Set podSecurityContext to reflect distroless nonroot uids

Author: calind

Changelog.md

@@ -7,7 +7,10 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 ### Added
+ * Add `orchestrator.persistence.fsGroupWorkaroundEnabled` for persistent volume
+   provisioners wich don't support fsGroup in security context (fixes #615)
 ### Changed
+ * Allow setting pod security context when deploying with Helm
  * Use [distroless](https://github.com/GoogleContainerTools/distroless) as base image for orchestrator container
 ### Removed
 ### Fixed

deploy/charts/mysql-operator/templates/statefulset.yaml

@@ -33,8 +33,6 @@ spec:
         - name: operator
           image: "{{ .Values.image }}"
           imagePullPolicy: {{ .Values.imagePullPolicy }}
-          securityContext:
-            runAsUser: 888
           env:
             - name: ORC_TOPOLOGY_USER
               valueFrom:
@@ -93,8 +91,10 @@ spec:
               secretRef:
                 name: {{ template "mysql-operator.orc-secret-name" . }}
           volumeMounts:
+            - name: data
+              mountPath: /var/lib/orchestrator
             - name: config
-              mountPath: /usr/local/share/orchestrator/templates/
+              mountPath: /usr/local/share/orchestrator/templates
           livenessProbe:
             timeoutSeconds: 10
             initialDelaySeconds: 200
@@ -118,17 +118,24 @@ spec:
         - name: data
           emptyDir: {}
         {{- end }}
+
+      {{- if .Values.orchestrator.persistence.fsGroupWorkaroundEnabled }}
       initContainers:
         - name: init-mount
+          securityContext:
+            runAsUser: 0
           image: busybox:1.34.0
-          command: ['sh', '-c', "chown -R 777:777 /var/lib/orchestrator"]
+          command: ['sh', '-c', "chown -R {{ .Values.securityContext.fsGroup | default "0" }}:{{ .Values.securityContext.fsGroup | default "0" }} /var/lib/orchestrator"]
           volumeMounts:
             - name: data
-              mountPath: /var/lib/orchestrator/
+              mountPath: /var/lib/orchestrator
+      {{- end }}
 
       # security context to mount corectly the volume for orc
+      {{- with .Values.securityContext }}
       securityContext:
-        fsGroup: 777
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 
       {{- with .Values.nodeSelector }}
       nodeSelector:

deploy/charts/mysql-operator/values.yaml

@@ -49,6 +49,13 @@ resources: {}
   #  cpu: 100m
   #  memory: 128Mi
 
+securityContext:
+  runAsNonRoot: true
+  # 65532 is the UID for nonroot user from distroless image
+  runAsUser: 65532
+  runAsGroup: 65532
+  fsGroup: 65532
+
 ## nodeAffinity settings
 # nodeAffinity:
 #   requiredDuringSchedulingIgnoredDuringExecution:
@@ -130,6 +137,10 @@ orchestrator:
     # storageClass: "-"
     accessMode: "ReadWriteOnce"
     size: 1Gi
+    # inject an init container which properly sets the ownership for the orchestrator's data volume
+    # this is needed when the PV provisioner does not properly sets permissions for fsGroup
+    # when enabling this, you MUST change the securityContext.runAsNonRoot to false
+    fsGroupWorkaroundEnabled: false
 
   # key value map of orchestrator conf directives.
   # see: https://github.com/github/orchestrator/blob/master/conf/orchestrator-sample.conf.json
@@ -179,7 +190,7 @@ orchestrator:
     # for more information about template: https://github.com/github/orchestrator/blob/master/go/logic/topology_recovery.go#L256
     ProcessesShellCommand: "sh"
 
-    OnFailureDetectionProcesses: 
+    OnFailureDetectionProcesses:
       - "/usr/local/bin/orc-helper event -w '{failureClusterAlias}' 'OrcFailureDetection' 'Failure: {failureType}, failed host: {failedHost}, lost replcas: {lostReplicas}' || true"
       - "/usr/local/bin/orc-helper failover-in-progress '{failureClusterAlias}' '{failureDescription}' || true"