minio operator Editing MinIO operator not working after upgrade

Allan Roger Reid edited this page Jan 25, 2023 · 1 revision

Issue

From Cesar: The issue comes from file github.com/minio/operator/pkg/resources/statefulsets/minio-statefulset.go:424 because we can no longer support securityContext: {} in our Tenant Specification under the pools option as before. I think we are trying to get some values from an empty context:

	// Default to Pod values
	if pool.SecurityContext != nil {
		runAsNonRoot = *pool.SecurityContext.RunAsNonRoot
		runAsUser = *pool.SecurityContext.RunAsUser
		runAsGroup = *pool.SecurityContext.RunAsGroup
	}

PR was: https://github.com/minio/operator/pull/1372

We should fix the above issue/panic and still support securityContext: {} under pools in the Tenant Specification.

Reproduce

  1. Deploy and maintain a kind cluster with tenant-lite. e.g. with testing/deploy-tenant.sh in the operator repo. Ensure that the destroy_kind command is commented out.

  2. Once the tenant pods are online, edit the tenant ensuring the following is under .spec.pools, with k -n tenant-lite edit tenants.minio.min.io:

    securityContext:
      #runAsUser: 1000
      #runAsGroup: 1000
      #runAsNonRoot: true
      fsGroup: 1000
    containerSecurityContext:
      runAsUser: 1000       
      runAsGroup: 1000
      runAsNonRoot: true

  3. Restart the tenant pods, and observe them in a non-ready state:

    k -n tenant-lite delete pod/storage-lite-pool-0-0
    k -n tenant-lite delete pod/storage-lite-pool-0-1
    k -n tenant-lite delete pod/storage-lite-pool-0-2
    k -n tenant-lite delete pod/storage-lite-pool-0-3
    k -n tenant-lite get pods | grep "pool-0"

  4. Add the security context to the tenant with k -n tenant-lite edit tenants.minio.min.io:

    securityContext:
      runAsUser: 1000
      runAsGroup: 1000
      runAsNonRoot: true
      fsGroup: 1000

  5. Restart the tenant pods, and observe them in a ready state:

    k -n tenant-lite delete pod/storage-lite-pool-0-0
    k -n tenant-lite delete pod/storage-lite-pool-0-1
    k -n tenant-lite delete pod/storage-lite-pool-0-2
    k -n tenant-lite delete pod/storage-lite-pool-0-3
    k -n tenant-lite get pods | grep "pool-0"

Fix

  1. Modify pkg/resources/statefulsets/minio-statefulset.go so that each field is dereferenced only when it is non-null, which avoids the NPE:

	// Default to Pod values
	if pool.SecurityContext != nil {
		if pool.SecurityContext.RunAsNonRoot != nil {
			runAsNonRoot = *pool.SecurityContext.RunAsNonRoot
		}
		if pool.SecurityContext.RunAsUser != nil {
			runAsUser = *pool.SecurityContext.RunAsUser
		}
		if pool.SecurityContext.RunAsGroup != nil {
			runAsGroup = *pool.SecurityContext.RunAsGroup
		}
	}
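
The failure and the fix side by side, as an added example that is not the operator's own code: the types, function names and default values are assumptions made for illustration, and the input is a constructed securityContext in which only fsGroup is set, so all three pointer fields are nil.

```go
package main

import "fmt"

// SecurityContext stands in for the pointer fields the page's snippet reads.
type SecurityContext struct {
	RunAsNonRoot          *bool
	RunAsUser, RunAsGroup *int64
}

// Effective holds resolved values; the defaults below are assumed.
type Effective struct {
	RunAsNonRoot          bool
	RunAsUser, RunAsGroup int64
}
var defaults = Effective{RunAsNonRoot: true, RunAsUser: 1000, RunAsGroup: 1000}

// resolveUnsafe mirrors the pre-fix logic; the panic is returned as an error.
func resolveUnsafe(sc *SecurityContext) (e Effective, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	e = defaults
	if sc != nil {
		e.RunAsNonRoot, e.RunAsUser, e.RunAsGroup = *sc.RunAsNonRoot, *sc.RunAsUser, *sc.RunAsGroup
	}
	return e, nil
}

// resolveSafe mirrors the fix: dereference only the fields that are set.
func resolveSafe(sc *SecurityContext) Effective {
	e := defaults
	if sc != nil && sc.RunAsNonRoot != nil {
		e.RunAsNonRoot = *sc.RunAsNonRoot
	}
	if sc != nil && sc.RunAsUser != nil {
		e.RunAsUser = *sc.RunAsUser
	}
	if sc != nil && sc.RunAsGroup != nil {
		e.RunAsGroup = *sc.RunAsGroup
	}
	return e
}

func main() {
	_, err := resolveUnsafe(&SecurityContext{}) // constructed: fsGroup-only case
	fmt.Println("pre-fix:", err, "| post-fix:", resolveSafe(&SecurityContext{}))
}
```

With the per-field checks, an omitted field silently keeps its default, so after editing a tenant it is worth confirming the effective runAsUser, runAsGroup and runAsNonRoot on the running pods.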

Test

  1. Clone https://github.com/allanrogerr/operator/tree/fix-security-context-npe. Deploy and maintain a kind cluster with tenant-lite, e.g. with testing/deploy-tenant.sh in the operator repo. Ensure that the destroy_kind command is commented out.

  2. Once the tenant pods are online, edit the tenant ensuring the following is under .spec.pools, with k -n tenant-lite edit tenants.minio.min.io:

    securityContext:
      #runAsUser: 1000
      #runAsGroup: 1000
      #runAsNonRoot: true
      fsGroup: 1000
    containerSecurityContext:
      runAsUser: 1000       
      runAsGroup: 1000
      runAsNonRoot: true

  3. Restart the tenant pods, and observe them in a ready state:

    k -n tenant-lite delete pod/storage-lite-pool-0-0
    k -n tenant-lite delete pod/storage-lite-pool-0-1
    k -n tenant-lite delete pod/storage-lite-pool-0-2
    k -n tenant-lite delete pod/storage-lite-pool-0-3
    k -n tenant-lite get pods | grep "pool-0"
