Add new annotation, cassandra.datastax.com/readonly-fs that makes the…

… cassandra container to run in ReadOnlyRootFilesystem securityContext
k8ssandra · May 29, 2024 · c855eab · c855eab
1 parent 721bfd5
commit c855eab
Showing 1 changed file with 42 additions and 1 deletion.
diff --git a/pkg/reconciliation/construct_podtemplatespec.go b/pkg/reconciliation/construct_podtemplatespec.go
@@ -23,6 +23,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -303,8 +304,27 @@ func addVolumes(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTemplateSpe
 			EmptyDir: &corev1.EmptyDirVolumeSource{},
 		},
 	}
+
 	volumeDefaults := []corev1.Volume{vServerConfig, vServerLogs}
 
+	if readOnlyFs(dc) {
+		tmp := corev1.Volume{
+			Name: "tmp",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		}
+
+		etcCass := corev1.Volume{
+			Name: "etc-cassandra",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		}
+
+		volumeDefaults = append(volumeDefaults, tmp, etcCass)
+	}
+
 	if dc.UseClientImage() {
 		vBaseConfig := corev1.Volume{
 			Name: "server-config-base",
@@ -435,7 +455,7 @@ func buildInitContainers(dc *api.CassandraDatacenter, rackName string, baseTempl
 
 		configMounts = append(configMounts, configBaseMount)
 
-		// Similar to k8ssandra 1.x, use config-container if use new config-builder replacement
+		// Similar to k8ssandra 1.x, use config-container if we use k8ssandra-client to build configs
 		if configContainerIndex < 0 {
 			configContainer = &corev1.Container{
 				Name: ServerBaseConfigContainerName,
@@ -625,6 +645,12 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 		}
 	}
 
+	if readOnlyFs(dc) {
+		cassContainer.SecurityContext = &corev1.SecurityContext{
+			ReadOnlyRootFilesystem: ptr.To[bool](true),
+		}
+	}
+
 	// Combine env vars
 
 	envDefaults := []corev1.EnvVar{
@@ -697,6 +723,17 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 		}
 	}
 
+	if readOnlyFs(dc) {
+		cassContainer.VolumeMounts = append(cassContainer.VolumeMounts, corev1.VolumeMount{
+			Name:      "tmp",
+			MountPath: "/tmp",
+		})
+		cassContainer.VolumeMounts = append(cassContainer.VolumeMounts, corev1.VolumeMount{
+			Name:      "etc-cassandra",
+			MountPath: "/etc/cassandra",
+		})
+	}
+
 	volumeMounts = combineVolumeMountSlices(volumeMounts, cassContainer.VolumeMounts)
 	cassContainer.VolumeMounts = combineVolumeMountSlices(volumeMounts, generateStorageConfigVolumesMount(dc))
 
@@ -754,6 +791,10 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 	return nil
 }
 
+func readOnlyFs(dc *api.CassandraDatacenter) bool {
+	return metav1.HasAnnotation(dc.ObjectMeta, "cassandra.datastax.com/readonly-fs")
+}
+
 func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) {
 
 	baseTemplate := dc.Spec.PodTemplateSpec.DeepCopy()