spotahome / redis-operator

Redis Operator creates/configures/manages high availability redis with sentinel automatic failover atop Kubernetes.
Apache License 2.0

Issues with deploying a redisfailover on OpenShift #591

Closed yotles closed 1 year ago

yotles commented 1 year ago

Creating a redisfailover on OpenShift with default Security Context Constraints using this operator doesn't seem to work. It seems that this is due to the runAsUser, runAsGroup parameters in the securityContext for the initContainer in deployment rfs-redisfailover. As mentioned in the README, I can pass securityContext and containerSecurityContext with an empty object for sentinel and redis and it works as expected. But the initContainer is still generated with the default securityContext:

  initContainers:
  - command:
    - cp
    - /redis/sentinel.conf
    - /redis-writable/sentinel.conf
    image: redis:6.2.6-alpine
    imagePullPolicy: Always
    name: sentinel-config-copy
    resources:
      limits:
        cpu: 10m
        memory: 32Mi
      requests:
        cpu: 10m
        memory: 32Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000

And this leads to such errors:

message: pods "rfs-redisfailover-c8b4d6546-" is forbidden: unable to validate against any security context constraint

So is it possible to add overriding of securityContext and containerSecurityContext for the default initContainer too?

Thanks in advance.

cfmanteiga commented 1 year ago

Hi @yotles

Try this:

apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
  name: redisfailover-cache
spec:
  redis:
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001
    securityContext:
      runAsUser: 1000670001
    containerSecurityContext:
      runAsUser: 1000670001
      runAsGroup: 1000670001

  sentinel:
    securityContext:
      runAsUser: 1000670001
    containerSecurityContext:
      runAsUser: 1000670001
      runAsGroup: 1000670001
    configCopy:
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001

I had to review the operator code and CRD to get it working in OpenShift.

HTH

yotles commented 1 year ago

@cfmanteiga Thank you for the feedback, this is exactly what I was looking for. My fault for not finding the option to use configCopy to redefine the SecurityContext for the initContainer. As UIDs in OpenShift are random, and whenever you create a namespace a new "uid-range" will be allocated, in this case it is easier to let OpenShift take care of the correct UID on its own. Also, the GID is selected for root. So the final config can look like this:

apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
  name: redisfailover-cache
spec:
  redis:
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: null
    securityContext:
      runAsUser: null
    containerSecurityContext:
      runAsUser: null

  sentinel:
    securityContext:
      runAsUser: null
    containerSecurityContext:
      runAsUser: null
    configCopy:
      containerSecurityContext:
        runAsUser: null
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: null
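
To make the two approaches in this thread (pinning every securityContext to a UID inside the namespace's range, or leaving runAsUser unset so the SCC assigns it) checkable before applying a manifest, here is a small checker. It is an added example, not code from the thread or from the operator. It assumes the seven securityContext paths that appear in cfmanteiga's manifest, that a path omitted from the spec gets the operator's default runAsUser 1000 seen in the issue's generated init container (an assumption generalised from that one observation), and that the namespace's allowed range comes from the openshift.io/sa.scc.uid-range annotation, which OpenShift writes as "start/size". The sample specs are constructed from the manifests in this thread; in practice you would load the real manifest with yaml.safe_load and read the annotation from the namespace object.

```python
"""Check a RedisFailover spec against an OpenShift namespace UID range (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Every place in the RedisFailover spec where a runAsUser can be set. The last
# sentinel entry is the one that controls the sentinel-config-copy init container.
CONTEXT_PATHS: List[Tuple[str, ...]] = [
    ("redis", "securityContext"),
    ("redis", "containerSecurityContext"),
    ("redis", "exporter", "containerSecurityContext"),
    ("sentinel", "securityContext"),
    ("sentinel", "containerSecurityContext"),
    ("sentinel", "configCopy", "containerSecurityContext"),
    ("sentinel", "exporter", "containerSecurityContext"),
]

# Assumption: a path that is absent from the spec gets the operator's default
# (runAsUser 1000, as seen on the init container in the issue).
OPERATOR_DEFAULT_UID = 1000


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Parse an openshift.io/sa.scc.uid-range value ("start/size") into an inclusive (lo, hi)."""
    start_s, size_s = annotation.split("/")
    start, size = int(start_s), int(size_s)
    if size <= 0:
        raise ValueError(f"invalid uid-range size: {size}")
    return start, start + size - 1


def _lookup(spec: Dict[str, Any], path: Tuple[str, ...]) -> Tuple[bool, Any]:
    """Walk the spec along `path`; return (present, node)."""
    node: Any = spec
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def effective_run_as_user(spec: Dict[str, Any], path: Tuple[str, ...]) -> Optional[int]:
    """UID the operator would force at `path`, or None when nothing is forced (SCC assigns)."""
    present, ctx = _lookup(spec, path)
    if not present:
        return OPERATOR_DEFAULT_UID
    if not isinstance(ctx, dict):      # securityContext: null or {} -> nothing forced
        return None
    return ctx.get("runAsUser")        # explicit int, or None for "runAsUser: null"


def check_spec(spec: Dict[str, Any], uid_range_annotation: str) -> Dict[str, str]:
    """Return a verdict per securityContext path: delegated, ok, or rejected."""
    lo, hi = parse_uid_range(uid_range_annotation)
    report: Dict[str, str] = {}
    for path in CONTEXT_PATHS:
        name = ".".join(path)
        uid = effective_run_as_user(spec, path)
        if uid is None:
            report[name] = "delegated to SCC"
        elif lo <= uid <= hi:
            report[name] = f"ok: runAsUser {uid} within {lo}-{hi}"
        else:
            report[name] = f"rejected: runAsUser {uid} outside {lo}-{hi}"
    return report


def rejected_paths(spec: Dict[str, Any], uid_range_annotation: str) -> List[str]:
    """Paths whose forced UID the restricted SCC would refuse."""
    return [p for p, v in check_spec(spec, uid_range_annotation).items() if v.startswith("rejected")]


# Constructed sample specs mirroring the thread.
# 1) The original attempt: empty contexts for redis/sentinel, configCopy not set.
ISSUE_SPEC = {
    "redis": {"securityContext": {}, "containerSecurityContext": {},
              "exporter": {"enabled": True, "containerSecurityContext": {}}},
    "sentinel": {"securityContext": {}, "containerSecurityContext": {},
                 "exporter": {"enabled": True, "containerSecurityContext": {}}},
}
# 2) The final config: runAsUser null everywhere, including configCopy.
FINAL_SPEC = {
    "redis": {"securityContext": {"runAsUser": None}, "containerSecurityContext": {"runAsUser": None},
              "exporter": {"enabled": True, "containerSecurityContext": {"runAsUser": None}}},
    "sentinel": {"securityContext": {"runAsUser": None}, "containerSecurityContext": {"runAsUser": None},
                 "configCopy": {"containerSecurityContext": {"runAsUser": None}},
                 "exporter": {"enabled": True, "containerSecurityContext": {"runAsUser": None}}},
}
# 3) The pinned config: every path set to 1000670001.
_PIN = {"runAsUser": 1000670001, "runAsGroup": 1000670001}
PINNED_SPEC = {
    "redis": {"securityContext": {"runAsUser": 1000670001}, "containerSecurityContext": dict(_PIN),
              "exporter": {"enabled": True, "containerSecurityContext": dict(_PIN)}},
    "sentinel": {"securityContext": {"runAsUser": 1000670001}, "containerSecurityContext": dict(_PIN),
                 "configCopy": {"containerSecurityContext": dict(_PIN)},
                 "exporter": {"enabled": True, "containerSecurityContext": dict(_PIN)}},
}

if __name__ == "__main__":
    ns_range = "1000670000/10000"  # constructed annotation value for the namespace
    for label, spec in (("issue", ISSUE_SPEC), ("final", FINAL_SPEC), ("pinned", PINNED_SPEC)):
        print(label, rejected_paths(spec, ns_range) or "no rejections")
```

Run against the original attempt, only sentinel.configCopy.containerSecurityContext is flagged, which is the init container the SCC error pointed at; the null-everywhere config delegates all seven paths, and the pinned config passes only while the namespace's range still contains 1000670001, which is why the null form survives a namespace being recreated with a fresh range.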

cfmanteiga commented 1 year ago

Way better, should work too.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 45 days with no activity.

github-actions[bot] commented 1 year ago

This issue was closed because it has been inactive for 14 days since being marked as stale.