make the root file system read only and run as non-root user [K8SSAND-954][K8SSAND-962][K8SSAND-801] #218
Closed
jsanda changed the title from "make the root file system read only and run as non-root user" to "[WIP] make the root file system read only and run as non-root user" on Oct 23, 2021
jsanda force-pushed the read-only-root-fs branch from 49b4d40 to fca604b on October 24, 2021 14:25
jsanda changed the title from "[WIP] make the root file system read only and run as non-root user" to "make the root file system read only and run as non-root user" on Oct 29, 2021
These changes apply to both DSE and Cassandra as well as init containers and the logging sidecar container. Tests have been updated to pass but additional updates are needed still to cover the changes.
Updates and refactoring of relevant unit tests will follow in subsequent commits.
The test is passing locally for me so it is entirely possible that the failure in GHA is due to resource constraints. There is no need to deploy 6 C* nodes to test a config change particularly when the tests are running in GHA. Furthermore, it will just make the test slower.
jsanda force-pushed the read-only-root-fs branch from 3520081 to 4b02cc6 on October 29, 2021 21:28
jdonenine changed the title from "make the root file system read only and run as non-root user" to "make the root file system read only and run as non-root user [K8SSAND-954]" on Nov 17, 2021
jdonenine changed the title from "make the root file system read only and run as non-root user [K8SSAND-954]" to "make the root file system read only and run as non-root user [K8SSAND-954][K8SSAND-962][K8SSAND-801]" on Nov 17, 2021
@burmanm, this is a fairly old PR. Is it still relevant?
Probably not at this point, the use-case/scenario itself is still not implemented, but there have been other changes to the cass-operator and other parts that this PR wouldn't be mergeable in any case.
ok, I'll close the PR then and we can revisit this at some point.
What this PR does:
Make the root file system read-only and the user non-root for all containers that cass-operator deploys by default.
The goal is to adopt the principle of least privilege so that there shouldn't be any need for users to override the default pod security context or container level security contexts (unless they want less security).
Changes have been made to support both Cassandra and DSE.
I have added a new init container, `base-config-init`, which copies base config files onto a config volume. The config files generated by the `server-config-init` init container are copied onto this volume. It is worth noting that we can have `server-config-init` write directly to the new config volume. I held off on doing that though we should update the management-api entrypoint script. Coordinating those changes will make things a bit tricky so I held off for now.
The default PodSecurityContext is now configured with `RunAsNonRoot: true`. I have also added a default SecurityContext for all of the containers to keep things locked down.
Which issue(s) this PR fixes:
Fixes #196, #199, #210, #211
Checklist
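An added example, not code from this PR or from cass-operator: a stand-alone Go check that every container in a pod manifest, init containers included, ends up non-root with a read-only root filesystem, which are the defaults the description above sets out. The manifest is constructed (only the two init container names come from the PR text), and the type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Pod schema; encoding/json matches keys case-insensitively.
type secCtx struct{ RunAsNonRoot, ReadOnlyRootFilesystem *bool }
type container struct {
	Name            string
	SecurityContext secCtx
}
type podSpec struct {
	SecurityContext            secCtx
	InitContainers, Containers []container
}

// Constructed sample; "cassandra" and "logger" are illustrative container names.
const samplePod = `{"spec":{"securityContext":{"runAsNonRoot":true},
 "initContainers":[{"name":"base-config-init","securityContext":{"readOnlyRootFilesystem":true}},
  {"name":"server-config-init","securityContext":{"readOnlyRootFilesystem":true}}],
 "containers":[{"name":"cassandra","securityContext":{"readOnlyRootFilesystem":true}},
  {"name":"logger","securityContext":{"runAsNonRoot":false}}]}}`

// Audit lists containers that may run as root or keep a writable root filesystem.
func Audit(manifest string) ([]string, error) {
	var p struct{ Spec podSpec }
	if err := json.Unmarshal([]byte(manifest), &p); err != nil {
		return nil, err
	}
	isTrue := func(b *bool) bool { return b != nil && *b }
	var out []string
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		nonRoot := p.Spec.SecurityContext.RunAsNonRoot // pod-level default
		if c.SecurityContext.RunAsNonRoot != nil {
			nonRoot = c.SecurityContext.RunAsNonRoot // container value overrides it
		}
		if !isTrue(nonRoot) {
			out = append(out, c.Name+": runAsNonRoot not enforced")
		}
		// readOnlyRootFilesystem exists only per container, so it must be set on each one.
		if !isTrue(c.SecurityContext.ReadOnlyRootFilesystem) {
			out = append(out, c.Name+": root filesystem is writable")
		}
	}
	return out, nil
}

func main() { fmt.Println(Audit(samplePod)) }
```

The constructed `logger` container shows why a pod-level default alone is not enough: its container-level `runAsNonRoot: false` overrides the pod setting, and it has no read-only root filesystem because that field cannot be set at pod level.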