Add SYS_RESOURCE security context capability if not set

pkg/k8sops/generators_test.go

@@ -160,6 +160,9 @@ func TestGenerateStatefulSet(t *testing.T) {
 							ReadinessProbe: readiness,
 							SecurityContext: &v1.SecurityContext{
 								RunAsUser: pointer.Int64Ptr(20),
+								Capabilities: &v1.Capabilities{
+									Add: []v1.Capability{v1.Capability("SYS_RESOURCE")},
+								},
 							},
 							Command: []string{
 								"m3dbnode",

pkg/k8sops/statefulset.go

@@ -38,6 +38,7 @@ import (
 const (
 	podIdentityVolumePath = "/etc/m3db/pod-identity"
 	podIdentityVolumeName = "pod-identity"
+	capabilitySysResource = v1.Capability("SYS_RESOURCE")
 )
 
 var (
@@ -89,6 +90,24 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 		},
 	}
 
+	// Add SYS_RESOURCE security capability if not set (required to raise
+	// rlimit nofile from the process in container)
+	specSecurityCtx := cluster.Spec.SecurityContext
+	if specSecurityCtx.Capabilities == nil {
+		specSecurityCtx.Capabilities = &v1.Capabilities{}
+	}
+	hasCapabilitySysResource := false
+	for _, c := range specSecurityCtx.Capabilities.Add {
+		if c == capabilitySysResource {
+			hasCapabilitySysResource = true
+			break
+		}
+	}
+	if !hasCapabilitySysResource {
+		specSecurityCtx.Capabilities.Add =
+			append(specSecurityCtx.Capabilities.Add, capabilitySysResource)
+	}
+
 	return &appsv1.StatefulSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   ssName,
@@ -110,7 +129,7 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 					Containers: []v1.Container{
 						{
 							Name:            ssName,
-							SecurityContext: cluster.Spec.SecurityContext,
+							SecurityContext: specSecurityCtx,
 							ReadinessProbe:  probeReady,
 							LivenessProbe:   probeHealth,
 							Command: []string{