[Feature] add runAsUser filed

Signed-off-by: yandongxiao <[email protected]>

config/crd/bases/starrocks.com_starrocksclusters.yaml

@@ -1168,6 +1168,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.
@@ -3112,6 +3117,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.
@@ -4382,6 +4392,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.

deploy/starrocks.com_starrocksclusters.yaml

@@ -549,6 +549,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:
@@ -1467,6 +1469,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:
@@ -2058,6 +2062,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:

doc/api.md

@@ -1374,6 +1374,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsUser</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2037,6 +2050,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsUser</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2486,6 +2512,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsUser</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2884,6 +2923,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsUser</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64

helm-charts/charts/kube-starrocks/values.yaml

@@ -191,6 +191,7 @@ starrocksCnSpec:
   serviceAccount: ""
   # add annotations for cn pods. example, if you want to config monitor for datadog, you can config the annotations.
   annotations: {}
+  runAsUser: 0
   # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change
   # the ownership of that volume to be owned by the pod.
   # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

pkg/apis/starrocks/v1/component_type.go

@@ -34,6 +34,7 @@ type SpecInterface interface {
 	GetHostAliases() []corev1.HostAlias
 	GetSchedulerName() string
 	GetFsGroup() *int64
+	GetRunAsNonRoot() (*int64, *int64)
 	GetAnnotations() map[string]string
 }
 
@@ -84,6 +85,11 @@ type StarRocksComponentSpec struct {
 	// serviceAccount for access cloud service.
 	ServiceAccount string `json:"serviceAccount,omitempty"`
 
+	// RunAsGroup is used to determine whether to run starrocks as a normal user.
+	// If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+	// default: nil
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
@@ -385,3 +391,14 @@ func (spec *StarRocksComponentSpec) GetSchedulerName() string {
 func (spec *StarRocksComponentSpec) GetFsGroup() *int64 {
 	return spec.FsGroup
 }
+
+func (spec *StarRocksComponentSpec) GetRunAsNonRoot() (*int64, *int64) {
+	runAsNonRoot := spec.RunAsNonRoot
+	if runAsNonRoot == nil || *runAsNonRoot == false {
+		return nil, nil
+	}
+
+	userId := int64(1000)
+	groupId := int64(1000)
+	return &userId, &groupId
+}

pkg/k8sutils/templates/pod/spec.go

@@ -425,13 +425,20 @@ func PodSecurityContext(spec v1.SpecInterface) *corev1.PodSecurityContext {
 	return nil
 }
 
-func ContainerSecurityContext() *corev1.SecurityContext {
+func ContainerSecurityContext(spec v1.SpecInterface) *corev1.SecurityContext {
+	userId, groupId := spec.GetRunAsNonRoot()
+
+	var runAsNonRoot *bool
+	if userId != nil && *userId != 0 {
+		b := true
+		runAsNonRoot = &b
+	}
 	return &corev1.SecurityContext{
+		RunAsUser:                userId,
+		RunAsGroup:               groupId,
+		RunAsNonRoot:             runAsNonRoot,
 		AllowPrivilegeEscalation: func() *bool { b := false; return &b }(),
 		// starrocks will create pid file, eg.g /opt/starrocks/fe/bin/fe.pid, so set it to false
 		ReadOnlyRootFilesystem: func() *bool { b := false; return &b }(),
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeUnconfined,
-		},
 	}
 }

pkg/sub_controller/be/be_pod.go

@@ -90,7 +90,7 @@ func (be *BeController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/be_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(beSpec),
 	}
 	if beSpec.ConfigMapInfo.ConfigMapName != "" && beSpec.ConfigMapInfo.ResolveKey != "" {
 		beContainer.Env = append(beContainer.Env, corev1.EnvVar{

pkg/sub_controller/cn/cn_pod.go

@@ -73,7 +73,7 @@ func (cc *CnController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/cn_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(cnSpec),
 	}
 
 	if cnSpec.ConfigMapInfo.ConfigMapName != "" && cnSpec.ConfigMapInfo.ResolveKey != "" {

pkg/sub_controller/fe/fe_pod.go

@@ -89,7 +89,7 @@ func (fc *FeController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.HTTP_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.HTTP_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/fe_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(feSpec),
 	}
 
 	if feSpec.ConfigMapInfo.ConfigMapName != "" && feSpec.ConfigMapInfo.ResolveKey != "" {