
Commit

Move from annotation to .spec.readOnlyRootFilesystem property, add runAsNonRoot to default securityContext
burmanm committed Jul 16, 2024
1 parent 513d1b8 commit 1afa0aa
Showing 5 changed files with 16 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -13,6 +13,7 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti

* [FEATURE] [#263]((https://github.com/k8ssandra/cass-operator/issues/263) Allow increasing the size of CassandraDataVolumeClaimSpec if the selected StorageClass supports it. This feature is currently behind a opt-in feature flag and requires an annotation ``cassandra.datastax.com/allow-storage-changes: true`` to be set in the CassandraDatacenter.
* [ENHANCEMENT] [#648](https://github.com/k8ssandra/cass-operator/issues/648) Make MinReadySeconds configurable value in the Spec.
* [ENHANCEMENT] [#199](https://github.com/k8ssandra/cass-operator/issues/199) If .spec.readOnlyRootFilesystem is set, run the cassandra container with readOnlyRootFilesystem. Also, modify the default SecurityContext to mention runAsNonRoot: true
* [FEATURE] [#646](https://github.com/k8ssandra/cass-operator/issues/646) Allow starting multiple parallel pods if they have already previously bootstrapped and not planned for replacement. Set annotation ``cassandra.datastax.com/allow-parallel-starts: true`` to enable this feature.

## v1.21.1
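Review bot: the new [#199] entry does not tell users that the `cassandra.datastax.com/readonly-fs` annotation previously checked in readOnlyFs() is no longer honored, so anyone relying on it gets a writable root filesystem again after upgrading; add a sentence stating that the annotation is replaced by `.spec.readOnlyRootFilesystem`, and that the field only takes effect with the k8ssandra-client config builder (Cassandra 4.1 and newer and HCD), as the field's doc comment says. Minor: "modify the default SecurityContext to mention runAsNonRoot: true" reads oddly; "to set runAsNonRoot: true" is what the code does.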
4 changes: 4 additions & 0 deletions apis/cassandra/v1beta1/cassandradatacenter_types.go
Expand Up @@ -268,6 +268,10 @@ type CassandraDatacenterSpec struct {
// MinReadySeconds sets the minimum number of seconds for which a newly created pod should be ready without any of its containers crashing, for it to be considered available. Defaults to 5 seconds and is set in the StatefulSet spec.
// Setting to 0 might cause multiple Cassandra pods to restart at the same time despite PodDisruptionBudget settings.
MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`

// ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
// new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty"`
}

type NetworkingConfig struct {
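Review bot: when ReadOnlyRootFilesystem is true but the datacenter is not using the client image, the field is silently ignored (readOnlyFs() ANDs it with dc.UseClientImage()), so an operator who sets it on an older server version will believe the cassandra container is hardened when it is not; consider rejecting that combination in validation, or surfacing it as an event or status condition, rather than leaving it as a doc-comment caveat. The comment itself should read "makes the cassandra container run with a read-only root filesystem"; since the CRD description in the next hunk is generated from this comment, fix the wording here and regenerate instead of hand-editing the YAML.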
Original file line number Diff line number Diff line change
Expand Up @@ -8820,6 +8820,11 @@ spec:
- name
type: object
type: array
readOnlyRootFilesystem:
description: |-
ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
type: boolean
replaceNodes:
description: Deprecated Use CassandraTask replacenode to achieve correct
node replacement. A list of pod names that need to be replaced.
9 changes: 5 additions & 4 deletions pkg/reconciliation/construct_podtemplatespec.go
Expand Up @@ -801,7 +801,7 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
}

func readOnlyFs(dc *api.CassandraDatacenter) bool {
return metav1.HasAnnotation(dc.ObjectMeta, "cassandra.datastax.com/readonly-fs")
return dc.Spec.ReadOnlyRootFilesystem && dc.UseClientImage()
}

func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) {
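Review bot: dropping the metav1.HasAnnotation check with no transition period means existing CassandraDatacenters carrying `cassandra.datastax.com/readonly-fs` silently lose their read-only root filesystem on the next reconcile after the operator upgrade; keep honoring the annotation for one release (logging a deprecation warning when it is seen) or at least document the removal in the CHANGELOG. Also check whether metav1 is still referenced elsewhere in this file; if this was its only use, the import has to go as well for the file to compile.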
Expand Down Expand Up @@ -836,9 +836,10 @@ func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyI
if baseTemplate.Spec.SecurityContext == nil {
var userID int64 = 999
baseTemplate.Spec.SecurityContext = &corev1.PodSecurityContext{
RunAsUser: &userID,
RunAsGroup: &userID,
FSGroup: &userID,
RunAsUser: &userID,
RunAsGroup: &userID,
FSGroup: &userID,
RunAsNonRoot: ptr.To[bool](true),
}
}

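Review bot: RunAsNonRoot is set at pod level here, so it applies to every container and init container in the pod that does not override securityContext; a container that explicitly sets runAsUser: 0, or an image whose USER is root combined with a user-supplied securityContext lacking runAsUser, will now be refused by the kubelet at start. That is the intended hardening, but it deserves a unit test on the generated PodTemplateSpec and a CHANGELOG line stating that custom images must run as non-root. Note also that this default is only applied when baseTemplate.Spec.SecurityContext is nil, so users who supply their own podTemplateSpec securityContext get no runAsNonRoot unless they set it themselves. Minor: `ptr.To[bool](true)` can be written `ptr.To(true)` with type inference, and the `ptr` package (assumed to be k8s.io/utils/ptr) must be present in this file's import block.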
1 change: 1 addition & 0 deletions tests/testdata/default-two-rack-two-node-dc.yaml
Expand Up @@ -9,6 +9,7 @@ spec:
serverVersion: "4.0.10"
managementApiAuth:
insecure: {}
readOnlyRootFilesystem: true
size: 2
storageConfig:
cassandraDataVolumeClaimSpec:
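Review bot: this fixture declares serverVersion "4.0.10" while readOnlyFs() requires dc.UseClientImage(), which, per the field's doc comment, corresponds to the k8ssandra-client config builder used with Cassandra 4.1 and newer and HCD; unless this datacenter enables the client image elsewhere in the file, readOnlyRootFilesystem: true is a no-op here and the read-only branch goes untested. Either bump the version or add a second fixture that exercises the true branch, and assert on the resulting cassandra container SecurityContext.ReadOnlyRootFilesystem in the test.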

0 comments on commit 1afa0aa