fix: extend a component's security context to its config init container

[adalimayeu]

The current approach allows overriding custom securityContext settings for each component. At the same time, the securityContext of the config init container is hardcoded to runAsNonRoot=true and runAsUser=1000, which is not sufficient to meet the restricted policy level in accordance with the Pod Security Standards.

it can be briefly checked with psa-checker tool:

with the following Milvus specs:

spec:
  components:
    dataNode:
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
    disableMetric: false
# ...

the check complains about the config init container, whereas the main pod container passes:

go run cmd/psa-cluster-checker/main.go --level restricted --namespace default
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-cr5wc is not allowed to run in restricted: container "config" must set securityContext.allowPrivilegeEscalation=false
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-cr5wc is not allowed to run in restricted: container "config" must set securityContext.capabilities.drop=["ALL"]
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-cr5wc is not allowed to run in restricted: pod or container "config" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-hb6c5 is not allowed to run in restricted: container "config" must set securityContext.allowPrivilegeEscalation=false
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-hb6c5 is not allowed to run in restricted: container "config" must set securityContext.capabilities.drop=["ALL"]
Pod default/milvus-cluster-milvus-datanode-64dd5f9547-hb6c5 is not allowed to run in restricted: pod or container "config" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"

PR changes:

• added security context checks to the renderInitContainer function, which now requires passing updater as an argument instead of toolImage
• the logic remains the same: the config container is not updated when UpdateToolImage is set to false
• added unit tests

[sre-ci-robot]

Welcome @adalimayeu! It looks like this is your first PR to zilliztech/milvus-operator 🎉

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.63%. Comparing base (bdc7466) to head (9b73270).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/controllers/deployment_updater.go	33.33%	5 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #464      +/-   ##
==========================================
+ Coverage   76.60%   76.63%   +0.03%     
==========================================
  Files          66       66              
  Lines        6116     6124       +8     
==========================================
+ Hits         4685     4693       +8     
  Misses       1173     1173              
  Partials      258      258              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[haorenfsa]

Thank you @adalimayeu. There're 2 things to be done before we could merge your patch:

• Please help us add security context configuration in https://github.com/zilliztech/milvus-operator/blob/main/test/min-milvus-feature.yaml to verify it work as expected in integration tests.
• Please sign-off all your commits https://github.com/zilliztech/milvus-operator/pull/464/checks?check_run_id=61981782499

the CI failure is due to the action easimon/maximize-build-space compatibility with newest github action, which we'll fix soon.

[adalimayeu]

There're 2 things to be done before we could merge your patch:

hi @haorenfsa, it's done, could you please review it once again?

[sre-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adalimayeu, haorenfsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [haorenfsa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[haorenfsa]

@adalimayeu thank you! we can get it merged after CI passed

[haorenfsa]

It looks like we need to make some other changes to the milvus image before merging.

[haorenfsa]

/assign

[adalimayeu]

@haorenfsa , could you please run the pipelines once again? It’s working fine on my local setup now.

currently, the data volume /var/lib/milvus is created only for WoodPecker, RocketMQ, or NATS message streaming types. Whether it is emptyDir or pvc-based depends on the persistence setting (see link).

However, MilvusDB attempts to call mkdir for /var/lib/milvus regardless of the selected message streaming type - link. For a non-root user, it is necessary that this directory already exists and has the appropriate ownership and permissions.

This is achieved by mounting an emptyDir data volume in case we run as non-root user + specifying fsGroup=1000 in the PodSecurityContext.

Updated min-milvus-feature.yaml accordingly.

[adalimayeu]

@haorenfsa, @LoveEachDay, can you please review the PR once again? thanks!