

So I'm compiling with:

RUN groupadd -g 1000669988 stackable && adduser -u 1000669988 -g stackable -c 'Stackable Operator' stackable

and I want to point to a private repository to use the images that HELM will deploy.

[razvan]

Hello @grandeon ,

sorry for taking so long to reply. Your message has somehow went unnoticed until today. Sorry for that.

We are currently working on getting all our operators and supported products to run on OpenShift. We didn't get to Nifi yet but ZooKeeper should work out of the box. The operator will create a service account for each ZooKeeper cluster and that account has an SCC attached to it.

Why do you need that particular user id for your cluster? Stackable supported products don't need to run as root and can run with any user id that is generated by OpenShift (there are some exceptions)

[grandeon]

Thank you very much @razvan for your answer.

While the OpenShift-compatible operator for NiFi is coming out, what I have done is to modify the statefulset object and add the serviceAccount and the scc necessary to be able to run in OpenShift.

I needed the particular user id because I was trying to use the "anyuid" scc, but eventually I'm going to use the "privileged" scc for the "nifi" serviceAccount I'm using.