
SecurityContext only partly applied to Jobmanager / Taskmanager

Open timsn opened this issue 3 years ago • 0 comments

To comply with our policies I have set several securityContext settings, such as for the Jobmanager, Taskmanager and Job. The CRD clearly allows setting the securityContext for all the needed resources (see the CRD docs here). But when I set them in the FlinkCluster resource and inspect the deployment created by the operator, only some of them seem to be applied.

For example the Jobmanager part in my flink-cluster.yaml looks like this:

jobManager:
  accessScope: Cluster
  securityContext:
    runAsNonRoot: true
    runAsUser: 9999
    runAsGroup: 9999
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - all
  ports:
    ui: 8081
  resources:
    requests:
      memory: "1024Mi"
      cpu: "200m"
    limits:
      memory: "1024Mi"

And if I inspect the created Jobmanager I can only find these securityContext settings set:

$ kubectl get pod flinksessioncluster-jobmanager-0 -o yaml

Output:

[...]
securityContext:
  runAsGroup: 9999
  runAsNonRoot: true
  runAsUser: 9999

So for example dropping the capabilities isn't applied at all, even though it seems to be part of the CRD: https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/blob/0310df76d6e2128cd5d2bc51fae4e842d370c463/config/crd/bases/flinkoperator.k8s.io_flinkclusters.yaml#L1838-L1855

timsn · Jun 10 '21 14:06
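The three fields that survived in the report above (runAsUser, runAsGroup, runAsNonRoot) are exactly the ones that the Kubernetes core/v1 API accepts in pod.spec.securityContext, while the dropped ones (privileged, allowPrivilegeEscalation, readOnlyRootFilesystem, capabilities) exist only on a container's securityContext. The script below is an added example, not code from flink-on-k8s-operator or from the issue author: it audits a rendered pod against the securityContext written in the FlinkCluster spec, says where each field landed, and splits the flat CRD block into the pod-level and container-level parts a correct renderer would have to emit. The sample spec, pod and the container name "jobmanager" are constructed to mirror the issue; the field sets are those of the core/v1 PodSecurityContext and SecurityContext types (newer additions such as appArmorProfile are left out).

```python
# Added example (not code from flink-on-k8s-operator): check which fields of a
# CRD-style securityContext actually reached the rendered Pod, and where the
# Kubernetes core/v1 API would accept each one.

# Field names of the core/v1 API.  PodSecurityContext and the container-level
# SecurityContext overlap only on the user/group/SELinux/seccomp/Windows
# fields; privileged, capabilities etc. are container-only.  Newer fields such
# as appArmorProfile are omitted here.
POD_LEVEL = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "fsGroup", "fsGroupChangePolicy",
    "supplementalGroups", "seLinuxOptions", "seccompProfile", "sysctls",
    "windowsOptions",
}
CONTAINER_LEVEL = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "privileged",
    "allowPrivilegeEscalation", "readOnlyRootFilesystem", "capabilities",
    "procMount", "seLinuxOptions", "seccompProfile", "windowsOptions",
}

# Constructed: the jobManager.securityContext block from the issue.
DESIRED = {
    "runAsNonRoot": True,
    "runAsUser": 9999,
    "runAsGroup": 9999,
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["all"]},
}

# Constructed: a pod spec shaped like the rendered JobManager pod, where only
# the pod-level fields survived and the container carries no securityContext.
# The container name "jobmanager" is an assumption.
RENDERED_POD_SPEC = {
    "securityContext": {"runAsGroup": 9999, "runAsNonRoot": True, "runAsUser": 9999},
    "containers": [{"name": "jobmanager"}],
}


def split_security_context(desired):
    """Split a flat securityContext into the part the pod spec can hold, the
    part each container must carry, and any field name neither level accepts."""
    pod = {k: v for k, v in desired.items() if k in POD_LEVEL}
    container = {k: v for k, v in desired.items() if k in CONTAINER_LEVEL}
    unknown = sorted(set(desired) - POD_LEVEL - CONTAINER_LEVEL)
    return pod, container, unknown


def audit_pod(desired, pod_spec, container_name):
    """Map each desired field to where it landed in the rendered pod.

    For the overlapping fields a container-level value takes precedence over
    the pod-level one, so the container's securityContext is checked first."""
    pod_ctx = pod_spec.get("securityContext") or {}
    container = next(c for c in pod_spec.get("containers", []) if c["name"] == container_name)
    ctr_ctx = container.get("securityContext") or {}
    report = {}
    for field, want in desired.items():
        if field in ctr_ctx:
            report[field] = ("applied at container level" if ctr_ctx[field] == want
                             else "overridden at container level")
        elif field in POD_LEVEL and pod_ctx.get(field) == want:
            report[field] = "applied at pod level"
        elif field in CONTAINER_LEVEL and field not in POD_LEVEL:
            report[field] = "missing (container-only field, cannot live in pod.spec.securityContext)"
        else:
            report[field] = "missing"
    return report


def missing_fields(report):
    """Names of desired fields that did not take effect anywhere."""
    return sorted(f for f, status in report.items() if status.startswith("missing"))


if __name__ == "__main__":
    report = audit_pod(DESIRED, RENDERED_POD_SPEC, "jobmanager")
    for field, status in report.items():
        print(f"{field:26} {status}")
    pod_part, ctr_part, unknown = split_security_context(DESIRED)
    print("\nexpected pod.spec.securityContext:", pod_part)
    print("expected container securityContext:", ctr_part)
```

To run the same audit against a live cluster, pull both levels out of the real pod with `kubectl get pod <pod> -o jsonpath='{.spec.securityContext}{"\n"}{.spec.containers[*].securityContext}'` and feed the result in as `RENDERED_POD_SPEC`; if the container line comes back empty, every container-only field in the spec has been silently dropped, which is what the issue describes.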