From f908d1ec486fc9d95daaafd3d8e671f3c6e54edf Mon Sep 17 00:00:00 2001 From: Michael Burman Date: Wed, 29 May 2024 15:49:51 +0300 Subject: [PATCH] Add new annotation, cassandra.datastax.com/readonly-fs that makes the cassandra container to run in ReadOnlyRootFilesystem securityContext --- .../construct_podtemplatespec.go | 43 ++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/pkg/reconciliation/construct_podtemplatespec.go b/pkg/reconciliation/construct_podtemplatespec.go index 56e5397a..0d0ea922 100644 --- a/pkg/reconciliation/construct_podtemplatespec.go +++ b/pkg/reconciliation/construct_podtemplatespec.go @@ -23,6 +23,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) const ( @@ -303,8 +304,27 @@ func addVolumes(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTemplateSpe EmptyDir: &corev1.EmptyDirVolumeSource{}, }, } + volumeDefaults := []corev1.Volume{vServerConfig, vServerLogs} + if readOnlyFs(dc) { + tmp := corev1.Volume{ + Name: "tmp", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } + + etcCass := corev1.Volume{ + Name: "etc-cassandra", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } + + volumeDefaults = append(volumeDefaults, tmp, etcCass) + } + if dc.UseClientImage() { vBaseConfig := corev1.Volume{ Name: "server-config-base", @@ -435,7 +455,7 @@ func buildInitContainers(dc *api.CassandraDatacenter, rackName string, baseTempl configMounts = append(configMounts, configBaseMount) - // Similar to k8ssandra 1.x, use config-container if use new config-builder replacement + // Similar to k8ssandra 1.x, use config-container if we use k8ssandra-client to build configs if configContainerIndex < 0 { configContainer = &corev1.Container{ Name: ServerBaseConfigContainerName, @@ -629,6 +649,12 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla } } + if readOnlyFs(dc) { + cassContainer.SecurityContext = &corev1.SecurityContext{ + ReadOnlyRootFilesystem: ptr.To[bool](true), + } + } + // Combine env vars envDefaults := []corev1.EnvVar{ @@ -706,6 +732,17 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla } } + if readOnlyFs(dc) { + cassContainer.VolumeMounts = append(cassContainer.VolumeMounts, corev1.VolumeMount{ + Name: "tmp", + MountPath: "/tmp", + }) + cassContainer.VolumeMounts = append(cassContainer.VolumeMounts, corev1.VolumeMount{ + Name: "etc-cassandra", + MountPath: "/etc/cassandra", + }) + } + volumeMounts = combineVolumeMountSlices(volumeMounts, cassContainer.VolumeMounts) cassContainer.VolumeMounts = combineVolumeMountSlices(volumeMounts, generateStorageConfigVolumesMount(dc)) @@ -763,6 +800,10 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla return nil } +func readOnlyFs(dc *api.CassandraDatacenter) bool { + return metav1.HasAnnotation(dc.ObjectMeta, "cassandra.datastax.com/readonly-fs") +} + func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) { baseTemplate := dc.Spec.PodTemplateSpec.DeepCopy()