From dbd88c0c1c56f1a71b020a5bd9610ee391322006 Mon Sep 17 00:00:00 2001
From: shaoyue
Date: Mon, 9 Sep 2024 11:08:59 +0800
Subject: [PATCH] support run as non root (#183)
Signed-off-by: haorenfsa
---
 apis/milvus.io/v1beta1/components_types.go | 5 ++++
 charts/milvus-operator/templates/crds.yaml | 4 +++
 .../crd/bases/milvus.io_milvusclusters.yaml | 2 ++
 config/crd/bases/milvus.io_milvuses.yaml | 2 ++
 config/samples/run_as_non_root.yaml | 25 +++++++++++++++++++
 deploy/manifests/deployment.yaml | 4 +++
 pkg/controllers/deployment_updater.go | 7 ++++++
 pkg/controllers/deployments.go | 8 +++++-
 pkg/controllers/utils.go | 4 +++
 pkg/controllers/utils_test.go | 4 +++
 test/min-mc-feature.yaml | 9 +++++++
 11 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 config/samples/run_as_non_root.yaml
diff --git a/apis/milvus.io/v1beta1/components_types.go b/apis/milvus.io/v1beta1/components_types.go
index cef90920..c908ca0a 100644
--- a/apis/milvus.io/v1beta1/components_types.go
+++ b/apis/milvus.io/v1beta1/components_types.go
@@ -183,6 +183,11 @@ type MilvusComponents struct {
 // so it's hard to determine when to switch. you need to switch it manually.
 ActiveConfigMap string `json:"activeConfigMap,omitempty"`
+ // RunAsNonRoot whether to run milvus as non-root user
+ // this disables some certain features
+ // +kubebuilder:validation:Optional
+ RunAsNonRoot bool `json:"runAsNonRoot,omitempty"`
+
 // +kubebuilder:validation:Optional
 Proxy *MilvusProxy `json:"proxy,omitempty"`
diff --git a/charts/milvus-operator/templates/crds.yaml b/charts/milvus-operator/templates/crds.yaml
index d6e7f060..5f486310 100644
--- a/charts/milvus-operator/templates/crds.yaml
+++ b/charts/milvus-operator/templates/crds.yaml
@@ -5676,6 +5676,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
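Review bot: The doc comment on the new `RunAsNonRoot` field, `// this disables some certain features`, never says which features, so an operator cannot weigh the trade-off before enabling it. From the rest of the patch the flag appears to pin every Milvus pod to uid 1000 and to require a `localStorage.path` writable by that user (both samples override it with a volume at `/milvus/data`); the comment should state that, e.g. `// RunAsNonRoot runs all Milvus pods with runAsNonRoot and runAsUser=1000; the configured localStorage path must be writable by that uid`. Naming the features that stop working in the same comment would complete it. The `MilvusComponents` struct begins before this hunk.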
@@ -13341,6 +13343,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
diff --git a/config/crd/bases/milvus.io_milvusclusters.yaml b/config/crd/bases/milvus.io_milvusclusters.yaml
index 01e01fb6..1db0a250 100644
--- a/config/crd/bases/milvus.io_milvusclusters.yaml
+++ b/config/crd/bases/milvus.io_milvusclusters.yaml
@@ -5674,6 +5674,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
diff --git a/config/crd/bases/milvus.io_milvuses.yaml b/config/crd/bases/milvus.io_milvuses.yaml
index 61020c04..29b90d55 100644
--- a/config/crd/bases/milvus.io_milvuses.yaml
+++ b/config/crd/bases/milvus.io_milvuses.yaml
@@ -6652,6 +6652,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
diff --git a/config/samples/run_as_non_root.yaml b/config/samples/run_as_non_root.yaml
new file mode 100644
index 00000000..3ed7451c
--- /dev/null
+++ b/config/samples/run_as_non_root.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mc-sit
+---
+apiVersion: milvus.io/v1beta1
+kind: Milvus
+metadata:
+ name: milvus
+ namespace: mc-sit
+ labels:
+ app: milvus
+spec:
+ components:
+ runAsNonRoot: true
+ volumes:
+ - emptyDir: {}
+ name: data
+ volumeMounts:
+ - mountPath: /milvus/data
+ name: data
+ config:
+ localStorage:
+ path: /milvus/data
diff --git a/deploy/manifests/deployment.yaml b/deploy/manifests/deployment.yaml
index e0144c26..47b2cebb 100644
--- a/deploy/manifests/deployment.yaml
+++ b/deploy/manifests/deployment.yaml
@@ -5707,6 +5707,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
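Review bot: The new sample mounts `emptyDir: {}` at `/milvus/data` and points `config.localStorage.path` there without explaining why, so a reader copying it will not know that the override is what makes `runAsNonRoot` work (presumably the image's default local-storage path is not writable by uid 1000), nor that an emptyDir is wiped whenever the pod is rescheduled. A YAML comment above `volumes:` would fix both, e.g. `# runAsNonRoot needs a localStorage path writable by uid 1000; emptyDir is for demonstration only, use a PVC for real deployments`.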
@@ -13373,6 +13375,8 @@ spec:
 type: array
 x-kubernetes-preserve-unknown-fields: true
 type: object
+ runAsNonRoot:
+ type: boolean
 runWithSubProcess:
 type: boolean
 schedulerName:
diff --git a/pkg/controllers/deployment_updater.go b/pkg/controllers/deployment_updater.go
index cfbebcd1..9022e758 100644
--- a/pkg/controllers/deployment_updater.go
+++ b/pkg/controllers/deployment_updater.go
@@ -101,6 +101,13 @@ func updatePodTemplate(
 updateSidecars(template, updater)
 updateNetworkSettings(template, updater)
+ if updater.GetMilvus().Spec.Com.RunAsNonRoot {
+ template.Spec.SecurityContext = &corev1.PodSecurityContext{
+ RunAsNonRoot: &updater.GetMilvus().Spec.Com.RunAsNonRoot,
+ RunAsUser: int64Ptr(1000),
+ }
+ }
+
 var hasUpdates = !IsEqual(currentTemplate, template)
 switch {
 case hasUpdates:
diff --git a/pkg/controllers/deployments.go b/pkg/controllers/deployments.go
index a5d4113a..401b3e9c 100644
--- a/pkg/controllers/deployments.go
+++ b/pkg/controllers/deployments.go
@@ -273,6 +273,10 @@ func renderInitContainer(container *corev1.Container, toolImage string) *corev1.
 configVolumeMount,
 toolVolumeMount,
 }
+ container.SecurityContext = &corev1.SecurityContext{
+ RunAsNonRoot: boolPtr(true),
+ RunAsUser: int64Ptr(1000),
+ }
 fillContainerDefaultValues(container)
 return container
 }
@@ -297,6 +301,8 @@ var (
 )
 func configVolumeByName(name string) corev1.Volume {
+ // so that non root user can change the config
+ configmapMode := int32(0777)
 return corev1.Volume{
 Name: MilvusConfigVolumeName,
 VolumeSource: corev1.VolumeSource{
@@ -304,7 +310,7 @@ func configVolumeByName(name string) corev1.Volume {
 LocalObjectReference: corev1.LocalObjectReference{
 Name: name,
 },
- DefaultMode: &DefaultConfigMapMode,
+ DefaultMode: &configmapMode,
 },
 },
 }
diff --git a/pkg/controllers/utils.go b/pkg/controllers/utils.go
index a1464563..87445b92 100644
--- a/pkg/controllers/utils.go
+++ b/pkg/controllers/utils.go
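Review bot: The `if updater.GetMilvus().Spec.Com.RunAsNonRoot` branch assigns a brand-new `corev1.PodSecurityContext`, so any pod-level settings already on the template (an fsGroup, seccomp profile or supplemental groups set by earlier steps or by the user's pod template) are silently discarded, and no `FSGroup` is set, which leaves PVC-backed volumes root-owned and unwritable by uid 1000 — presumably why both samples fall back to an emptyDir. Merging into an existing context and defaulting `FSGroup` only when absent avoids both problems, and `boolPtr(true)` matches the init-container code instead of aliasing a pointer into the CR's spec field. Whether a SecurityContext can already be populated at this point depends on code outside the hunk; `updatePodTemplate` starts before it.

```go
if updater.GetMilvus().Spec.Com.RunAsNonRoot {
	if template.Spec.SecurityContext == nil {
		template.Spec.SecurityContext = &corev1.PodSecurityContext{}
	}
	template.Spec.SecurityContext.RunAsNonRoot = boolPtr(true)
	template.Spec.SecurityContext.RunAsUser = int64Ptr(1000)
	if template.Spec.SecurityContext.FSGroup == nil {
		// let uid 1000 write to volumes that are root-owned by default (e.g. PVCs)
		template.Spec.SecurityContext.FSGroup = int64Ptr(1000)
	}
}
// … unchanged: hasUpdates comparison and switch …
```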
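Review bot: The init container receives `RunAsNonRoot: boolPtr(true)` and `RunAsUser: int64Ptr(1000)` unconditionally, while the pod-level context in deployment_updater.go is gated on `Spec.Com.RunAsNonRoot`; clusters that never opted in will have their init container re-rendered as uid 1000 on the next reconcile, which breaks if the tool image or the copied files need root (cannot tell from here). If that is intentional it deserves a comment saying so, e.g. `// always run the init container unprivileged; it only copies files into the tool volume`. Either way the uid 1000 is now hard-coded in two files and should be one shared constant such as `const milvusNonRootUID int64 = 1000`. `renderInitContainer` starts before the hunk.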
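Review bot: `configmapMode := int32(0777)` makes every file projected from the config ConfigMap world-writable and executable, and the comment `// so that non root user can change the config` is not accurate: kubelet mounts ConfigMap volumes read-only regardless of `defaultMode`, so a wider mode cannot make them writable — the init container presumably copies the config to a writable location instead. A read-only mode is sufficient and avoids shipping an executable, world-writable config file, so change the line to `configmapMode := int32(0644)` with a comment like `// ConfigMap volumes are mounted read-only; the init container copies the config to a writable path`. Note this change applies to every deployment, not just those with `runAsNonRoot`, and the now-unreferenced `DefaultConfigMapMode` may be left dangling outside the hunk.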
@@ -472,6 +472,10 @@ func int64Ptr(i int64) *int64 {
 return &ret
 }
+func boolPtr(b bool) *bool {
+ return &b
+}
+
 func getDeployReplicas(deploy *appsv1.Deployment) int {
 if deploy.Spec.Replicas == nil {
 return 1
diff --git a/pkg/controllers/utils_test.go b/pkg/controllers/utils_test.go
index 0b851644..1bb713c4 100644
--- a/pkg/controllers/utils_test.go
+++ b/pkg/controllers/utils_test.go
@@ -533,3 +533,7 @@ func TestSetControllerReference(t *testing.T) {
 func Test_int64Ptr(t *testing.T) {
 assert.Equal(t, int64(10), *int64Ptr(10))
 }
+
+func Test_boolPtr(t *testing.T) {
+ assert.True(t, *boolPtr(true))
+}
diff --git a/test/min-mc-feature.yaml b/test/min-mc-feature.yaml
index a1a37036..d472013c 100644
--- a/test/min-mc-feature.yaml
+++ b/test/min-mc-feature.yaml
@@ -16,12 +16,19 @@ spec:
 components:
 rollingMode: 3
 runWithSubProcess: true
+ runAsNonRoot: true
 proxy:
 ingress:
 hosts: ["mc-sit.milvus.io"]
 replicas: 1
 mixCoord:
 replicas: 1
+ volumes:
+ - emptyDir: {}
+ name: data
+ volumeMounts:
+ - mountPath: /milvus/data
+ name: data
 dependencies:
 etcd:
 inCluster:
@@ -55,6 +62,8 @@ spec:
 persistence:
 size: 20Gi
 config:
+ localStorage:
+ path: /milvus/data
 milvus:
 log:
 level: info