Don't require IPC_LOCK and SYS_RESOURCE capabilities by default #237

Closed
johananl opened this issue Aug 14, 2019 · 8 comments

Comments

@johananl
Contributor

We should consider removing the extra capabilities which are currently added to the Cassandra containers by the operator:

SecurityContext: &corev1.SecurityContext{
    Capabilities: &corev1.Capabilities{
        Add: []corev1.Capability{
            "IPC_LOCK",     // C* wants to mlock/mlockall
            "SYS_RESOURCE", // permit ulimit adjustments
        },
    },
},

Following #219 (comment) it is likely that we don't actually need these capabilities in the Cassandra container since things seem to work without them (albeit with potentially reduced performance). We may want to conditionally add these capabilities only when the sysctl support flag discussed in #208 is set to true.

@smiklosovic
Collaborator

Seems like a good idea to me. What is the progress on 208?

@johananl
Contributor Author

@smiklosovic looks like we are waiting for a response from @zegelin and @benbromhead.

I can take the initiative there and propose a solution for #208 following my comment in a new PR, but I thought @alourie was on it so didn't want to interfere.

@alourie
Contributor

alourie commented Aug 19, 2019

@johananl @benbromhead @zegelin yes, I am basically waiting on the comment in #208. I can do this either standalone or as a part of #218.

@DestyNova

Hello, is there a workaround to avoid this problem? As it stands, I can't deploy Cassandra in one of our test clusters:

Warning  FailedCreate      60s (x26 over 6m16s)  statefulset-controller  create
  Pod cassandra-eolas-dc-0 in StatefulSet cassandra-eolas-dc failed error: pods
  "cassandra-eolas-dc-0" is forbidden: unable to validate against any pod security
  policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true:
  Privileged containers are not allowed spec.containers[0].securityContext.capabilities.add:
  Invalid value: "IPC_LOCK": capability may not be added
  spec.containers[0].securityContext.capabilities.add:
  Invalid value: "SYS_RESOURCE": capability may not be added]

@johananl
Contributor Author

Hello @DestyNova. Could you provide some information regarding your setup?

  • The version of the operator you are running.
  • Manifest used to create the Cassandra instance.

Relevant work is being done in #208.

As a workaround in the meantime, you may be able to tweak the relevant pod security policy in your cluster to allow the following:

  • Privileged containers
  • The IPC_LOCK capability
  • The SYS_RESOURCE capability

If you are not sure which PSP to edit, the following may give you a hint:

kubectl get pods <cassandra pod> -oyaml | grep psp
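A scoped form of the PSP workaround above, added here as an example; it is not from the issue thread or the operator project. The policy name, the namespace "cassandra" and the service account "cassandra-operator-pods" are assumptions, and the volume types are assumed to cover what the generated pods mount. It grants only the three things the quoted error complains about, and only to the one service account the Cassandra pods run as, rather than relaxing a cluster-wide policy.

```yaml
# Added example, not from the operator project. Assumed names: namespace
# "cassandra", service account "cassandra-operator-pods".
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: cassandra-extra-caps
spec:
  # Only what the generated pod spec needs (see the error quoted above):
  privileged: true          # the init container runs privileged
  allowedCapabilities:
    - IPC_LOCK              # mlock/mlockall
    - SYS_RESOURCE          # ulimit adjustments
  # Everything else stays restrictive (no host namespaces, no hostPath).
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim]
---
# Grant "use" on this PSP only to the Cassandra pods' service account, so the
# loosening is scoped to one namespace and one identity, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-cassandra-extra-caps
  namespace: cassandra
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [cassandra-extra-caps]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-cassandra-extra-caps
  namespace: cassandra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-cassandra-extra-caps
subjects:
  - kind: ServiceAccount
    name: cassandra-operator-pods
    namespace: cassandra
```

After the pod is admitted, the policy that validated it is recorded in the pod's kubernetes.io/psp annotation, which is what the grep in the command above surfaces.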

@DestyNova

Thanks @johananl! I don't have access now, but I'll try that tomorrow 👍

@DestyNova

@johananl I'm not sure what the version is, but:

image: gcr.io/cassandra-operator/cassandra-operator:latest
    imageID: docker-pullable://gcr.io/cassandra-operator/cassandra-operator@sha256:bf3a2d21f4036a9bc267c66bb4ed3fd6da0a8d94ec6db2b021ce6bb3bb3474b4

@johananl
Contributor Author

johananl commented Sep 4, 2019

Fixed in #269.

@johananl johananl closed this as completed Sep 6, 2019