Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ReadOnlyRootFilesystem support #661

Merged
merged 6 commits into from
Jul 19, 2024
Merged

ReadOnlyRootFilesystem support #661

merged 6 commits into from
Jul 19, 2024

Conversation

burmanm
Copy link
Contributor

@burmanm burmanm commented May 29, 2024
edited by adejanovski
Loading

What this PR does:
Adds new Spec field: ReadOnlyRootFilesystem that adds necessary new volumes and disables MCAC (since it can't work in this system).

See required PR to get it working (smoke_test_read_only_fs uses image based on this PR): k8ssandra/management-api-for-apache-cassandra#491

Which issue(s) this PR fixes:
Fixes #196
Fixes #199
Fixes #210

Checklist

  • Changes manually tested
  • Automated Tests added/updated
  • Documentation added/updated
  • CHANGELOG.md updated (not required for documentation PRs)
  • CLA Signed: DataStax CLA

@burmanm
Copy link
Contributor Author

burmanm commented May 29, 2024

This PR requires modified management-api to start. Here's a YAML to test..

apiVersion: cassandra.datastax.com/v1beta1
kind: CassandraDatacenter
metadata:
  name: dc1
  annotations:
    cassandra.datastax.com/readonly-fs: "true"
spec:
  clusterName: cluster1
  serverType: cassandra
  serverVersion: "4.1.4"
  serverImage: michaelburman290/cass-management-api:4.1.4
  managementApiAuth:
    insecure: {}
  size: 2
  storageConfig:
      cassandraDataVolumeClaimSpec:
        storageClassName: standard
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
  racks:
    - name: r1
    - name: r2
  podTemplateSpec:
    spec:
      containers:
        - name: "cassandra"
          securityContext:
            readOnlyRootFilesystem: true
      securityContext:
        runAsUser: 12345
        runAsGroup: 0
        runAsNonRoot: true
  config:
    jvm-server-options:
      initial_heap_size: "512m"
      max_heap_size: "512m"
      additional-jvm-opts:
        - "-Dcassandra.system_distributed_replication_per_dc=1"

@burmanm burmanm marked this pull request as ready for review May 31, 2024 15:38
@burmanm burmanm requested a review from a team as a code owner May 31, 2024 15:38
@burmanm burmanm changed the title Experimental ReadOnlyRootFilesystem support ReadOnlyRootFilesystem support Jul 16, 2024
adejanovski
adejanovski approved these changes Jul 18, 2024
View reviewed changes
Copy link
Contributor

@adejanovski adejanovski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works as expected 👍

burmanm added 5 commits July 19, 2024 14:38
@burmanm
Add new annotation, cassandra.datastax.com/readonly-fs that makes the…
cce8716 
… cassandra container to run in ReadOnlyRootFilesystem securityContext
@burmanm
Move from annotation to .spec.readOnlyRootFilesystem property, add ru…
e9db5f4 
…nAsNonRoot to default securityContext
@burmanm
Fix existing tests
bb8e733
@burmanm
Add unit tests, e2e test, modify readOnlyRootFilesystem to be *bool (…
e20b1fc 
…so we can set it to true by default later), add verification that MCAC is disabled when used with readOnlyRootFilesystem
@burmanm
Remove $ character
c1a5a0a
@burmanm burmanm merged commit cf277bc into k8ssandra:master Jul 19, 2024
2 of 3 checks passed
@burmanm burmanm mentioned this pull request Sep 11, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bradfordcp bradfordcp bradfordcp left review comments

@adejanovski adejanovski adejanovski approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@burmanm @bradfordcp @adejanovski