GoogleCloudPlatform / flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Apache License 2.0

SecurityContext only partly applied to Jobmanager / Taskmanager #453

Open timsn opened 3 years ago

timsn commented 3 years ago

To comply with our policies I have set several securityContext settings, such as on the Jobmanager, Taskmanager and Job. The CRD clearly allows setting the securityContext for all the needed resources (see the CRD docs here). But when I set them in the FlinkCluster resource and inspect the deployment created by the operator, only some of them seem to be applied.

For example the Jobmanager part in my flink-cluster.yaml looks like this:

jobManager:
  accessScope: Cluster
  securityContext:
    runAsNonRoot: true
    runAsUser: 9999
    runAsGroup: 9999
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - all
  ports:
    ui: 8081
  resources:
    requests:
      memory: "1024Mi"
      cpu: "200m"
    limits:
      memory: "1024Mi"

And if I inspect the created Jobmanager I can only find these securityContext settings set:

$ kubectl get pod flinksessioncluster-jobmanager-0 -o yaml

Output:

[...]
securityContext:
  runAsGroup: 9999
  runAsNonRoot: true
  runAsUser: 9999

So for example dropping the capabilities isn't applied at all, even if it seems to be part of the CRD: https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/blob/0310df76d6e2128cd5d2bc51fae4e842d370c463/config/crd/bases/flinkoperator.k8s.io_flinkclusters.yaml#L1838-L1855
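The kubectl output above only contains fields that exist in the Kubernetes PodSecurityContext schema (runAsUser, runAsGroup, runAsNonRoot); capabilities, privileged, allowPrivilegeEscalation and readOnlyRootFilesystem exist only on the per-container SecurityContext, so a value copied into pod.spec.securityContext has nowhere to go. The script below is an added example, not code from flink-on-k8s-operator or from the issue author: it splits a requested securityContext into the pod-level and container-only parts and audits a rendered pod to list, per container, which requested controls are not actually in effect. The field name sets are taken from the core/v1 API; the sample pod (container name "jobmanager", no container-level securityContext) is constructed to match the kubectl output shown in the issue.

```python
"""Audit which securityContext fields actually reach a container.

Added example (not project code). Kubernetes has two schemas:
pod.spec.securityContext (PodSecurityContext) and the per-container
securityContext. Fields present only in the container schema cannot be
expressed at pod level, so an operator that copies a CRD securityContext
into the pod-level block silently loses them.
"""

# Field names accepted by core/v1 PodSecurityContext.
POD_LEVEL_FIELDS = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "fsGroup", "fsGroupChangePolicy",
    "supplementalGroups", "seLinuxOptions", "seccompProfile", "sysctls",
    "windowsOptions",
}

# Field names accepted by core/v1 (container) SecurityContext.
CONTAINER_LEVEL_FIELDS = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "privileged",
    "allowPrivilegeEscalation", "readOnlyRootFilesystem", "capabilities",
    "procMount", "seLinuxOptions", "seccompProfile", "windowsOptions",
}

# Fields valid at both levels: the container value overrides the pod value.
INHERITABLE_FIELDS = POD_LEVEL_FIELDS & CONTAINER_LEVEL_FIELDS


def split_security_context(requested):
    """Split a requested securityContext into (pod-level, container-only, unknown)."""
    pod_level = {k: v for k, v in requested.items() if k in POD_LEVEL_FIELDS}
    container_only = {k: v for k, v in requested.items()
                      if k in CONTAINER_LEVEL_FIELDS and k not in POD_LEVEL_FIELDS}
    unknown = {k: v for k, v in requested.items()
               if k not in POD_LEVEL_FIELDS and k not in CONTAINER_LEVEL_FIELDS}
    return pod_level, container_only, unknown


def effective_context(pod, container):
    """Resolve the context a container runs with: inheritable pod-level fields,
    overridden by whatever the container sets itself."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    effective = {k: v for k, v in pod_sc.items() if k in INHERITABLE_FIELDS}
    effective.update(container.get("securityContext") or {})
    return effective


def audit_pod(pod, requested):
    """Return {container name: sorted list of requested fields not in effect}."""
    report = {}
    for container in pod["spec"].get("containers", []):
        effective = effective_context(pod, container)
        missing = sorted(k for k, v in requested.items() if effective.get(k) != v)
        report[container["name"]] = missing
    return report


# Constructed sample input: the jobManager.securityContext from the issue, and a
# pod shaped like the kubectl output shown there (pod-level context only, the
# container name "jobmanager" is an assumption).
REQUESTED = {
    "runAsNonRoot": True, "runAsUser": 9999, "runAsGroup": 9999,
    "privileged": False, "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True, "capabilities": {"drop": ["all"]},
}

RENDERED_POD = {
    "metadata": {"name": "flinksessioncluster-jobmanager-0"},
    "spec": {
        "securityContext": {"runAsGroup": 9999, "runAsNonRoot": True, "runAsUser": 9999},
        "containers": [{"name": "jobmanager"}],
    },
}

if __name__ == "__main__":
    pod_level, container_only, unknown = split_security_context(REQUESTED)
    print("settable at pod level:", sorted(pod_level))
    print("container-level only: ", sorted(container_only))
    print("not in either schema: ", sorted(unknown))
    print("not in effect per container:", audit_pod(RENDERED_POD, REQUESTED))
```

Running it against the constructed pod reports exactly the four fields the issue author saw disappear. The same audit can be pointed at `kubectl get pod ... -o json` output to confirm whether a fix places those fields on each container's securityContext rather than on the pod.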