Move from annotation to .spec.readOnlyRootFilesystem property, add ru…

…nAsNonRoot to default securityContext
k8ssandra · May 31, 2024 · 29c71d0 · 29c71d0
1 parent f908d1e
commit 29c71d0
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,8 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti
 
 ## unreleased
 
+* [ENHANCEMENT] [#199](https://github.com/k8ssandra/cass-operator/issues/199) If .spec.readOnlyRootFilesystem is set, run the cassandra container with readOnlyRootFilesystem. Also, modify the default SecurityContext to mention runAsNonRoot: true
+
 ## v1.21.0
 
 * [FEATURE] [#659](https://github.com/k8ssandra/cass-operator/issues/659) Add support for HCD serverType with versions 1.x.x. It will be deployed like Cassandra >= 4.1 for now.

diff --git a/apis/cassandra/v1beta1/cassandradatacenter_types.go b/apis/cassandra/v1beta1/cassandradatacenter_types.go
@@ -258,6 +258,10 @@ type CassandraDatacenterSpec struct {
 	// Use cautiously.
 	// +optional
 	DatacenterName string `json:"datacenterName,omitempty"`
+
+	// ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+	// new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty"`
 }
 
 type NetworkingConfig struct {

diff --git a/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml b/config/crd/bases/cassandra.datastax.com_cassandradatacenters.yaml
@@ -8814,6 +8814,11 @@ spec:
                   - name
                   type: object
                 type: array
+              readOnlyRootFilesystem:
+                description: |-
+                  ReadOnlyRootFilesystem makes the cassandra container to be run with a read-only root filesystem. Currently only functional when used with the
+                  new k8ssandra-client config builder (Cassandra 4.1 and newer and HCD)
+                type: boolean
               replaceNodes:
                 description: Deprecated Use CassandraTask replacenode to achieve correct
                   node replacement. A list of pod names that need to be replaced.

diff --git a/pkg/reconciliation/construct_podtemplatespec.go b/pkg/reconciliation/construct_podtemplatespec.go
@@ -801,7 +801,7 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 }
 
 func readOnlyFs(dc *api.CassandraDatacenter) bool {
-	return metav1.HasAnnotation(dc.ObjectMeta, "cassandra.datastax.com/readonly-fs")
+	return dc.Spec.ReadOnlyRootFilesystem && dc.UseClientImage()
 }
 
 func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) {
@@ -836,9 +836,10 @@ func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyI
 	if baseTemplate.Spec.SecurityContext == nil {
 		var userID int64 = 999
 		baseTemplate.Spec.SecurityContext = &corev1.PodSecurityContext{
-			RunAsUser:  &userID,
-			RunAsGroup: &userID,
-			FSGroup:    &userID,
+			RunAsUser:    &userID,
+			RunAsGroup:   &userID,
+			FSGroup:      &userID,
+			RunAsNonRoot: ptr.To[bool](true),
 		}
 	}
 

diff --git a/tests/testdata/default-two-rack-two-node-dc.yaml b/tests/testdata/default-two-rack-two-node-dc.yaml
@@ -9,6 +9,7 @@ spec:
   serverVersion: "4.0.10"
   managementApiAuth:
     insecure: {}
+  readOnlyRootFilesystem: true
   size: 2
   storageConfig:
       cassandraDataVolumeClaimSpec: