[Enhancement] Support ReadOnlyRootFilesystem

Signed-off-by: yandongxiao <[email protected]>

config/crd/bases/starrocks.com_starrocksclusters.yaml

@@ -2619,6 +2619,13 @@ spec:
                       type: string
                     description: the pod labels for user select or classify pods.
                     type: object
+                  readOnlyRootFilesystem:
+                    description: "Whether this container has a read-only root filesystem.\nDefault
+                      is false.\nNote that:\n\t1. This field cannot be set when spec.os.name
+                      is windows.\n\t2. The FE/BE/CN container should support read-only
+                      root filesystem. The newest version of FE/BE/CN is 3.3.6,\n
+                      \   and does not support read-only root filesystem"
+                    type: boolean
                   readinessProbeFailureSeconds:
                     description: |-
                       ReadinessProbeFailureSeconds defines the total failure seconds of readiness Probe.
@@ -7581,6 +7588,13 @@ spec:
                       type: string
                     description: the pod labels for user select or classify pods.
                     type: object
+                  readOnlyRootFilesystem:
+                    description: "Whether this container has a read-only root filesystem.\nDefault
+                      is false.\nNote that:\n\t1. This field cannot be set when spec.os.name
+                      is windows.\n\t2. The FE/BE/CN container should support read-only
+                      root filesystem. The newest version of FE/BE/CN is 3.3.6,\n
+                      \   and does not support read-only root filesystem"
+                    type: boolean
                   readinessProbeFailureSeconds:
                     description: |-
                       ReadinessProbeFailureSeconds defines the total failure seconds of readiness Probe.
@@ -13413,6 +13427,13 @@ spec:
                       type: string
                     description: the pod labels for user select or classify pods.
                     type: object
+                  readOnlyRootFilesystem:
+                    description: "Whether this container has a read-only root filesystem.\nDefault
+                      is false.\nNote that:\n\t1. This field cannot be set when spec.os.name
+                      is windows.\n\t2. The FE/BE/CN container should support read-only
+                      root filesystem. The newest version of FE/BE/CN is 3.3.6,\n
+                      \   and does not support read-only root filesystem"
+                    type: boolean
                   readinessProbeFailureSeconds:
                     description: |-
                       ReadinessProbeFailureSeconds defines the total failure seconds of readiness Probe.

config/crd/bases/starrocks.com_starrockswarehouses.yaml

@@ -3230,6 +3230,13 @@ spec:
                       type: string
                     description: the pod labels for user select or classify pods.
                     type: object
+                  readOnlyRootFilesystem:
+                    description: "Whether this container has a read-only root filesystem.\nDefault
+                      is false.\nNote that:\n\t1. This field cannot be set when spec.os.name
+                      is windows.\n\t2. The FE/BE/CN container should support read-only
+                      root filesystem. The newest version of FE/BE/CN is 3.3.6,\n
+                      \   and does not support read-only root filesystem"
+                    type: boolean
                   readinessProbeFailureSeconds:
                     description: |-
                       ReadinessProbeFailureSeconds defines the total failure seconds of readiness Probe.

deploy/starrocks.com_starrocksclusters.yaml

@@ -1281,6 +1281,8 @@ spec:
                     additionalProperties:
                       type: string
                     type: object
+                  readOnlyRootFilesystem:
+                    type: boolean
                   readinessProbeFailureSeconds:
                     format: int32
                     type: integer
@@ -3634,6 +3636,8 @@ spec:
                     additionalProperties:
                       type: string
                     type: object
+                  readOnlyRootFilesystem:
+                    type: boolean
                   readinessProbeFailureSeconds:
                     format: int32
                     type: integer
@@ -6333,6 +6337,8 @@ spec:
                     additionalProperties:
                       type: string
                     type: object
+                  readOnlyRootFilesystem:
+                    type: boolean
                   readinessProbeFailureSeconds:
                     format: int32
                     type: integer

deploy/starrocks.com_starrockswarehouses.yaml

@@ -1603,6 +1603,8 @@ spec:
                     additionalProperties:
                       type: string
                     type: object
+                  readOnlyRootFilesystem:
+                    type: boolean
                   readinessProbeFailureSeconds:
                     format: int32
                     type: integer

helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml

@@ -86,6 +86,9 @@ spec:
     serviceAccount: {{ include "starrockscluster.fe.serviceAccount" . }}
     {{- end }}
     runAsNonRoot: {{ include "starrockscluster.fe.runAsNonRoot" . }}
+    {{- if .Values.starrocksFESpec.readOnlyRootFilesystem }}
+    readOnlyRootFilesystem: {{ .Values.starrocksFESpec.readOnlyRootFilesystem }}
+    {{-end }}
     {{- if or .Values.starrocksFESpec.nodeSelector .Values.starrocksCluster.componentValues.nodeSelector }}
     nodeSelector:
       {{- include "starrockscluster.fe.nodeSelector" . | nindent 6 }}
@@ -319,6 +322,9 @@ spec:
     serviceAccount: {{ include "starrockscluster.be.serviceAccount" . }}
     {{- end }}
     runAsNonRoot: {{ include "starrockscluster.be.runAsNonRoot" . }}
+    {{- if .Values.starrocksBeSpec.readOnlyRootFilesystem }}
+    readOnlyRootFilesystem: {{ .Values.starrocksBeSpec.readOnlyRootFilesystem }}
+    {{-end }}
     {{- if or .Values.starrocksBeSpec.capabilities .Values.datadog.profiling.be }}
     capabilities:
       {{- if or .Values.starrocksBeSpec.capabilities.add .Values.datadog.profiling.be }}
@@ -531,6 +537,9 @@ spec:
     serviceAccount: {{ include "starrockscluster.cn.serviceAccount" . }}
     {{- end }}
     runAsNonRoot: {{ include "starrockscluster.cn.runAsNonRoot" . }}
+    {{- if .Values.starrocksCnSpec.readOnlyRootFilesystem }}
+    readOnlyRootFilesystem: {{ .Values.starrocksCnSpec.readOnlyRootFilesystem }}
+    {{-end }}
     {{- if or .Values.starrocksCnSpec.capabilities .Values.datadog.profiling.cn }}
     capabilities:
       {{- if or .Values.starrocksCnSpec.capabilities.add .Values.datadog.profiling.cn }}

helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml

@@ -162,6 +162,9 @@ starrocksFESpec:
   # If runAsNonRoot is true, the container is run as non-root user.
   # The userId will be set to 1000, and the groupID will be set to 1000.
   runAsNonRoot: false
+  # Whether this container has a read-only root filesystem.
+  # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+  readOnlyRootFilesystem: false
   # specify the service name and port config and serviceType
   # the service type refer https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
   service:
@@ -420,6 +423,9 @@ starrocksCnSpec:
   # If runAsNonRoot is true, the container is run as non-root user.
   # The userId will be set to 1000, and the groupID will be set to 1000.
   runAsNonRoot: false
+  # Whether this container has a read-only root filesystem.
+  # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+  readOnlyRootFilesystem: false
   # add/drop capabilities for CN container.
   capabilities: {}
   #  add:
@@ -723,6 +729,9 @@ starrocksBeSpec:
   # If runAsNonRoot is true, the container is run as non-root user.
   # The userId will be set to 1000, and the groupID will be set to 1000.
   runAsNonRoot: false
+  # Whether this container has a read-only root filesystem.
+  # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+  readOnlyRootFilesystem: false
   # add/drop capabilities for BE container.
   capabilities: {}
   #  add:

helm-charts/charts/kube-starrocks/values.yaml

@@ -270,6 +270,9 @@ starrocks:
     # If runAsNonRoot is true, the container is run as non-root user.
     # The userId will be set to 1000, and the groupID will be set to 1000.
     runAsNonRoot: false
+    # Whether this container has a read-only root filesystem.
+    # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+    readOnlyRootFilesystem: false
     # specify the service name and port config and serviceType
     # the service type refer https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
     service:
@@ -528,6 +531,9 @@ starrocks:
     # If runAsNonRoot is true, the container is run as non-root user.
     # The userId will be set to 1000, and the groupID will be set to 1000.
     runAsNonRoot: false
+    # Whether this container has a read-only root filesystem.
+    # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+    readOnlyRootFilesystem: false
     # add/drop capabilities for CN container.
     capabilities: {}
     #  add:
@@ -831,6 +837,9 @@ starrocks:
     # If runAsNonRoot is true, the container is run as non-root user.
     # The userId will be set to 1000, and the groupID will be set to 1000.
     runAsNonRoot: false
+    # Whether this container has a read-only root filesystem.
+    # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
+    readOnlyRootFilesystem: false
     # add/drop capabilities for BE container.
     capabilities: {}
     #  add:

pkg/apis/starrocks/v1/component_type.go

@@ -100,6 +100,15 @@ type StarRocksComponentSpec struct {
 	//       MaxUnavailableStatefulSet feature gate enabled.
 	// +optional
 	UpdateStrategy *appv1.StatefulSetUpdateStrategy `json:"updateStrategy,omitempty"`
+
+	// Whether this container has a read-only root filesystem.
+	// Default is false.
+	// Note that:
+	// 	1. This field cannot be set when spec.os.name is windows.
+	//	2. The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6,
+	//     and does not support read-only root filesystem
+	// +optional
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
 }
 
 // StarRocksComponentStatus represents the status of a starrocks component.
@@ -234,3 +243,11 @@ func ValidUpdateStrategy(updateStrategy *appv1.StatefulSetUpdateStrategy) error
 	}
 	return nil
 }
+
+func (spec *StarRocksComponentSpec) IsReadOnlyRootFilesystem() *bool {
+	if spec.ReadOnlyRootFilesystem == nil {
+		b := false
+		return &b
+	}
+	return spec.ReadOnlyRootFilesystem
+}

pkg/apis/starrocks/v1/starrockscluster_types.go

@@ -78,6 +78,7 @@ type SpecInterface interface {
 	GetCapabilities() *corev1.Capabilities
 	GetSidecars() []corev1.Container
 	GetInitContainers() []corev1.Container
+	IsReadOnlyRootFilesystem() *bool
 }
 
 var _ SpecInterface = &StarRocksFeSpec{}
@@ -219,7 +220,7 @@ func (spec *StarRocksFeProxySpec) GetInitContainers() []corev1.Container {
 
 // GetCommand
 // fe proxy does not have field command, the reason why implementing this method is
-// // that StarRocksFeProxySpec needs to implement SpecInterface interface
+// that StarRocksFeProxySpec needs to implement SpecInterface interface
 func (spec *StarRocksFeProxySpec) GetCommand() []string {
 	return nil
 }
@@ -236,6 +237,13 @@ func (spec *StarRocksFeProxySpec) GetUpdateStrategy() *appv1.StatefulSetUpdateSt
 	return nil
 }
 
+// IsReadOnlyRootFilesystem
+// fe proxy does not have field ReadOnlyRootFilesystem, the reason why implementing this method is
+// that StarRocksFeProxySpec needs to implement SpecInterface interface
+func (spec *StarRocksFeProxySpec) IsReadOnlyRootFilesystem() *bool {
+	return nil
+}
+
 // Phase is defined under status, e.g.
 // 1. StarRocksClusterStatus.Phase represents the phase of starrocks cluster.
 // 2. StarRocksWarehouseStatus.Phase represents the phase of starrocks warehouse.

pkg/k8sutils/templates/pod/spec.go

@@ -311,8 +311,7 @@ func ContainerSecurityContext(spec v1.SpecInterface) *corev1.SecurityContext {
 		RunAsGroup:               groupID,
 		RunAsNonRoot:             runAsNonRoot,
 		AllowPrivilegeEscalation: func() *bool { b := false; return &b }(),
-		// starrocks will create pid file, e.g. /opt/starrocks/fe/bin/fe.pid, so set it to false
-		ReadOnlyRootFilesystem: func() *bool { b := false; return &b }(),
+		ReadOnlyRootFilesystem:   spec.IsReadOnlyRootFilesystem(),
 		// set additional Capabilities
 		Capabilities: spec.GetCapabilities(),
 	}