
minio operator Add ContainerSecurityContext to Pools #1372

Allan Roger Reid edited this page Jan 25, 2023 · 1 revision

Status: Open

Pull Request

https://github.com/minio/operator/pull/1372

Issues

https://github.com/minio/operator/issues/1366
https://github.com/minio/operator/issues/1310
https://github.com/minio/operator/issues/1267

Steps

1a. Commented out "destroy_kind" from ./testing/check-helm.sh

b. Run ./testing/check-helm.sh

c. Observe operator, console and tenant without Container Security Context

k get pod/minio-operator-6699f5484b-44hrk -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get pod/console-76658fcbb-2wj98 -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get tenant/minio1 -n default -o jsonpath="{.spec.pools[0].containerSecurityContext}"

(Screenshots: Operator image, Console image, Tenant image)

d. Commented out "destroy_kind" from ./testing/deploy-tenant.sh

e. Run ./testing/deploy-tenant.sh

f. Observe operator, console and tenant without Container Security Context

k get pod/minio-operator-7f7fc7c985-7gfzn -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get pod/console-5c7b9cc488-qjn2c -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get tenant/storage-lite -n tenant-lite -o jsonpath="{.spec.pools[0].containerSecurityContext}"

Note: kustomize minio-operator values are defaulted in testing/dev/deployment.yaml

(Screenshots: Operator image, Console image, Tenant image)

g. Modify temporarily:

  helm/operator/values.yaml: add the following yaml snippet under "console" and "operator"
  helm/tenant/values.yaml: add the following yaml snippet under "pools"

containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  capabilities:
    add:
      - ALL
    drop:
      - ALL

Modify temporarily examples/kustomization/tenant-lite/tenant.yaml Add the following yaml snippet under "pools"

containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  capabilities:
    add:
      - ALL
    drop:
      - ALL

Modify temporarily:

  resources/base/console-ui.yaml
  resources/base/deployment.yaml

Add the following yaml snippet under "containers"

securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  capabilities:
    add:
      - ALL
    drop:
      - ALL

h. Run ./testing/check-helm.sh again

i. After the test completes, observe operator, console and tenant output yamls with the above Container Security Context e.g.

k get pod/minio-operator-8bbdb59d6-m8qh9 -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get pod/console-857cc4f4fb-zn5fv -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get tenant/minio1 -n default -o jsonpath="{.spec.pools[0].containerSecurityContext}"

(Screenshots: Operator image, Console image, Tenant image)

j. Run ./testing/deploy-tenant.sh again

k. After the test completes, observe operator, console and tenant output yamls with the above Container Security Contexts e.g.

k get pod/minio-operator-95c4dc86-gqnvd -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get pod/console-988f7d86d-nnr6g -n minio-operator -o jsonpath="{.spec.containers[0].securityContext}"
k get tenant/storage-lite -n tenant-lite -o jsonpath="{.spec.pools[0].containerSecurityContext}"

(Screenshots: Operator image, Console image, Tenant image)
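As an added check (not part of the PR or of the operator's test scripts), the script below evaluates the securityContext JSON that the jsonpath queries in these steps print against the restricted Pod Security Standard; the sample strings are constructed, and the kubectl wrapper assumes kubectl is on PATH. Note that the test snippet used above both adds and drops ALL capabilities, which the restricted profile does not permit (only NET_BIND_SERVICE may be added back), so the checker reports it as a finding.

```python
import json
import subprocess

# Constructed sample outputs of the jsonpath queries used on this page.
# Hardened variant (assumed): drop ALL without adding ALL back.
SAMPLE_HARDENED = ('{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},'
                   '"readOnlyRootFilesystem":false,"runAsGroup":1000,'
                   '"runAsNonRoot":true,"runAsUser":1000}')
# Mirrors the test snippet on this page: add ALL as well as drop ALL.
SAMPLE_PAGE_SNIPPET = ('{"allowPrivilegeEscalation":false,'
                       '"capabilities":{"add":["ALL"],"drop":["ALL"]},'
                       '"readOnlyRootFilesystem":false,"runAsGroup":1000,'
                       '"runAsNonRoot":true,"runAsUser":1000}')
# What steps c and f observe: no securityContext at all (jsonpath prints nothing).
SAMPLE_MISSING = ""


def check_security_context(jsonpath_output: str) -> list[str]:
    """Compare one securityContext JSON object against the restricted
    Pod Security Standard. Returns a list of findings; [] means it passes."""
    if not jsonpath_output.strip():
        return ["securityContext is not set"]
    sc = json.loads(jsonpath_output)
    findings = []
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot must be true")
    if sc.get("runAsUser") == 0:
        findings.append("runAsUser must not be 0")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation must be false")
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities.drop must include ALL")
    # The restricted profile only permits adding NET_BIND_SERVICE back;
    # add: [ALL] (as in the page's test snippet) is flagged here.
    extra = [c for c in (caps.get("add") or []) if c != "NET_BIND_SERVICE"]
    if extra:
        findings.append(f"capabilities.add {extra} not allowed (only NET_BIND_SERVICE)")
    return findings


def kubectl_security_context(kind: str, name: str, namespace: str) -> str:
    """Run the same jsonpath query the page uses for a pod (containers[0])
    or a tenant (pools[0]); returns the raw output string for the checker."""
    path = ("{.spec.pools[0].containerSecurityContext}" if kind == "tenant"
            else "{.spec.containers[0].securityContext}")
    cmd = ["kubectl", "get", f"{kind}/{name}", "-n", namespace, "-o", f"jsonpath={path}"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```

Feeding `kubectl_security_context("tenant", "storage-lite", "tenant-lite")` into `check_security_context` reproduces step k as an automated pass/fail instead of a visual inspection.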
