gardener / etcd-druid

An etcd operator to configure, provision, reconcile and monitor etcd clusters.
Apache License 2.0

Use `fsGroup` instead of initContainer for setting appropriate file owners. #803

Open AleksandarSavchev opened 2 months ago

AleksandarSavchev commented 2 months ago

How to categorize this issue?

/area quality /kind enhancement

What would you like to be added:

Currently etcd uses initContainers to change file owners: https://github.com/gardener/etcd-druid/blob/4cb6e5cd5cdf92225c2c45770c790e3df090005c/pkg/component/etcd/statefulset/statefulset.go#L491-L525

I would like these initContainers to be removed and their functionality replaced with the use of `fsGroup: 65532` added here: https://github.com/gardener/etcd-druid/blob/4cb6e5cd5cdf92225c2c45770c790e3df090005c/pkg/component/etcd/statefulset/statefulset.go#L526-L530

This will set group owner 65532 for mounted files and would make these files accessible for the etcd pod.

Why is this needed: Remove unnecessary etcd containers and avoid changing owners on PV
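The two approaches side by side, as an added example that is not etcd-druid's own manifest (the names `etcd-main`, `etcd-data`, `change-permissions`, the image tags and the mount path `/var/etcd/data` are hypothetical placeholders). The first document shows the pattern the issue wants to remove: a root init container that recursively chowns the persistent volume on every pod start. The second drops that container and lets the kubelet apply the supplemental group 65532 when the volume is mounted.

```yaml
# Added example, not from the etcd-druid repository. Names and images are
# hypothetical; only the uid/gid 65532 comes from the issue.
#
# --- Before: a root init container rewrites ownership of the PV ---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd-main
spec:
  serviceName: etcd-main
  replicas: 1
  selector:
    matchLabels:
      app: etcd-main
  template:
    metadata:
      labels:
        app: etcd-main
    spec:
      initContainers:
        # Runs as uid 0 and touches every file on the volume at each start.
        # This is the extra root-capable container the issue wants gone.
        - name: change-permissions
          image: alpine:3.19            # hypothetical
          command: ["sh", "-c", "chown -R 65532:65532 /var/etcd/data"]
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: etcd-data
              mountPath: /var/etcd/data
      containers:
        - name: etcd
          image: etcd:placeholder       # placeholder image
          securityContext:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
          volumeMounts:
            - name: etcd-data
              mountPath: /var/etcd/data
  volumeClaimTemplates:
    - metadata:
        name: etcd-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
---
# --- After: no init container; the kubelet applies fsGroup at mount time ---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd-main
spec:
  serviceName: etcd-main
  replicas: 1
  selector:
    matchLabels:
      app: etcd-main
  template:
    metadata:
      labels:
        app: etcd-main
    spec:
      securityContext:
        # Group ownership of the mounted volume is set to 65532, group
        # read/write is granted and the setgid bit is set on directories,
        # so files etcd creates later also belong to this group.
        fsGroup: 65532
        # OnRootMismatch skips the recursive change when the volume root
        # already has the expected owner and mode; the default is Always.
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: etcd
          image: etcd:placeholder       # placeholder image
          securityContext:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
          volumeMounts:
            - name: etcd-data
              mountPath: /var/etcd/data
  volumeClaimTemplates:
    - metadata:
        name: etcd-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

Whether the second form actually takes effect depends on the storage backend: for CSI volumes the kubelet only applies `fsGroup` according to the driver's `CSIDriver.spec.fsGroupPolicy` (`File`, the default `ReadWriteOnceWithFSType`, or `None`), which is why the comment below about verifying every provider matters. The policy a cluster's driver declares can be read with `kubectl get csidriver <driver-name> -o jsonpath='{.spec.fsGroupPolicy}'` before relying on the `fsGroup`-only variant.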

renormalize commented 2 months ago

@unmarshall @shreyas-s-rao should we do this in #777 or should we avoid adding more changes to it?

renormalize commented 2 months ago

I've tested this out with AWS, and fsGroup is sufficient to eliminate the use of init containers as mentioned in the issue description with older volumes which run with etcd-custom-image in root:root.

Testing has to be performed with all providers to ensure that fsGroup is implemented by all CSI drivers. All access modes aren't supported for OpenStack, as written in https://github.com/kubernetes/cloud-provider-openstack/issues/2075#issuecomment-1918331293.

I'm currently unsure if fsGroup would work with the local provider.