stackabletech / issues

This repository is only for issues that concern multiple repositories or don't fit into any specific repository

Get operators running on OpenShift #234

Closed razvan closed 1 year ago

razvan commented 2 years ago

Description

On OpenShift, product Pods must run with custom ServiceAccount(s) and SecurityContextConstraints.

Different Stackable products have different requirements with respect to the container permissions and capabilities.

The primary goal of this issue is to update all Stackable operators so that the products they manage run with a custom ServiceAccount.

The zookeeper-operator provides an example implementation where the operator's Helm chart creates a ClusterRole that references a custom SCC object. The operator creates a ServiceAccount and a ClusterRoleBinding per namespace for each Zookeeper instance.

### Acceptance criteria

### Tasks per operator

As part of getting the operators running on OpenShift, at least the following tasks need to be performed per operator.

### Operators

- [x] airflow-operator: https://github.com/stackabletech/airflow-operator/pull/261
- [x] commons-operator
- [x] druid-operator: https://github.com/stackabletech/druid-operator/pull/425
- [x] hbase-operator
- [x] hdfs-operator
- [x] hive-operator: https://github.com/stackabletech/hive-operator/pull/323
- [x] kafka-operator: https://github.com/stackabletech/kafka-operator/issues/570
- [x] listener-operator (runs/deploys, but does not yet have regular jenkins tests)
- [x] nifi-operator: https://github.com/stackabletech/nifi-operator/pull/446
- [x] opa-operator: https://github.com/stackabletech/opa-operator/pull/431
- [x] secret-operator
- [x] spark-k8s-operator: checked with 0.0.0-dev
- [x] superset-operator: https://github.com/stackabletech/superset-operator/pull/352
- [x] trino-operator: https://github.com/stackabletech/trino-operator/pull/404
- [x] zookeeper-operator: https://github.com/stackabletech/zookeeper-operator/pull/665

### Additional Tasks
- [ ] #340
- [ ] https://github.com/stackabletech/issues/issues/341
- [ ] https://github.com/stackabletech/issues/issues/343
razvan commented 1 year ago

Stumbled upon a blocker when running kuttl tests against the Spark-K8S operator deployed with OLM. The Spark pods are not allowed to mount ephemeral volumes. These are needed for Secrets mounted by the secret-operator.

This problem doesn't arise when the operator is deployed as a Helm chart, because there we can specify a custom SCC.

Links:

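The following manifests are an added illustration of the pattern described in the issue description (a Helm-installed ClusterRole granting `use` on a custom SCC, plus a per-instance ServiceAccount and ClusterRoleBinding created by the operator) and of the ephemeral-volume blocker from the follow-up comment. They are not taken from the zookeeper-operator or any other Stackable repository. All object names (`stackable-products-scc`, `zookeeper-demo`, the `data` namespace) and the concrete SCC settings are assumptions chosen for the example; the only page-derived detail is that the SCC must permit `ephemeral` volumes so that secret-operator-provisioned Secrets can be mounted.

```yaml
# Added example, not project code. Installed once per cluster (e.g. by the
# operator's Helm chart). Settings below are illustrative assumptions.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: stackable-products-scc
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsRange      # UID taken from the namespace's annotated range
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - ephemeral               # generic ephemeral volumes; without this entry the
                            # pods hit the "not allowed to mount ephemeral
                            # volumes" blocker described in the comment above
  - persistentVolumeClaim
  - projected
  - secret
---
# ClusterRole that only grants the right to *use* the SCC above (verb "use",
# pinned to this one SCC via resourceNames). Also installed by the chart.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackable-products-scc
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["stackable-products-scc"]
    verbs: ["use"]
---
# Created by the operator per product instance (hypothetical instance
# "zookeeper-demo" in namespace "data").
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zookeeper-demo
  namespace: data
---
# Binds only that ServiceAccount to the SCC ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: zookeeper-demo-data-scc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackable-products-scc
subjects:
  - kind: ServiceAccount
    name: zookeeper-demo
    namespace: data
---
# Minimal pod the operator would emit: it runs under the ServiceAccount above
# and mounts a secret-operator volume as a generic ephemeral volume, which is
# the volume type the SCC has to allow. storageClassName is an assumption.
apiVersion: v1
kind: Pod
metadata:
  name: zookeeper-demo-server-0
  namespace: data
spec:
  serviceAccountName: zookeeper-demo
  containers:
    - name: zookeeper
      image: registry.example.com/zookeeper:placeholder   # placeholder image
      volumeMounts:
        - name: tls
          mountPath: /stackable/tls
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          spec:
            storageClassName: secrets.stackable.tech
            accessModes: ["ReadWriteOnce"]
            resources:
              requests:
                storage: 1Mi
```

Two checks worth doing after applying such manifests: `oc adm policy who-can use securitycontextconstraints/stackable-products-scc` should list only the intended ServiceAccounts, and `oc get pod zookeeper-demo-server-0 -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` should report the custom SCC rather than `restricted`, which confirms the admission controller actually selected it. The binding above is cluster-scoped because that is the design the issue describes; SCC `use` is evaluated against the pod's namespace, so a namespaced RoleBinding to the same ClusterRole is the narrower alternative when an operator wants to avoid cluster-scoped objects per instance.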
lfrancke commented 1 year ago

@razvan The HBase checkbox is ticked above but I believe you mentioned today that it needs more work? If so: Do we already have a follow-up ticket for HBase?

lfrancke commented 1 year ago

This is marked as an epic - part of the refinement should be to decide whether this should be / needs to be split into multiple parts to be worked on separately.

adwk67 commented 1 year ago

Closing this now as current work is covered by https://github.com/stackabletech/issues/issues/376