Issue-468: Run pravega segmentstore sts with runAsUser = 0 #469
Conversation
Signed-off-by: prabhaker24 <[email protected]>
pkg/apis/pravega/v1beta1/pravega.go
@@ -167,6 +168,9 @@ type PravegaSpec struct { | |||
|
|||
// SegmentStoreExternalTrafficPolicy defines the ExternalTrafficPolicy it can have cluster or local | |||
SegmentStoreExternalTrafficPolicy string `json:"segmentStoreExternalTrafficPolicy,omitempty"` | |||
|
|||
// SecurityContext holds security configuration that will be applied to a container | |||
SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"` |
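Review bot: the doc comment on `SecurityContext` says the configuration "will be applied to a container", but the field type is `*corev1.PodSecurityContext`, which is the pod-level context, and this PR copies it only into the segment store StatefulSet template. Rename the field so the scope is visible in the CRD (the thread suggests a segment-store-specific name, with a separate one for the controller) and reword the comment to say it is the pod-level security context applied to the segment store pods; keeping the pointer `omitempty` so that a nil value renders no `securityContext` at all is the right default, and the comment should say so.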
The PodSecurityContext is getting applied to the segment store only in this PR. And indeed the controller pods don't necessarily need the same PSC (in particular, SegmentStore pods have more requirements, such as requiring access to NFS, versus controllers which require less).
While the changes look correct, perhaps calling out that this is only getting applied to the SS (renaming it accordingly?), or also adding a separate one for the controller pods as well, might help avoid confusion?
I have changed the name and added securitycontext for controller as well.
@@ -392,6 +392,128 @@ spec: | |||
to the Pravega processes as JAVA_OPTS. See the following file | |||
for a complete list of options: https://github.com/pravega/pravega/blob/master/config/config.properties' | |||
type: object | |||
securityContext: |
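Review bot: this hunk adds 122 lines to the CRD validation schema but only the `securityContext:` key survives in the excerpt, so the shape of the schema cannot be checked here. Because the Go field is a `*corev1.PodSecurityContext`, the properties under this key should be the pod-level ones (`runAsUser`, `runAsGroup`, `fsGroup`, `runAsNonRoot`, and so on) rather than the container-level `SecurityContext`, and the `description` should state that the block is applied to the segment store pods only, matching the rename agreed in the review thread.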
yes, it's from this only.
…e ss security context Signed-off-by: prabhaker24 <[email protected]>
charts/pravega/README.md
@@ -99,3 +99,5 @@ The following table lists the configurable parameters of the pravega chart and t | |||
| `storage.cache.className` | Storage class for cache volume | `` | | |||
| `storage.cache.size` | Storage requests for cache volume | `20Gi` | | |||
| `options` | List of Pravega options | | | |||
| `segmentStoreSecurityContext.runAsUser` | The UID to run the entrypoint of the container process | `0` | |
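Review bot: the default column for `segmentStoreSecurityContext.runAsUser` reads `0`, which tells chart users that the segment store runs as root out of the box, while the review thread asks that no security context be set unless the user opts in. Leave the default cell empty (or write "unset") and extend the description so it says that `0` is the root UID and is only needed where the container must write the cert bundle into the trust store, as on OpenShift; otherwise the chart README and the values file disagree about the shipped default.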
Can we mention that by default we are not setting any value for security context.
Done.
Codecov Report

| | master | #469 | +/- |
|---|---|---|---|
| Coverage | 75.29% | 72.58% | -2.72% |
| Files | 15 | 15 | |
| Lines | 3068 | 3297 | +229 |
| Hits | 2310 | 2393 | +83 |
| Misses | 669 | 805 | +136 |
| Partials | 89 | 99 | +10 |

Continue to review full report at Codecov.
LGTM
Signed-off-by: prabhaker24 [email protected]
Change log description
Pravega with ECS as LTS is failing to deploy in an OpenShift environment, as the container needs to inject the cert bundle into the trust store, but the security context selected by OpenShift is preventing it.
To solve the above problem we have to set runAsUser = 0 for the pravega segmentstore sts.
Purpose of the change
Fixes #468
What the code does
These changes allow the segmentstore pods to run as the root user. To enable this, the user has to put the following in the manifest file when deploying it manually:
If he is using charts, he needs to uncomment the line in the values.yaml of the pravega charts:
For the controller he needs to set it like this:
How to verify it
Deploy the pravega cluster with runAsUser: 0 and check the segment store sts and the controller deployment; post-deployment they should have the following in their described output:
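The point the review thread turns on is the difference between a security context that is not set (nil pointer, no `securityContext` key in the rendered pod template) and one that sets `runAsUser: 0` (root). The following Go program is an added example, not code from the pravega-operator: it uses trimmed stand-in types instead of `k8s.io/api` (an assumption, so it runs with the standard library only), copies the context into the segment store pod template only when the user set it, and audits a pod spec as a verifier of the "How to verify it" step would, using a constructed sample instead of real `kubectl` output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Trimmed stand-ins for corev1.PodSecurityContext, Container and PodSpec.
// Assumption: they mirror only the fields used here and are not k8s.io/api.
type PodSecurityContext struct {
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
	FSGroup      *int64 `json:"fsGroup,omitempty"`
}

type Container struct {
	Name string `json:"name"`
}

type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
	Containers      []Container         `json:"containers"`
}

// PravegaSpec carries the field from the PR as a pointer with omitempty:
// nil means "not set", which is different from runAsUser: 0 (root).
type PravegaSpec struct {
	SegmentStoreSecurityContext *PodSecurityContext `json:"segmentStoreSecurityContext,omitempty"`
}

func int64Ptr(v int64) *int64 { return &v }
func boolPtr(v bool) *bool    { return &v }

// buildSegmentStorePodSpec copies the security context into the pod template
// only when the user set one, so the default template has no securityContext key.
func buildSegmentStorePodSpec(spec PravegaSpec) PodSpec {
	ps := PodSpec{Containers: []Container{{Name: "pravega-segmentstore"}}}
	if spec.SegmentStoreSecurityContext != nil {
		ps.SecurityContext = spec.SegmentStoreSecurityContext
	}
	return ps
}

// RenderJSON returns the pod template as it would be stored in the StatefulSet.
func RenderJSON(spec PravegaSpec) string {
	b, _ := json.Marshal(buildSegmentStorePodSpec(spec))
	return string(b)
}

// RootRisk classifies a pod-level security context the way an audit script
// would: an explicit UID 0 is root; an unset UID leaves the choice to the
// image (often also root) unless runAsNonRoot is true.
func RootRisk(psc *PodSecurityContext) string {
	if psc == nil {
		return "unset: UID decided by the image"
	}
	if psc.RunAsUser != nil {
		if *psc.RunAsUser == 0 {
			return "explicit root (runAsUser: 0)"
		}
		return fmt.Sprintf("non-root UID %d", *psc.RunAsUser)
	}
	if psc.RunAsNonRoot != nil && *psc.RunAsNonRoot {
		return "non-root enforced"
	}
	return "unset: UID decided by the image"
}

// AuditPodSpecJSON classifies a pod spec such as the one returned by
// `kubectl get sts <name> -o jsonpath='{.spec.template.spec}'`.
func AuditPodSpecJSON(raw string) (string, error) {
	var ps PodSpec
	if err := json.Unmarshal([]byte(raw), &ps); err != nil {
		return "", err
	}
	return RootRisk(ps.SecurityContext), nil
}

// Constructed sample of a deployed segment store template (not real output).
const sampleSegmentStoreSpec = `{"securityContext":{"runAsUser":0,"fsGroup":1000},` +
	`"containers":[{"name":"pravega-segmentstore"}]}`

func main() {
	fmt.Println("default  :", RenderJSON(PravegaSpec{}))
	root := PravegaSpec{SegmentStoreSecurityContext: &PodSecurityContext{RunAsUser: int64Ptr(0)}}
	fmt.Println("runAsUser:", RenderJSON(root))
	verdict, _ := AuditPodSpecJSON(sampleSegmentStoreSpec)
	fmt.Println("audit    :", verdict)
}
```

Run it with `go run main.go`: the default spec renders without any `securityContext` key, the opt-in spec renders `"runAsUser":0`, and the audit of the constructed sample reports explicit root, which is what the verification step above expects to see for a cluster deployed with `runAsUser: 0`.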