Unable to deploy CassandraCluster if PodSecurityPolicy prevents fsGroup 1

[armingerten]

Bug Report

What did you do? I deployed an instance of cassandraclusters.db.orange.com while having a PodSecurityPolicy that prevents fsGroups < 1000.

Relevant section of the PodSecurityPolicy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
spec:
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1000
      max: 65536

What did you expect to see? The StatefulSet created by the operator should start-up.

What did you see instead? Under which circumstances? Pod's within the StatefulSet were unschedulable.

Output of kubectl describe sts cassandra-dev-dc-rack1:

Warning FailedCreate 16m (x22 over 60m) statefulset-controller create Pod cassandra-dev-dc-rack1-0 in StatefulSet cassandra-dev-dc-rack1 failed error: pods "cassandra-dev-dc-rack1-0" is forbidden: unable to validate against any pod security policy: [spec.securityContext.fsGroup: Invalid value: []int64{1}: group 1 must be in the ranges: [{1000 65536}] spec.containers[0].securityContext.capabilities.add: Invalid value: "IPC_LOCK": capability may not be added]

Environment

• casskop version: v1.1.2-release
• Kubernetes version information: v1.18.16
• Cassandra version: 3

Possible Solution The CRD & controller could be enhanced to allow the configuration of arbitrary FSGroups (analogous to the runAsUser option):

Controller:

SecurityContext: &v1.PodSecurityContext{
    RunAsUser:    cc.Spec.RunAsUser,
    RunAsNonRoot: func(b bool) *bool { return &b }(true),
    FSGroup:      cc.Spec.FSGroup,
},

CRD in Helm Chart

[cscetbon]

@armingerten thanks for the report. Would you mind creating a PR ? I can guide you if needed.

[armingerten]

Sure - I'll create a PR, soon. 👍

I was wondering:

• why is the fsGroup set by default (rather than leaving it empty)?
• why is the default value 1? What do you think about using a default value > 1000 (e.g. 2000) to avoid conflicts with system groups?