Add runPrivileged/runAsUser options, for running on more restricted/s…

cmd/operator/main.go

@@ -54,6 +54,8 @@ var (
 	enableInitDaemonset    bool
 	initDaemonsetNamespace string
 	busyboxImage           string
+	runPrivileged          bool
+	runAsUser              int64
 )
 
 func init() {
@@ -64,6 +66,8 @@ func init() {
 	flag.BoolVar(&enableInitDaemonset, "enableInitDaemonset", true, "Set to false to disable the sysctl init daemonset")
 	flag.StringVar(&initDaemonsetNamespace, "initDaemonsetNamespace", "default", "Namespace to deploy the sysctl init daemonset into")
 	flag.StringVar(&busyboxImage, "busybox-image", "busybox:1.26.2", "Image to use for sysctl init daemonset")
+	flag.BoolVar(&runPrivileged, "runPrivileged", true, "Run pods as privileged. Set to false if your Kubernetes cluster doesn't allow running containers in privileged mode. Setting does not affect InitDaemonset.")
+	flag.Int64Var(&runAsUser, "runAsUser", 0, "Run the first process in the container as this uid. Change this if your Kubernetes cluster doesn't allow running containers as root. Setting does not affect InitDaemonset.")
 	flag.Parse()
 }
 
@@ -78,11 +82,16 @@ func Main() int {
 
 	// Print params configured
 	logrus.Info("Using Variables:")
+	logrus.Infof("   masterhost: %s", masterHost)
 	logrus.Infof("   enableInitDaemonset: %t", enableInitDaemonset)
+	logrus.Infof("   initDaemonsetNamespace: %s", initDaemonsetNamespace)
 	logrus.Infof("   baseImage: %s", baseImage)
+	logrus.Infof("   busybox-image: %s", busyboxImage)
+	logrus.Infof("   runPrivileged: %t", runPrivileged)
+	logrus.Infof("   runAsUser: %d", runAsUser)
 
 	// Init
-	k8sclient, err := k8sutil.New(kubeCfgFile, masterHost, enableInitDaemonset, initDaemonsetNamespace, busyboxImage)
+	k8sclient, err := k8sutil.New(kubeCfgFile, masterHost, enableInitDaemonset, initDaemonsetNamespace, busyboxImage, runPrivileged, runAsUser)
 	if err != nil {
 		logrus.Error("Could not init k8sclient! ", err)
 		return 1

pkg/k8sutil/deployments.go

@@ -170,15 +170,20 @@ func (k *K8sutil) CreateClientDeployment(baseImage string, replicas *int32, java
 						},
 					},
 					Spec: v1.PodSpec{
+						SecurityContext: &v1.PodSecurityContext{
+							RunAsUser: &k.RunAsUser,
+							FSGroup: &k.RunAsUser,
+						},
 						Affinity: &affinity,
 						Containers: []v1.Container{
 							v1.Container{
 								Name: deploymentName,
 								SecurityContext: &v1.SecurityContext{
-									Privileged: &[]bool{true}[0],
+									Privileged: &k.RunPrivileged,
 									Capabilities: &v1.Capabilities{
 										Add: []v1.Capability{
 											"IPC_LOCK",
+											"SYS_RESOURCE",
 										},
 									},
 								},

pkg/k8sutil/k8sutil.go

@@ -89,10 +89,12 @@ type K8sutil struct {
 	EnableInitDaemonset    bool
 	InitDaemonsetNamespace string
 	BusyboxImage           string
+	RunPrivileged          bool
+	RunAsUser              int64
 }
 
 // New creates a new instance of k8sutil
-func New(kubeCfgFile, masterHost string, enableInitDaemonset bool, initDaemonsetNamespace, busyboxImage string) (*K8sutil, error) {
+func New(kubeCfgFile, masterHost string, enableInitDaemonset bool, initDaemonsetNamespace, busyboxImage string, runPrivileged bool, runAsUser int64) (*K8sutil, error) {
 
 	crdClient, kubeClient, kubeExt, k8sVersion, err := newKubeClient(kubeCfgFile)
 
@@ -109,6 +111,8 @@ func New(kubeCfgFile, masterHost string, enableInitDaemonset bool, initDaemonset
 		EnableInitDaemonset:    enableInitDaemonset,
 		InitDaemonsetNamespace: initDaemonsetNamespace,
 		BusyboxImage:           busyboxImage,
+		RunPrivileged:          runPrivileged,
+		RunAsUser:              runAsUser,
 	}
 
 	return k, nil
@@ -395,8 +399,8 @@ func processDeploymentType(deploymentType string, clusterName string) (string, s
 	return deploymentName, role, isNodeMaster, isNodeData
 }
 
-func buildStatefulSet(statefulSetName, clusterName, deploymentType, baseImage, storageClass, dataDiskSize, javaOptions, masterJavaOptions, dataJavaOptions, serviceAccountName,
-	statsdEndpoint, networkHost string, replicas *int32, useSSL *bool, resources myspec.Resources, imagePullSecrets []myspec.ImagePullSecrets, imagePullPolicy string, nodeSelector map[string]string, tolerations []v1.Toleration) *apps.StatefulSet {
+func buildStatefulSet(statefulSetName, clusterName, deploymentType, baseImage, storageClass, dataDiskSize, javaOptions, serviceAccountName,
+	statsdEndpoint, networkHost string, replicas *int32, useSSL *bool, resources myspec.Resources, imagePullSecrets []myspec.ImagePullSecrets, imagePullPolicy string, nodeSelector map[string]string, tolerations []v1.Toleration, runPrivileged *bool, runAsUser *int64) *apps.StatefulSet {
 
 	_, role, isNodeMaster, isNodeData := processDeploymentType(deploymentType, clusterName)
 
@@ -485,6 +489,10 @@ func buildStatefulSet(statefulSetName, clusterName, deploymentType, baseImage, s
 					},
 				},
 				Spec: v1.PodSpec{
+					SecurityContext: &v1.PodSecurityContext{
+						RunAsUser: runAsUser,
+						FSGroup: runAsUser,
+					},
 					Tolerations:  tolerations,
 					NodeSelector: nodeSelector,
 					Affinity: &v1.Affinity{
@@ -511,10 +519,11 @@ func buildStatefulSet(statefulSetName, clusterName, deploymentType, baseImage, s
 						v1.Container{
 							Name: statefulSetName,
 							SecurityContext: &v1.SecurityContext{
-								Privileged: &[]bool{true}[0],
+								Privileged: runPrivileged,
 								Capabilities: &v1.Capabilities{
 									Add: []v1.Capability{
 										"IPC_LOCK",
+										"SYS_RESOURCE",
 									},
 								},
 							},
@@ -681,7 +690,7 @@ func (k *K8sutil) CreateDataNodeDeployment(deploymentType string, replicas *int3
 		logrus.Infof("StatefulSet %s not found, creating...", statefulSetName)
 
 		statefulSet := buildStatefulSet(statefulSetName, clusterName, deploymentType, baseImage, storageClass, dataDiskSize, javaOptions, masterJavaOptions, dataJavaOptions, serviceAccountName,
-			statsdEndpoint, networkHost, replicas, useSSL, resources, imagePullSecrets, imagePullPolicy, nodeSelector, tolerations)
+			statsdEndpoint, networkHost, replicas, useSSL, resources, imagePullSecrets, imagePullPolicy, nodeSelector, tolerations, &k.RunPrivileged, &k.RunAsUser)
 
 		if _, err := k.Kclient.AppsV1beta2().StatefulSets(namespace).Create(statefulSet); err != nil {
 			logrus.Error("Could not create stateful set: ", err)

pkg/k8sutil/k8sutil_test.go

@@ -42,8 +42,10 @@ func TestSSLCertConfig(t *testing.T) {
 	useSSL := false
 	nodeSelector := make(map[string]string)
 	tolerations := []corev1.Toleration{}
+  runPrivileged := true
+	var runAsUser int64 = 0
 	statefulSet := buildStatefulSet("test", clusterName, "master", "foo/image", "test", "1G", "",
-		"", "", "", "", "", nil, &useSSL, resources, nil, "", nodeSelector, tolerations)
+		"", "", "", "", "", nil, &useSSL, resources, nil, "", nodeSelector, tolerations, &runPrivileged, &runAsUser)
 
 	for _, volume := range statefulSet.Spec.Template.Spec.Volumes {
 		if volume.Name == fmt.Sprintf("%s-%s", secretName, clusterName) {
@@ -53,7 +55,7 @@ func TestSSLCertConfig(t *testing.T) {
 
 	useSSL = true
 	statefulSet = buildStatefulSet("test", clusterName, "master", "foo/image", "test", "1G", "",
-		"", "", "", "", "", nil, &useSSL, resources, nil, "", nodeSelector, tolerations)
+		"", "", "", "", "", nil, &useSSL, resources, nil, "", nodeSelector, tolerations, &runPrivileged, &runAsUser)
 
 	found := false
 	for _, volume := range statefulSet.Spec.Template.Spec.Volumes {