From 02569c9adb4adbc33cccd00ac79479602e8424b9 Mon Sep 17 00:00:00 2001
From: Rob Skillington
Date: Sun, 26 May 2019 16:55:00 +0200
Subject: [PATCH] Add SYS_RESOURCE security context capability if not set

---
 pkg/k8sops/generators_test.go | 3 +++
 pkg/k8sops/statefulset.go | 21 ++++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/pkg/k8sops/generators_test.go b/pkg/k8sops/generators_test.go
index e6904f7e..4460de47 100644
--- a/pkg/k8sops/generators_test.go
+++ b/pkg/k8sops/generators_test.go
@@ -160,6 +160,9 @@ func TestGenerateStatefulSet(t *testing.T) {
 ReadinessProbe: readiness,
 SecurityContext: &v1.SecurityContext{
 RunAsUser: pointer.Int64Ptr(20),
+ Capabilities: &v1.Capabilities{
+ Add: []v1.Capability{v1.Capability("SYS_RESOURCE")},
+ },
 },
 Command: []string{
 "m3dbnode",
diff --git a/pkg/k8sops/statefulset.go b/pkg/k8sops/statefulset.go
index d369a808..6c872d42 100644
--- a/pkg/k8sops/statefulset.go
+++ b/pkg/k8sops/statefulset.go
@@ -38,6 +38,7 @@ import (
 const (
 podIdentityVolumePath = "/etc/m3db/pod-identity"
 podIdentityVolumeName = "pod-identity"
+ capabilitySysResource = v1.Capability("SYS_RESOURCE")
 )
 
 var (
@@ -89,6 +90,24 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 },
 }
 
+ // Add SYS_RESOURCE security capability if not set (required to raise
+ // rlimit nofile from the process in container)
+ specSecurityCtx := cluster.Spec.SecurityContext
+ if specSecurityCtx.Capabilities == nil {
+ specSecurityCtx.Capabilities = &v1.Capabilities{}
+ }
+ hasCapabilitySysResource := false
+ for _, c := range specSecurityCtx.Capabilities.Add {
+ if c == capabilitySysResource {
+ hasCapabilitySysResource = true
+ break
+ }
+ }
+ if !hasCapabilitySysResource {
+ specSecurityCtx.Capabilities.Add =
+ append(specSecurityCtx.Capabilities.Add, capabilitySysResource)
+ }
+
 return &appsv1.StatefulSet{
 ObjectMeta: metav1.ObjectMeta{
 Name: ssName,
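Review bot: The updated expectation only covers a spec that already carries a SecurityContext with no capabilities; the new defaulting in statefulset.go has two more paths, a spec whose `Add` already lists SYS_RESOURCE (which must not be appended a second time) and a spec with no SecurityContext at all, and neither is exercised here. A case for each, asserting that `Add` equals exactly `[]v1.Capability{"SYS_RESOURCE"}`, would pin the idempotence the loop in NewBaseStatefulSet is there to provide. TestGenerateStatefulSet starts and ends outside the hunk.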
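Review bot: `specSecurityCtx := cluster.Spec.SecurityContext` is dereferenced on the next line without a nil check, so a cluster whose spec leaves SecurityContext unset panics at `specSecurityCtx.Capabilities == nil`, whereas the removed line passed that nil straight through and the container accepted it. The same line also aliases the caller's object: if the field is a `*v1.SecurityContext`, as the test's `&v1.SecurityContext{}` literal suggests, the append below writes the capability back into `cluster.Spec`, i.e. into whatever object the reconciler handed in, rather than only into the generated StatefulSet. Copying the context before defaulting and treating nil as an empty context fixes both; the generated DeepCopy on k8s API types returns nil for a nil receiver, which keeps the guard simple. The lookup further ignores `Capabilities.Drop`, so a spec that explicitly drops SYS_RESOURCE ends up listing it in both Add and Drop; whether the operator should override that is worth stating in the comment. The rest of NewBaseStatefulSet lies outside the hunk.
```go
	// Add SYS_RESOURCE security capability if not set (required to raise
	// rlimit nofile from the process in container). Work on a copy so the
	// cluster spec handed in by the caller is not modified.
	specSecurityCtx := cluster.Spec.SecurityContext.DeepCopy()
	if specSecurityCtx == nil {
		specSecurityCtx = &v1.SecurityContext{}
	}
	// … unchanged: Capabilities nil guard, SYS_RESOURCE lookup and append …
```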
@@ -110,7 +129,7 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 Containers: []v1.Container{
 {
 Name: ssName,
- SecurityContext: cluster.Spec.SecurityContext,
+ SecurityContext: specSecurityCtx,
 ReadinessProbe: probeReady,
 LivenessProbe: probeHealth,
 Command: []string{