support run as non root (#183)

Signed-off-by: haorenfsa <[email protected]>
zilliztech · Sep 9, 2024 · dbd88c0 · dbd88c0
1 parent 1d591f4
commit dbd88c0
Show file tree

Hide file tree

Showing 11 changed files with 73 additions and 1 deletion.
diff --git a/apis/milvus.io/v1beta1/components_types.go b/apis/milvus.io/v1beta1/components_types.go
@@ -183,6 +183,11 @@ type MilvusComponents struct {
 	// so it's hard to determine when to switch. you need to switch it manually.
 	ActiveConfigMap string `json:"activeConfigMap,omitempty"`
 
+	// RunAsNonRoot whether to run milvus as non-root user
+	// this disables some certain features
+	// +kubebuilder:validation:Optional
+	RunAsNonRoot bool `json:"runAsNonRoot,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	Proxy *MilvusProxy `json:"proxy,omitempty"`
 

diff --git a/charts/milvus-operator/templates/crds.yaml b/charts/milvus-operator/templates/crds.yaml
@@ -5676,6 +5676,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:
@@ -13341,6 +13343,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:

diff --git a/config/crd/bases/milvus.io_milvusclusters.yaml b/config/crd/bases/milvus.io_milvusclusters.yaml
@@ -5674,6 +5674,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:

diff --git a/config/crd/bases/milvus.io_milvuses.yaml b/config/crd/bases/milvus.io_milvuses.yaml
@@ -6652,6 +6652,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:

diff --git a/config/samples/run_as_non_root.yaml b/config/samples/run_as_non_root.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mc-sit
+---
+apiVersion: milvus.io/v1beta1
+kind: Milvus
+metadata:
+  name: milvus
+  namespace: mc-sit
+  labels:
+    app: milvus
+spec:
+  components:
+    runAsNonRoot: true
+    volumes:
+    - emptyDir: {}
+      name: data
+    volumeMounts:
+    - mountPath: /milvus/data
+      name: data
+  config:
+    localStorage:
+      path: /milvus/data
diff --git a/deploy/manifests/deployment.yaml b/deploy/manifests/deployment.yaml
@@ -5707,6 +5707,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:
@@ -13373,6 +13375,8 @@ spec:
                         type: array
                         x-kubernetes-preserve-unknown-fields: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   runWithSubProcess:
                     type: boolean
                   schedulerName:

diff --git a/pkg/controllers/deployment_updater.go b/pkg/controllers/deployment_updater.go
@@ -101,6 +101,13 @@ func updatePodTemplate(
 	updateSidecars(template, updater)
 	updateNetworkSettings(template, updater)
 
+	if updater.GetMilvus().Spec.Com.RunAsNonRoot {
+		template.Spec.SecurityContext = &corev1.PodSecurityContext{
+			RunAsNonRoot: &updater.GetMilvus().Spec.Com.RunAsNonRoot,
+			RunAsUser:    int64Ptr(1000),
+		}
+	}
+
 	var hasUpdates = !IsEqual(currentTemplate, template)
 	switch {
 	case hasUpdates:

diff --git a/pkg/controllers/deployments.go b/pkg/controllers/deployments.go
@@ -273,6 +273,10 @@ func renderInitContainer(container *corev1.Container, toolImage string) *corev1.
 		configVolumeMount,
 		toolVolumeMount,
 	}
+	container.SecurityContext = &corev1.SecurityContext{
+		RunAsNonRoot: boolPtr(true),
+		RunAsUser:    int64Ptr(1000),
+	}
 	fillContainerDefaultValues(container)
 	return container
 }
@@ -297,14 +301,16 @@ var (
 )
 
 func configVolumeByName(name string) corev1.Volume {
+	// so that non root user can change the config
+	configmapMode := int32(0777)
 	return corev1.Volume{
 		Name: MilvusConfigVolumeName,
 		VolumeSource: corev1.VolumeSource{
 			ConfigMap: &corev1.ConfigMapVolumeSource{
 				LocalObjectReference: corev1.LocalObjectReference{
 					Name: name,
 				},
-				DefaultMode: &DefaultConfigMapMode,
+				DefaultMode: &configmapMode,
 			},
 		},
 	}

diff --git a/pkg/controllers/utils.go b/pkg/controllers/utils.go
@@ -472,6 +472,10 @@ func int64Ptr(i int64) *int64 {
 	return &ret
 }
 
+func boolPtr(b bool) *bool {
+	return &b
+}
+
 func getDeployReplicas(deploy *appsv1.Deployment) int {
 	if deploy.Spec.Replicas == nil {
 		return 1

diff --git a/pkg/controllers/utils_test.go b/pkg/controllers/utils_test.go
@@ -533,3 +533,7 @@ func TestSetControllerReference(t *testing.T) {
 func Test_int64Ptr(t *testing.T) {
 	assert.Equal(t, int64(10), *int64Ptr(10))
 }
+
+func Test_boolPtr(t *testing.T) {
+	assert.True(t, *boolPtr(true))
+}
diff --git a/test/min-mc-feature.yaml b/test/min-mc-feature.yaml
@@ -16,12 +16,19 @@ spec:
   components:
     rollingMode: 3
     runWithSubProcess: true
+    runAsNonRoot: true
     proxy:
       ingress:
         hosts: ["mc-sit.milvus.io"]
       replicas: 1
     mixCoord:
       replicas: 1
+    volumes:
+    - emptyDir: {}
+      name: data
+    volumeMounts:
+    - mountPath: /milvus/data
+      name: data
   dependencies:
     etcd:
       inCluster:
@@ -55,6 +62,8 @@ spec:
           persistence:
             size: 20Gi
   config:
+    localStorage:
+      path: /milvus/data
     milvus:
       log:
         level: info