Merge pull request #64 from alexeyNsorokin/feature/security-context-propagation

Feature/security context propagation

Author: polefishu

deploy/example/securitycontext.yaml

@@ -0,0 +1,21 @@
+apiVersion: redis.kun/v1alpha1
+kind: DistributedRedisCluster
+metadata:
+  annotations:
+    # if your operator run as cluster-scoped, add this annotations
+    redis.kun/scope: cluster-scoped
+  name: example-distributedrediscluster
+spec:
+  image: redis:5.0.4-alpine
+  masterSize: 3
+  clusterReplicas: 1
+  securityContext:
+    runAsUser: 1101
+    runAsGroup: 1101
+    fsGroup: 1101
+    supplementalGroups: [1101]
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL

pkg/apis/redis/v1alpha1/distributedrediscluster_types.go

@@ -25,17 +25,18 @@ type DistributedRedisClusterSpec struct {
 	ServiceName      string                        `json:"serviceName,omitempty"`
 	Config           map[string]string             `json:"config,omitempty"`
 	// Set RequiredAntiAffinity to force the master-slave node anti-affinity.
-	RequiredAntiAffinity bool                         `json:"requiredAntiAffinity,omitempty"`
-	Affinity             *corev1.Affinity             `json:"affinity,omitempty"`
-	NodeSelector         map[string]string            `json:"nodeSelector,omitempty"`
-	ToleRations          []corev1.Toleration          `json:"toleRations,omitempty"`
-	SecurityContext      *corev1.PodSecurityContext   `json:"securityContext,omitempty"`
-	Annotations          map[string]string            `json:"annotations,omitempty"`
-	Storage              *RedisStorage                `json:"storage,omitempty"`
-	Resources            *corev1.ResourceRequirements `json:"resources,omitempty"`
-	PasswordSecret       *corev1.LocalObjectReference `json:"passwordSecret,omitempty"`
-	Monitor              *AgentSpec                   `json:"monitor,omitempty"`
-	Init                 *InitSpec                    `json:"init,omitempty"`
+	RequiredAntiAffinity 		bool                         `json:"requiredAntiAffinity,omitempty"`
+	Affinity             		*corev1.Affinity             `json:"affinity,omitempty"`
+	NodeSelector         		map[string]string            `json:"nodeSelector,omitempty"`
+	ToleRations          		[]corev1.Toleration          `json:"toleRations,omitempty"`
+	SecurityContext      		*corev1.PodSecurityContext   `json:"securityContext,omitempty"`
+	ContainerSecurityContext	*corev1.SecurityContext		 `json:"containerSecurityContext,omitempty"`
+	Annotations          		map[string]string            `json:"annotations,omitempty"`
+	Storage              		*RedisStorage                `json:"storage,omitempty"`
+	Resources            		*corev1.ResourceRequirements `json:"resources,omitempty"`
+	PasswordSecret       		*corev1.LocalObjectReference `json:"passwordSecret,omitempty"`
+	Monitor              		*AgentSpec                   `json:"monitor,omitempty"`
+	Init                 		*InitSpec                    `json:"init,omitempty"`
 }
 
 type AgentSpec struct {

pkg/resources/statefulsets/statefulset.go

@@ -232,6 +232,7 @@ func redisServerContainer(cluster *redisv1alpha1.DistributedRedisCluster, passwo
 		Name:            redisServerName,
 		Image:           cluster.Spec.Image,
 		ImagePullPolicy: cluster.Spec.ImagePullPolicy,
+		SecurityContext: cluster.Spec.ContainerSecurityContext,
 		Ports: []corev1.ContainerPort{
 			{
 				Name:          "client",