From 1afa0aa9d6407391fb5ff184543cb302c955e8b9 Mon Sep 17 00:00:00 2001
From: Michael Burman
Date: Fri, 31 May 2024 18:38:44 +0300
Subject: [PATCH] Move from annotation to .spec.readOnlyRootFilesystem property, add runAsNonRoot to default securityContext

---
 CHANGELOG.md | 1 +
 apis/cassandra/v1beta1/cassandradatacenter_types.go | 4 ++++
 .../cassandra.datastax.com_cassandradatacenters.yaml | 5 +++++
 pkg/reconciliation/construct_podtemplatespec.go | 9 +++++----
 tests/testdata/default-two-rack-two-node-dc.yaml | 1 +
 5 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 103b6668..87c7487e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti
 * [FEATURE] [#263]((https://github.com/k8ssandra/cass-operator/issues/263) Allow increasing the size of CassandraDataVolumeClaimSpec if the selected StorageClass supports it. This feature is currently behind a opt-in feature flag and requires an annotation ``cassandra.datastax.com/allow-storage-changes: true`` to be set in the CassandraDatacenter.
 * [ENHANCEMENT] [#648](https://github.com/k8ssandra/cass-operator/issues/648) Make MinReadySeconds configurable value in the Spec.
+* [ENHANCEMENT] [#199](https://github.com/k8ssandra/cass-operator/issues/199) If .spec.readOnlyRootFilesystem is set, run the cassandra container with readOnlyRootFilesystem. Also, modify the default SecurityContext to mention runAsNonRoot: true
 * [FEATURE] [#646](https://github.com/k8ssandra/cass-operator/issues/646) Allow starting multiple parallel pods if they have already previously bootstrapped and not planned for replacement. Set annotation ``cassandra.datastax.com/allow-parallel-starts: true`` to enable this feature.
 
 ## v1.21.1
diff --git a/apis/cassandra/v1beta1/cassandradatacenter_types.go b/apis/cassandra/v1beta1/cassandradatacenter_types.go
index 5a13b335..8f6539a9 100644
--- a/apis/cassandra/v1beta1/cassandradatacenter_types.go
+++ b/apis/cassandra/v1beta1/cassandradatacenter_types.go
@@ -268,6 +268,10 @@ type CassandraDatacenterSpec struct {
 // MinReadySeconds sets the minimum number of seconds for which a newly created pod should be ready without any of its containers crashing, for it to be considered available. Defaults to 5 seconds and is set in the StatefulSet spec.
 // Setting to 0 might cause multiple Cassandra pods to restart at the same time despite PodDisruptionBudget settings.
 MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+
+ // ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+ // new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+ ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty"`
 }
 
 type NetworkingConfig struct {
diff --git a/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml b/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml
index 9cda1de7..2d7a9493 100644
--- a/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml
+++ b/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml
@@ -8820,6 +8820,11 @@ spec:
 - name
 type: object
 type: array
+ readOnlyRootFilesystem:
+ description: |-
+ ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+ new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+ type: boolean
 replaceNodes:
 description: Deprecated Use CassandraTask replacenode to achieve correct node replacement. A list of pod names that need to be replaced.
diff --git a/pkg/reconciliation/construct_podtemplatespec.go b/pkg/reconciliation/construct_podtemplatespec.go
index 0d0ea922..181f2186 100644
--- a/pkg/reconciliation/construct_podtemplatespec.go
+++ b/pkg/reconciliation/construct_podtemplatespec.go
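Review bot: The doc comment on the new ReadOnlyRootFilesystem field does not say what happens when the condition it names is not met; since readOnlyFs in construct_podtemplatespec.go evaluates `dc.Spec.ReadOnlyRootFilesystem && dc.UseClientImage()`, a datacenter that sets the field without using the k8ssandra-client image silently keeps a writable root filesystem, and users reading the CRD schema will not learn that from the current text. Suggested addition to the comment: `// Ignored (the container keeps a writable root filesystem) when the datacenter does not use the k8ssandra-client image.` A `// +optional` marker would also match the omitempty tag, if the other optional fields in this struct carry one. The CassandraDatacenterSpec struct starts and ends outside the hunk.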
@@ -801,7 +801,7 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 }
 
 func readOnlyFs(dc *api.CassandraDatacenter) bool {
- return metav1.HasAnnotation(dc.ObjectMeta, "cassandra.datastax.com/readonly-fs")
+ return dc.Spec.ReadOnlyRootFilesystem && dc.UseClientImage()
 }
 
 func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) {
@@ -836,9 +836,10 @@ func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyI
 if baseTemplate.Spec.SecurityContext == nil {
 var userID int64 = 999
 baseTemplate.Spec.SecurityContext = &corev1.PodSecurityContext{
- RunAsUser: &userID,
- RunAsGroup: &userID,
- FSGroup: &userID,
+ RunAsUser: &userID,
+ RunAsGroup: &userID,
+ FSGroup: &userID,
+ RunAsNonRoot: ptr.To[bool](true),
 }
 }
 
diff --git a/tests/testdata/default-two-rack-two-node-dc.yaml b/tests/testdata/default-two-rack-two-node-dc.yaml
index 97817e4c..8ed229a1 100644
--- a/tests/testdata/default-two-rack-two-node-dc.yaml
+++ b/tests/testdata/default-two-rack-two-node-dc.yaml
@@ -9,6 +9,7 @@ spec:
 serverVersion: "4.0.10"
 managementApiAuth:
 insecure: {}
+ readOnlyRootFilesystem: true
 size: 2
 storageConfig:
 cassandraDataVolumeClaimSpec:
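Review bot: readOnlyFs now silently drops the setting when dc.UseClientImage() is false, so a user who sets .spec.readOnlyRootFilesystem on a datacenter that does not use the client image gets a writable root filesystem with no event, log line or status condition explaining why the hardening they asked for is absent. Consider logging or emitting a warning event at the point readOnlyFs is evaluated, or rejecting the combination at admission if the project validates the spec there. The annotation cassandra.datastax.com/readonly-fs is also removed with no deprecation path: datacenters still carrying it will lose their read-only root on upgrade without any signal, so either keep honoring the annotation for a release or call the removal out as a breaking change in the changelog. buildPodTemplateSpec's body continues outside the hunk.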
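Review bot: RunAsNonRoot is only set on the default PodSecurityContext that is built when baseTemplate.Spec.SecurityContext is nil, so a user-supplied pod template that carries its own SecurityContext, even an empty one, gets no runAsNonRoot enforcement; if this is meant as a baseline rather than a default, apply it when the supplied context leaves RunAsNonRoot unset, otherwise the field comment should say it is a default only. The type argument in `ptr.To[bool](true)` is redundant, `RunAsNonRoot: ptr.To(true),` infers it. This line depends on a `ptr` import (presumably k8s.io/utils/ptr) that is outside the hunk. The enclosing buildPodTemplateSpec starts and ends outside the hunk.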
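Review bot: The fixture sets readOnlyRootFilesystem: true alongside serverVersion "4.0.10", but the new readOnlyFs gate also requires dc.UseClientImage(); if that is derived from the server version as the field's doc comment implies (Cassandra 4.1 and newer), the setting is a no-op here and tests built on this fixture never exercise the read-only root path. A fixture with a 4.1+ serverVersion, or an explicit assertion that the cassandra container's SecurityContext.ReadOnlyRootFilesystem is set, would cover the feature this commit adds.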