[Merged by Bors] - openshift compatibility

CHANGELOG.md

@@ -7,8 +7,10 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - Include chart name when installing with a custom release name ([#205])
+- Added OpenShift compatiblity ([#225])
 
 [#205]: https://github.com/stackabletech/hdfs-operator/pull/205
+[#225]: https://github.com/stackabletech/hdfs-operator/pull/225
 
 ## [0.4.0] - 2022-06-30
 
@@ -30,7 +32,6 @@ All notable changes to this project will be documented in this file.
 - `HADOOP_OPTS` for jmx exporter specified to `HADOOP_NAMENODE_OPTS`, `HADOOP_DATANODE_OPTS` and `HADOOP_JOURNALNODE_OPTS` to fix cli tool ([#148]).
 - [BREAKING] Specifying the product version has been changed to adhere to [ADR018](https://docs.stackable.tech/home/contributor/adr/ADR018-product_image_versioning.html) instead of just specifying the product version you will now have to add the Stackable image version as well, so `version: 3.5.8` becomes (for example) `version: 3.5.8-stackable0.1.0` ([#180])
 
-
 [#122]: https://github.com/stackabletech/hdfs-operator/pull/122
 [#130]: https://github.com/stackabletech/hdfs-operator/pull/130
 [#134]: https://github.com/stackabletech/hdfs-operator/pull/134

deploy/helm/hdfs-operator/templates/roles.yaml

@@ -89,3 +89,83 @@ rules:
  - {{ include "operator.name" . }}clusters/status
  verbs:
  - patch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - bind
+ resourceNames:
+ - {{ include "operator.name" . }}-clusterrole
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: hdfs-scc
+ annotations:
+ kubernetes.io/description: |-
+ This resource is derived from hostmount-anyuid. It provides all the features of the
+ restricted SCC but allows host mounts and any UID by a pod. This is primarily
+ used by the persistent volume recycler. WARNING: this SCC allows host file
+ system access as any UID, including UID 0. Grant with caution.
+ release.openshift.io/create-only: "true"
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+readOnlyRootFilesystem: false
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- hostPath
+- nfs
+- persistentVolumeClaim
+- projected
+- secret
+- ephemeral
+{{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "operator.name" . }}-clusterrole
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - hdfs-scc
+ verbs:
+ - use
+{{ end }}

deploy/manifests/roles.yaml

@@ -89,3 +89,31 @@ rules:
  - hdfsclusters/status
  verbs:
  - patch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - bind
+ resourceNames:
+ - hdfs-clusterrole
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: hdfs-clusterrole
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create

rust/crd/src/error.rs

@@ -126,6 +126,17 @@ pub enum Error {
  JournalnodeJavaHeapConfig {
  source: stackable_operator::error::Error,
  },
+
+ #[error("failed to patch service account: {source}")]
+ ApplyServiceAccount {
+ name: String,
+ source: stackable_operator::error::Error,
+ },
+ #[error("failed to patch role binding: {source}")]
+ ApplyRoleBinding {
+ name: String,
+ source: stackable_operator::error::Error,
+ },
 }
 pub type HdfsOperatorResult<T> = std::result::Result<T, Error>;
 

rust/operator/src/hdfs_controller.rs

@@ -2,11 +2,11 @@ use crate::config::{
  CoreSiteConfigBuilder, HdfsNodeDataDirectory, HdfsSiteConfigBuilder, ROOT_DATA_DIR,
 };
 use crate::discovery::build_discovery_configmap;
-use crate::OPERATOR_NAME;
+use crate::{rbac, OPERATOR_NAME};
 use stackable_hdfs_crd::error::{Error, HdfsOperatorResult};
 use stackable_hdfs_crd::{constants::*, ROLE_PORTS};
 use stackable_hdfs_crd::{HdfsCluster, HdfsPodRef, HdfsRole};
-use stackable_operator::builder::{ConfigMapBuilder, ObjectMetaBuilder};
+use stackable_operator::builder::{ConfigMapBuilder, ObjectMetaBuilder, PodSecurityContextBuilder};
 use stackable_operator::client::Client;
 use stackable_operator::k8s_openapi::api::core::v1::{
  Container, ContainerPort, ObjectFieldSelector, PodSpec, PodTemplateSpec, Probe,
@@ -25,6 +25,7 @@ use stackable_operator::kube::api::ObjectMeta;
 use stackable_operator::kube::runtime::controller::Action;
 use stackable_operator::kube::runtime::events::{Event, EventType, Recorder, Reporter};
 use stackable_operator::kube::runtime::reflector::ObjectRef;
+use stackable_operator::kube::ResourceExt;
 use stackable_operator::labels::role_group_selector_labels;
 use stackable_operator::memory::to_java_heap;
 use stackable_operator::product_config::{types::PropertyNameKind, ProductConfigManager};
@@ -72,6 +73,22 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
 
  let dfs_replication = hdfs.spec.dfs_replication;
 
+ let (rbac_sa, rbac_rolebinding) = rbac::build_rbac_resources(hdfs.as_ref(), "hdfs");
+ client
+ .apply_patch(FIELD_MANAGER_SCOPE, &rbac_sa, &rbac_sa)
+ .await
+ .map_err(|source| Error::ApplyServiceAccount {
+ source,
+ name: rbac_sa.name_any(),
+ })?;
+ client
+ .apply_patch(FIELD_MANAGER_SCOPE, &rbac_rolebinding, &rbac_rolebinding)
+ .await
+ .map_err(|source| Error::ApplyRoleBinding {
+ source,
+ name: rbac_rolebinding.name_any(),
+ })?;
+
  for (role_name, group_config) in validated_config.iter() {
  let role: HdfsRole = serde_yaml::from_str(role_name).unwrap();
  let role_ports = ROLE_PORTS.get(&role).unwrap().as_slice();
@@ -111,6 +128,7 @@ pub async fn reconcile_hdfs(hdfs: Arc<HdfsCluster>, ctx: Arc<Ctx>) -> HdfsOperat
  &rolegroup_ref,
  &namenode_podrefs,
  &hadoop_container,
+ &rbac_sa.name_any(),
  )?;
 
  client
@@ -295,6 +313,7 @@ fn rolegroup_statefulset(
  rolegroup_ref: &RoleGroupRef<HdfsCluster>,
  namenode_podrefs: &[HdfsPodRef],
  hadoop_container: &Container,
+ rbac_sa: &str,
 ) -> HdfsOperatorResult<StatefulSet> {
  tracing::info!("Setting up StatefulSet for {:?}", rolegroup_ref);
  let service_name = rolegroup_ref.object_name();
@@ -342,6 +361,14 @@ fn rolegroup_statefulset(
  }),
  ..Volume::default()
  }]),
+ service_account: Some(rbac_sa.to_string()),
+ security_context: Some(
+ PodSecurityContextBuilder::new()
+ .run_as_user(rbac::HDFS_UID)
+ .run_as_group(0)
+ .fs_group(1000) // Needed for secret-operator
+ .build(),
+ ),
  ..PodSpec::default()
  }),
  };

rust/operator/src/lib.rs

@@ -2,6 +2,7 @@ mod config;
 mod discovery;
 mod hdfs_controller;
 mod pod_svc_controller;
+mod rbac;
 
 use std::sync::Arc;
 

rust/operator/src/rbac.rs

@@ -0,0 +1,44 @@
+use stackable_operator::builder::ObjectMetaBuilder;
+use stackable_operator::k8s_openapi::api::core::v1::ServiceAccount;
+use stackable_operator::k8s_openapi::api::rbac::v1::{RoleBinding, RoleRef, Subject};
+use stackable_operator::kube::{Resource, ResourceExt};
+
+/// Used as runAsUser in the pod security context. This is specified in the Hadoop image file
+pub const HDFS_UID: i64 = 1000;
+
+/// Build RBAC objects for the product workloads.
+/// The `rbac_prefix` is meant to be the product name, for example: zookeeper, airflow, etc.
+/// and it is a assumed that a ClusterRole named `{rbac_prefix}-clusterrole` exists.
+pub fn build_rbac_resources<T: Resource>(
+ resource: &T,
+ rbac_prefix: &str,
+) -> (ServiceAccount, RoleBinding) {
+ let sa_name = format!("{rbac_prefix}-sa");
+ let service_account = ServiceAccount {
+ metadata: ObjectMetaBuilder::new()
+ .name_and_namespace(resource)
+ .name(sa_name.clone())
+ .build(),
+ ..ServiceAccount::default()
+ };
+
+ let role_binding = RoleBinding {
+ metadata: ObjectMetaBuilder::new()
+ .name_and_namespace(resource)
+ .name(format!("{rbac_prefix}-rolebinding"))
+ .build(),
+ role_ref: RoleRef {
+ kind: "ClusterRole".to_string(),
+ name: format!("{rbac_prefix}-clusterrole"),
+ api_group: "rbac.authorization.k8s.io".to_string(),
+ },
+ subjects: Some(vec![Subject {
+ kind: "ServiceAccount".to_string(),
+ name: sa_name,
+ namespace: resource.namespace(),
+ ..Subject::default()
+ }]),
+ };
+
+ (service_account, role_binding)
+}

tests/templates/kuttl/fs-ops/01-assert.yaml

@@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 metadata:
  name: install-hdfs
-timeout: 300
+timeout: 600
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/fs-ops/02-webhdfs.yaml

@@ -17,6 +17,6 @@ spec:
  spec:
  containers:
  - name: webhdfs
- image: python:3.10-slim
+ image: docker.stackable.tech/stackable/testing-tools:0.1.0-stackable0.1.0
  stdin: true
  tty: true

tests/templates/kuttl/fs-ops/03-create-file.yaml

@@ -4,6 +4,4 @@ kind: TestStep
 commands:
  - script: kubectl cp -n $NAMESPACE ./webhdfs.py webhdfs-0:/tmp
  - script: kubectl cp -n $NAMESPACE ./testdata.txt webhdfs-0:/tmp
- - script: kubectl cp -n $NAMESPACE ./requirements.txt webhdfs-0:/tmp
- - script: kubectl exec -n $NAMESPACE webhdfs-0 -- pip install --user -r /tmp/requirements.txt
  - script: kubectl exec -n $NAMESPACE webhdfs-0 -- python /tmp/webhdfs.py create