Don't run init container as root and avoid chmod and chowning (#183)

sbernauer · sbernauer · commit f565c4d3e114 · 2022-12-05T08:28:27.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,9 +8,11 @@ All notable changes to this project will be documented in this file.
 
 - Updated stackable image versions ([#176])
 - `operator-rs` `0.22.0` → `0.27.1` ([#178])
+- Don't run init container as root and avoid chmod and chowning ([#183])
 
 [#176]: https://github.com/stackabletech/spark-k8s-operator/pull/176
 [#178]: https://github.com/stackabletech/spark-k8s-operator/pull/178
+[#183]: https://github.com/stackabletech/spark-k8s-operator/pull/183
 
 ## [0.6.0] - 2022-11-07
 
diff --git a/rust/crd/src/constants.rs b/rust/crd/src/constants.rs
@@ -21,7 +21,6 @@ pub const ACCESS_KEY_ID: &str = "accessKeyId";
 pub const SECRET_ACCESS_KEY: &str = "secretAccessKey";
 pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
 
-pub const SPARK_UID: i64 = 1000;
 pub const MIN_MEMORY_OVERHEAD: u32 = 384;
 pub const JVM_OVERHEAD_FACTOR: f32 = 0.1;
 pub const NON_JVM_OVERHEAD_FACTOR: f32 = 0.4;
diff --git a/rust/operator-binary/src/spark_k8s_controller.rs b/rust/operator-binary/src/spark_k8s_controller.rs
@@ -1,7 +1,5 @@
 use snafu::{OptionExt, ResultExt, Snafu};
-use stackable_operator::builder::{
-    ConfigMapBuilder, ContainerBuilder, ObjectMetaBuilder, PodSecurityContextBuilder,
-};
+use stackable_operator::builder::{ConfigMapBuilder, ContainerBuilder, ObjectMetaBuilder};
 
 use stackable_operator::commons::s3::InlinedS3BucketSpec;
 use stackable_operator::commons::tls::{CaCert, TlsVerification};
@@ -481,17 +479,12 @@ fn build_spark_role_serviceaccount(
 }
 
 fn security_context() -> PodSecurityContext {
-    PodSecurityContextBuilder::new()
-        .fs_group(1000)
-        // OpenShift generates UIDs for processes inside Pods. Setting the UID is optional,
-        // *but* if specified, OpenShift will check that the value is within the
-        // valid range generated by the SCC (security context constraints) for this Pod.
-        // On the other hand, it is *required* to set the process UID in KinD, K3S as soon
-        // as the runAsGroup property is set.
-        .run_as_user(SPARK_UID)
-        // Required to access files in mounted volumes on OpenShift.
-        .run_as_group(0)
-        .build()
+    PodSecurityContext {
+        run_as_user: Some(1000),
+        run_as_group: Some(1000),
+        fs_group: Some(1000),
+        ..PodSecurityContext::default()
+    }
 }
 
 pub fn error_policy(_obj: Arc<SparkApplication>, _error: &Error, _ctx: Arc<Ctx>) -> Action {
