StarRocks · kevincai · Jul 27, 2023 · Jul 26, 2023 · Jul 26, 2023 · Jul 26, 2023
diff --git a/config/crd/bases/starrocks.com_starrocksclusters.yaml b/config/crd/bases/starrocks.com_starrocksclusters.yaml
@@ -1168,6 +1168,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.
@@ -3112,6 +3117,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.
@@ -4382,6 +4392,11 @@ spec:
                       it defaults to Limits if that is explicitly specified, otherwise
                       to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
+                  runAsNonRoot:
+                    description: 'RunAsGroup is used to determine whether to run starrocks
+                      as a normal user. If RunAsGroup is true, operator will set RunAsGroup
+                      and RunAsGroup to 1000 in securityContext. default: nil'
+                    type: boolean
                   schedulerName:
                     description: SchedulerName is the name of the kubernetes scheduler
                       that will be used to schedule the pods.

diff --git a/deploy/starrocks.com_starrocksclusters.yaml b/deploy/starrocks.com_starrocksclusters.yaml
@@ -549,6 +549,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:
@@ -1467,6 +1469,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:
@@ -2058,6 +2062,8 @@ spec:
                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                       x-kubernetes-int-or-string: true
                     type: object
+                  runAsNonRoot:
+                    type: boolean
                   schedulerName:
                     type: string
                   secrets:

diff --git a/doc/api.md b/doc/api.md
@@ -1374,6 +1374,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsNonRoot</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2037,6 +2050,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsNonRoot</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2486,6 +2512,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsNonRoot</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64
@@ -2884,6 +2923,19 @@ string
 </tr>
 <tr>
 <td>
+<code>runAsNonRoot</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>RunAsGroup is used to determine whether to run starrocks as a normal user.
+If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+default: nil</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>fsGroup</code><br/>
 <em>
 int64

diff --git a/helm-charts/charts/kube-starrocks/templates/starrocks/starrockscluster.yaml b/helm-charts/charts/kube-starrocks/templates/starrocks/starrockscluster.yaml
@@ -46,6 +46,7 @@ spec:
     serviceAccount: {{ .Values.starrocksFESpec.serviceAccount }}
 {{- end }}
     fsGroup: {{ .Values.starrocksFESpec.fsGroup }}
+    runAsNonRoot: {{ .Values.starrocksFESpec.runAsNonRoot }}
 {{- if .Values.starrocksFESpec.nodeSelector }}
     nodeSelector:
 {{ toYaml .Values.starrocksFESpec.nodeSelector | indent 6 }}
@@ -162,6 +163,7 @@ spec:
     serviceAccount: {{ .Values.starrocksBeSpec.serviceAccount }}
 {{- end }}
     fsGroup: {{ .Values.starrocksBeSpec.fsGroup }}
+    runAsNonRoot: {{ .Values.starrocksBeSpec.runAsNonRoot }}
 {{- if .Values.starrocksBeSpec.podLabels }}
     podLabels:
 {{toYaml .Values.starrocksBeSpec.podLabels | indent 6 }}
@@ -250,6 +252,7 @@ spec:
     serviceAccount: {{ .Values.starrocksCnSpec.serviceAccount }}
 {{- end }}
     fsGroup: {{ .Values.starrocksCnSpec.fsGroup }}
+    runAsNonRoot: {{ .Values.starrocksCnSpec.runAsNonRoot }}
 {{- if .Values.starrocksCnSpec.podLabels }}
     podLabels:
 {{toYaml .Values.starrocksCnSpec.podLabels | indent 6 }}

diff --git a/helm-charts/charts/kube-starrocks/values.yaml b/helm-charts/charts/kube-starrocks/values.yaml
@@ -77,6 +77,9 @@ starrocksFESpec:
     tag: 3.0-latest
   # add annotations for fe pods. For example, if you want to config monitor for datadog, you can config the annotations.
   annotations: {}
+  # If runAsNonRoot is true, the container is run as non-root user.
+  # The userId will be set to 1000, and the groupID will be set to 1000.
+  runAsNonRoot: false
   # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change
   # the ownership of that volume to be owned by the pod.
   # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
@@ -191,6 +194,9 @@ starrocksCnSpec:
   serviceAccount: ""
   # add annotations for cn pods. example, if you want to config monitor for datadog, you can config the annotations.
   annotations: {}
+  # If runAsNonRoot is true, the container is run as non-root user.
+  # The userId will be set to 1000, and the groupID will be set to 1000.
+  runAsNonRoot: false
   # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change
   # the ownership of that volume to be owned by the pod.
   # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
@@ -319,6 +325,9 @@ starrocksBeSpec:
   serviceAccount: ""
   # add annotations for be pods. example, if you want to config monitor for datadog, you can config the annotations.
   annotations: {}
+  # If runAsNonRoot is true, the container is run as non-root user.
+  # The userId will be set to 1000, and the groupID will be set to 1000.
+  runAsNonRoot: false
   # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change
   # the ownership of that volume to be owned by the pod.
   # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

diff --git a/pkg/apis/starrocks/v1/component_type.go b/pkg/apis/starrocks/v1/component_type.go
@@ -34,6 +34,7 @@ type SpecInterface interface {
 	GetHostAliases() []corev1.HostAlias
 	GetSchedulerName() string
 	GetFsGroup() *int64
+	GetRunAsNonRoot() (*int64, *int64)
 	GetAnnotations() map[string]string
 }
 
@@ -84,6 +85,11 @@ type StarRocksComponentSpec struct {
 	// serviceAccount for access cloud service.
 	ServiceAccount string `json:"serviceAccount,omitempty"`
 
+	// RunAsGroup is used to determine whether to run starrocks as a normal user.
+	// If RunAsGroup is true, operator will set RunAsGroup and RunAsGroup to 1000 in securityContext.
+	// default: nil
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
@@ -385,3 +391,14 @@ func (spec *StarRocksComponentSpec) GetSchedulerName() string {
 func (spec *StarRocksComponentSpec) GetFsGroup() *int64 {
 	return spec.FsGroup
 }
+
+func (spec *StarRocksComponentSpec) GetRunAsNonRoot() (*int64, *int64) {
+	runAsNonRoot := spec.RunAsNonRoot
+	if runAsNonRoot == nil || *runAsNonRoot == false {
+		return nil, nil
+	}
+
+	userId := int64(1000)
+	groupId := int64(1000)
+	return &userId, &groupId
+}
diff --git a/pkg/apis/starrocks/v1/zz_generated.deepcopy.go b/pkg/apis/starrocks/v1/zz_generated.deepcopy.go
diff --git a/pkg/k8sutils/templates/pod/spec.go b/pkg/k8sutils/templates/pod/spec.go
@@ -425,13 +425,20 @@ func PodSecurityContext(spec v1.SpecInterface) *corev1.PodSecurityContext {
 	return nil
 }
 
-func ContainerSecurityContext() *corev1.SecurityContext {
+func ContainerSecurityContext(spec v1.SpecInterface) *corev1.SecurityContext {
+	userId, groupId := spec.GetRunAsNonRoot()
+
+	var runAsNonRoot *bool
+	if userId != nil && *userId != 0 {
+		b := true
+		runAsNonRoot = &b
+	}
 	return &corev1.SecurityContext{
+		RunAsUser:                userId,
+		RunAsGroup:               groupId,
+		RunAsNonRoot:             runAsNonRoot,
 		AllowPrivilegeEscalation: func() *bool { b := false; return &b }(),
 		// starrocks will create pid file, eg.g /opt/starrocks/fe/bin/fe.pid, so set it to false
 		ReadOnlyRootFilesystem: func() *bool { b := false; return &b }(),
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeUnconfined,
-		},
 	}
 }
diff --git a/pkg/sub_controller/be/be_pod.go b/pkg/sub_controller/be/be_pod.go
@@ -90,7 +90,7 @@ func (be *BeController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/be_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(beSpec),
 	}
 	if beSpec.ConfigMapInfo.ConfigMapName != "" && beSpec.ConfigMapInfo.ResolveKey != "" {
 		beContainer.Env = append(beContainer.Env, corev1.EnvVar{

diff --git a/pkg/sub_controller/cn/cn_pod.go b/pkg/sub_controller/cn/cn_pod.go
@@ -73,7 +73,7 @@ func (cc *CnController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.WEBSERVER_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/cn_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(cnSpec),
 	}
 
 	if cnSpec.ConfigMapInfo.ConfigMapName != "" && cnSpec.ConfigMapInfo.ResolveKey != "" {

diff --git a/pkg/sub_controller/fe/fe_pod.go b/pkg/sub_controller/fe/fe_pod.go
@@ -89,7 +89,7 @@ func (fc *FeController) buildPodTemplate(src *srapi.StarRocksCluster, config map
 		LivenessProbe:   pod.LivenessProbe(rutils.GetPort(config, rutils.HTTP_PORT), pod.HEALTH_API_PATH),
 		ReadinessProbe:  pod.ReadinessProbe(rutils.GetPort(config, rutils.HTTP_PORT), pod.HEALTH_API_PATH),
 		Lifecycle:       pod.LifeCycle("/opt/starrocks/fe_prestop.sh"),
-		SecurityContext: pod.ContainerSecurityContext(),
+		SecurityContext: pod.ContainerSecurityContext(feSpec),
 	}
 
 	if feSpec.ConfigMapInfo.ConfigMapName != "" && feSpec.ConfigMapInfo.ResolveKey != "" {