Hi!
I would like to start cassandra pod as well as all processes as cassandra user, not root. I've tried both combinations below in my dc1.yaml, no luck. StatefulSet has securityContext set as "{}".
1.
spec: template: spec: securityContext: runAsUser: 999
2.
spec: securityContext: runAsUser: 999
But if I patch StatefulSet, it works fine. How do I predefine the setting on a pod level?
Thanks,
Vladimir
In you CassandraDatacenter spec add the following,
dockerImageRunsAsCassandra: true
That will cause cass-operator to use a SecurityContext like you are trying to do.
Do you know what Cassandra image you are using? If not what version are you specifying in your CassandraDatacenter manifest? The reason I ask is that the default images are not built to run as a non-root user.
I work on the k8ssandra project which uses cass-operator. In k8ssandra we are using non-root images. They can be used directly with cass-operator as well. See here for the images we use in k8ssandra.
Good luck!
John
@john.sanda_194109 Thanks, this option works just fine! I'm using cassandra-mgmtapi-3_11_10:v0.1.23. Also thanks for mentioning k8ssandra, I will take a look.
If you're provisioning a Cassandra cluster with the cass-operator, the image is already configured to run as the cassandra user.
It would be great if you could provide some background information on why you think processes are running as root instead so we could look into it. Cheers!
[UPDATE] I'm going to defer to John on this one. :)
Some of processes run as root by default. That's what I meant.
kubectl exec -n cass-operator -it cluster1-dc1-rack2-sts-0 -c server-system-logger -- ps -ef | grep root 1 root 0:00 tail -n+1 -F /var/log/cassandra/system.log 36 root 0:00 ps -ef
kubectl exec -n cass-operator -it cluster1-dc1-rack2-sts-0 -c cassandra -- ps -ef | grep root root 1 0 0 22:04 ? 00:00:00 /tini -g -- gosu cassandra j
5 People are following this question.
