Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

make the root file system read only and run as non-root user [K8SSAND-954][K8SSAND-962][K8SSAND-801] #218

Closed
wants to merge 7 commits into from

Conversation

jsanda
Copy link
Contributor

@jsanda jsanda commented Oct 23, 2021

What this PR does:
Make the root file system read-only and the user non-root for all containers that cass-operator deploys by default.

The goal is to adopt the principle of least privilege so that there shouldn't be any need for users to override the default pod security context or container level security contexts (unless they want less security).

Changes have been made to support both Cassandra and DSE.

I have added a new init container, base-config-init, which copies base config files onto a config volume. The config files generated by the server-config-init init container are copied onto this volume. It is worth noting that we can have server-config-init write directly to the new config volume. I held off on doing that though we should update the management-api entrypoint script. Coordinating those changing will make things a bit tricky so I held off for now.

The default PodSecurityContext is now configure with RunAsNonRoot: true. I have also added a default SecurityContext for all of the containers to keep things locked down.

Which issue(s) this PR fixes:
Fixes #196, #199, #210, #211

Checklist

  • Changes manually tested
  • Automated Tests added/updated
  • Documentation added/updated
  • CHANGELOG.md updated (not required for documentation PRs)
  • CLA Signed: DataStax CLA

@jsanda jsanda requested a review from a team as a code owner October 23, 2021 04:43
@jsanda jsanda changed the title make the root file system read only and run as non-root user [WIP] make the root file system read only and run as non-root user Oct 23, 2021
@jsanda jsanda changed the title [WIP] make the root file system read only and run as non-root user make the root file system read only and run as non-root user Oct 29, 2021
These changes apply to both DSE and Cassandra as well as init containers and
the logging sidecar container.

Tests have been updated to pass but additional updates are needed still to
cover the changes.
Uupdates and refactoring of relevant unit tests wil follow in subsequent
commits.
The test is passing locally for me so it is entirely possibly that the failure
in GHA is due to resource constraints. There is no need to deploy 6 C* nodes
to test a config change particularly when the tests are running in GHA.
Furthermore, it will just make the test slower.
@jsanda jsanda self-assigned this Oct 29, 2021
@jsanda jsanda requested a review from burmanm October 29, 2021 21:28
@jdonenine jdonenine changed the title make the root file system read only and run as non-root user make the root file system read only and run as non-root user [K8SSAND-954] Nov 17, 2021
@jdonenine jdonenine removed the request for review from a team November 17, 2021 13:51
@jdonenine jdonenine changed the title make the root file system read only and run as non-root user [K8SSAND-954] make the root file system read only and run as non-root user [K8SSAND-954][K8SSAND-962][K8SSAND-801] Nov 17, 2021
@adejanovski
Copy link
Contributor

@burmanm, this is a fairly old PR. Is it still relevant?

@burmanm
Copy link
Contributor

burmanm commented May 12, 2023

Probably not at this point, the use-case/scenario itself is still not implemented, but there have been other changes to the cass-operator and other parts that this PR wouldn't be mergeable in any case.

@adejanovski
Copy link
Contributor

ok, I'll close the PR then and we can revisit this at some point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
Archived in project
3 participants