diff --git a/pkg/nova/cellmapping.go b/pkg/nova/cellmapping.go
index 8d65c2682..71aa3403c 100644
--- a/pkg/nova/cellmapping.go
+++ b/pkg/nova/cellmapping.go
@@ -4,6 +4,7 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"

 common "github.com/openstack-k8s-operators/lib-common/modules/common"
 "github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -22,8 +23,6 @@ func CellMappingJob(
 inputHash string,
 labels map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if cell.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
@@ -69,7 +68,7 @@ func CellMappingJob(
 Args: args,
 Image: cell.Spec.ConductorServiceTemplate.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/nova/common.go b/pkg/nova/common.go
index 4e0f0a73d..44da87f35 100644
--- a/pkg/nova/common.go
+++ b/pkg/nova/common.go
@@ -30,6 +30,9 @@ const (
 // NovaCell0DatabaseName - the name of the DB to store the cell schema for
 // cell0
 NovaCell0DatabaseName = "nova_cell0"
+ // NovaUserID is the linux user ID used by Kolla for the nova user
+ // in the service containers
+ NovaUserID int64 = 42436
 )

 // GetScriptSecretName returns the name of the Secret used for the
diff --git a/pkg/nova/host_discovery.go b/pkg/nova/host_discovery.go
index 1505eb8bf..210cea485 100644
--- a/pkg/nova/host_discovery.go
+++ b/pkg/nova/host_discovery.go
@@ -22,6 +22,7 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 const (
@@ -35,8 +36,6 @@ func HostDiscoveryJob(
 inputHash string,
 labels map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if instance.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
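Review bot: The new `NovaUserID` constant in common.go is only half of the hardening: every `SecurityContext` in this commit sets `RunAsUser` and nothing else, so nothing prevents a later edit (or a UID of 0 re-appearing in a template) from silently running the container as root again, and the same three-field literal is now repeated at ten call sites. Since `RunAsUser` overrides the image's `USER`, the constant's comment should also say that the value must match the UID the Kolla image actually assigns to `nova`, e.g. `// NovaUserID is the linux UID of the nova user in the Kolla-built service images; it overrides the image USER, so it must match /etc/passwd in those images.` A small helper in common.go (which would need the `corev1` and `ptr` imports) lets the callers become `SecurityContext: nova.GetSecurityContext(),` and makes the non-root requirement explicit so the kubelet rejects a root UID instead of accepting it; I have deliberately not added `AllowPrivilegeEscalation: false`, because whether the image's startup path still needs `sudo` for config placement is not visible here.
```go
// GetSecurityContext returns the SecurityContext shared by all nova
// service containers and jobs: run as the Kolla nova user and require
// non-root, so a UID of 0 is rejected by the kubelet rather than accepted.
func GetSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		RunAsUser:    ptr.To(NovaUserID),
		RunAsNonRoot: ptr.To(true),
	}
}
```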
@@ -81,7 +80,7 @@ func HostDiscoveryJob(
 Args: args,
 Image: instance.Spec.ConductorServiceTemplate.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaapi/deployment.go b/pkg/novaapi/deployment.go
index 39658c047..2d633f202 100644
--- a/pkg/novaapi/deployment.go
+++ b/pkg/novaapi/deployment.go
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: []string{"-c", "tail -n+1 -F /var/log/nova/nova-api.log"},
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{nova.GetLogVolumeMount()},
@@ -152,7 +151,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novacompute/deployment.go b/pkg/novacompute/deployment.go
index cf2450031..abef38d88 100644
--- a/pkg/novacompute/deployment.go
+++ b/pkg/novacompute/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-compute service
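Review bot: In the novaapi `@@ -135` hunk the log-tailing sidecar (`tail -n+1 -F /var/log/nova/nova-api.log`) and, in the following hunk, the nova-api container itself both drop from UID 0 to 42436, but whether 42436 can create and read `/var/log/nova/nova-api.log` depends on the volume behind `nova.GetLogVolumeMount()`, which is defined outside this hunk. An emptyDir is created world-writable and will work; a hostPath or PVC usually is not, and then the API container fails to open its log file while the sidecar loops on a missing file, so either `PodSecurityContext.FSGroup` needs to be set or the mount has to be known writable by the nova user. A comment at the mount, such as `// log volume must be writable by nova.NovaUserID now that the containers no longer run as root`, would record the dependency. The enclosing `StatefulSet` function starts and ends outside these hunks.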
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // After the first successful startupProbe, livenessProbe takes over
 livenessProbe := &corev1.Probe{
 // TODO might need tuning
@@ -122,7 +121,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaconductor/dbsync.go b/pkg/novaconductor/dbsync.go
index 36ae4d118..44cf8cca5 100644
--- a/pkg/novaconductor/dbsync.go
+++ b/pkg/novaconductor/dbsync.go
@@ -26,6 +26,7 @@ import (
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 const (
@@ -39,8 +40,6 @@ func CellDBSyncJob(
 labels map[string]string,
 annotations map[string]string,
 ) *batchv1.Job {
- runAsUser := int64(0)
-
 args := []string{"-c"}
 if instance.Spec.Debug.StopJob {
 args = append(args, common.DebugCommand)
@@ -81,7 +80,7 @@ func CellDBSyncJob(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novaconductor/deployment.go b/pkg/novaconductor/deployment.go
index 4cf586606..91233bfba 100644
--- a/pkg/novaconductor/deployment.go
+++ b/pkg/novaconductor/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-api service
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 livenessProbe := &corev1.Probe{
 // TODO might need tuning
 TimeoutSeconds: 5,
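Review bot: The novacompute `@@ -122` hunk pins only the UID: with `RunAsGroup` left nil, the runtime resolves the primary GID from the image's `/etc/passwd` entry for 42436 and, if that entry is missing, presumably falls back to gid 0, so the process may still hold a root group even though the commit's intent is to stop running as root. Adding `RunAsGroup: ptr.To(nova.NovaUserID),` beside `RunAsUser` makes the effective identity independent of image contents; the same one-line addition applies to the other SecurityContext literals in this commit. Whether nova-compute in this operator needs any extra supplemental groups for host resources is not visible in the hunk and should be confirmed before the GID is pinned. The enclosing `StatefulSet` function continues outside the hunk.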
@@ -128,7 +127,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novametadata/deployment.go b/pkg/novametadata/deployment.go
index 2d864a9d8..4fb77b6bf 100644
--- a/pkg/novametadata/deployment.go
+++ b/pkg/novametadata/deployment.go
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-metadata service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: []string{"-c", "tail -n+1 -F /var/log/nova/nova-metadata.log"},
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
@@ -154,7 +153,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novascheduler/deployment.go b/pkg/novascheduler/deployment.go
index 365711028..9724e8a1e 100644
--- a/pkg/novascheduler/deployment.go
+++ b/pkg/novascheduler/deployment.go
@@ -26,6 +26,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-scheduler service
@@ -35,8 +36,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -137,7 +136,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{
diff --git a/pkg/novncproxy/deployment.go b/pkg/novncproxy/deployment.go
index 6d284f8bc..e9f89646a 100644
--- a/pkg/novncproxy/deployment.go
+++ b/pkg/novncproxy/deployment.go
@@ -27,6 +27,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )

 // StatefulSet - returns the StatefulSet definition for the nova-novanovncproxy service
@@ -36,8 +37,6 @@ func StatefulSet(
 labels map[string]string,
 annotations map[string]string,
 ) *appsv1.StatefulSet {
- runAsUser := int64(0)
-
 // This allows the pod to start up slowly. The pod will only be killed
 // if it does not succeed a probe in 60 seconds.
 startupProbe := &corev1.Probe{
@@ -135,7 +134,7 @@ func StatefulSet(
 Args: args,
 Image: instance.Spec.ContainerImage,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: &runAsUser,
+ RunAsUser: ptr.To(nova.NovaUserID),
 },
 Env: env,
 VolumeMounts: []corev1.VolumeMount{