From 7c92fe249960256ec9e6415d02fb39caf96fa2f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Levilain?=
Date: Mon, 11 Mar 2024 12:04:43 +0100
Subject: [PATCH] fix(shulker-operator): set fs group to Redis container to fix persistence permissions

---
 Cargo.lock | 4 ++--
 .../minecraft_cluster/redis_stateful_set.rs | 11 +++++++++--
 ...er__redis_stateful_set__tests__build_snapshot.snap | 8 +++++---
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 990b5b5e..bfb09e69 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1353,9 +1353,9 @@ dependencies = [
 [[package]]
 name = "mio"
-version = "0.8.9"
+version = "0.8.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3dce281c5e46beae905d4de1870d8b1509a9142b62eedf18b443b011ca8343d0"
+checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
 dependencies = [
 "libc",
 "wasi",
diff --git a/packages/shulker-operator/src/reconcilers/minecraft_cluster/redis_stateful_set.rs b/packages/shulker-operator/src/reconcilers/minecraft_cluster/redis_stateful_set.rs
index 70c76b8c..31ed31d6 100644
--- a/packages/shulker-operator/src/reconcilers/minecraft_cluster/redis_stateful_set.rs
+++ b/packages/shulker-operator/src/reconcilers/minecraft_cluster/redis_stateful_set.rs
@@ -8,6 +8,7 @@ use k8s_openapi::api::core::v1::ContainerPort;
 use k8s_openapi::api::core::v1::EnvVar;
 use k8s_openapi::api::core::v1::PersistentVolumeClaim;
 use k8s_openapi::api::core::v1::PersistentVolumeClaimSpec;
+use k8s_openapi::api::core::v1::PodSecurityContext;
 use k8s_openapi::api::core::v1::PodSpec;
 use k8s_openapi::api::core::v1::PodTemplateSpec;
 use k8s_openapi::api::core::v1::SecurityContext;
@@ -31,11 +32,16 @@ const REDIS_IMAGE: &str = "redis:7-alpine";
 const REDIS_DATA_DIR: &str = "/data";
 lazy_static! {
+ static ref REDIS_POD_SECURITY_CONTEXT: PodSecurityContext = PodSecurityContext {
+ run_as_user: Some(1000),
+ run_as_group: Some(1000),
+ run_as_non_root: Some(true),
+ fs_group: Some(1000),
+ ..PodSecurityContext::default()
+ };
 static ref REDIS_SECURITY_CONTEXT: SecurityContext = SecurityContext {
 allow_privilege_escalation: Some(false),
 read_only_root_filesystem: Some(true),
- run_as_non_root: Some(true),
- run_as_user: Some(1000),
 capabilities: Some(Capabilities {
 drop: Some(vec!["ALL".to_string()]),
 ..Capabilities::default()
@@ -140,6 +146,7 @@ impl RedisStatefulSetBuilder {
 }]),
 ..Container::default()
 }],
+ security_context: Some(REDIS_POD_SECURITY_CONTEXT.clone()),
 ..PodSpec::default()
 };
diff --git a/packages/shulker-operator/src/reconcilers/minecraft_cluster/snapshots/shulker_operator__reconcilers__minecraft_cluster__redis_stateful_set__tests__build_snapshot.snap b/packages/shulker-operator/src/reconcilers/minecraft_cluster/snapshots/shulker_operator__reconcilers__minecraft_cluster__redis_stateful_set__tests__build_snapshot.snap
index 4cb66c08..75a89d62 100644
--- a/packages/shulker-operator/src/reconcilers/minecraft_cluster/snapshots/shulker_operator__reconcilers__minecraft_cluster__redis_stateful_set__tests__build_snapshot.snap
+++ b/packages/shulker-operator/src/reconcilers/minecraft_cluster/snapshots/shulker_operator__reconcilers__minecraft_cluster__redis_stateful_set__tests__build_snapshot.snap
@@ -53,11 +53,14 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
 volumeMounts:
 - mountPath: /data
 name: data
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 volumeClaimTemplates:
 - apiVersion: v1
 kind: PersistentVolumeClaim
@@ -69,4 +72,3 @@ spec:
 resources:
 requests:
 storage: 1Gi
-
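Review bot: The new `REDIS_POD_SECURITY_CONTEXT` sets `fs_group` without `fs_group_change_policy`, so the kubelet keeps its default `Always` policy and recursively re-chowns and re-chmods the whole `/data` volume on every pod start, which on a growing persistent volume slows each restart and rewrites ownership on files that are already correct. Adding `fs_group_change_policy: Some("OnRootMismatch".to_string()),` beside `fs_group: Some(1000),` limits that walk to volumes whose root is not already owned by gid 1000, which is all the permission fix needs; whether the CSI driver in use honours fsGroup at all depends on its fsGroupPolicy, so that is worth checking against the storage class. The pod-level context also declares no `seccomp_profile`; the container-level settings left in place (drop ALL, no privilege escalation, read-only root) together with `run_as_non_root` match the restricted Pod Security Standard except for `seccompProfile.type: RuntimeDefault`, which would need `SeccompProfile` imported next to `PodSecurityContext`. The `lazy_static!` block this hunk edits closes outside the hunk.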