fix(collector): default fsGroup when volumeClaimTemplates are present#5106
fix(collector): default fsGroup when volumeClaimTemplates are present#5106ozzywalsh wants to merge 4 commits into
Conversation
|
Is there any reasoning behind picking 65532 for the GID? |
I think there is a convention for distroless container images to do that for non-root users. |
|
If we want to make the pvcs writable by default, then we should probably add an e2e test that verifies this. |
frzifus
left a comment
There was a problem hiding this comment.
What will happen when I mount a volume to persist my sending queue with the current version fsgroup: 0 and run an operator upgrade and the default fsgroup will change?
Shouldnt the collector in that case have permission issues?
| @@ -1,16 +1,20 @@ | |||
| # One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' | |||
| change_type: enhancement | |||
| change_type: bug_fix | |||
There was a problem hiding this comment.
I wonder if that should be marked as breaking. Depending on the current configuration.
Please add some e2e tests.
Collectors using persistent storage via volumeClaimTemplates can fail with "permission denied" on PVC mounts when running as a non-root user without fsGroup set. The mutating webhook now defaults podSecurityContext.fsGroup to 65532 (the upstream collector image's nonroot UID) when VCTs are present and no fsGroup is configured. An explicitly set fsGroup is never overwritten.
79a2946 to
f67d6dc
Compare
E2E Test Results 38 files 271 suites 2h 22m 23s ⏱️ Results for commit bc372e4. ♻️ This comment has been updated with latest results. |
|
@frzifus @swiatekm I can for example add an assertion to this e2e test to check the produced A test that actually attempts to write to the container would be nice. But I'm not sure if that's feasible on kind. From my investigation; it seems like kinds storage provisioner doesn't replicate the same permissions one would see in a production environment. See below for example. I'm open to correction if this is wrong. |
|
I'm really not sure we should be doing this. Largely, it should be on the user to ensure their volumes have the right permissions. Maybe there's a point in favor of making this work out of the box for the default collector image we ship, but even then I'd find this default surprising. That it's a breaking change is another argument against. Thoughts @open-telemetry/operator-approvers ? |
On OpenShift, the restricted SCC injects fsGroup from the namespace range, but permissive SCCs (e.g. anyuid) do not. When a user grants privileges to the collector ServiceAccount, the effective SCC changes and PVC volumes become inaccessible due to missing group ownership. The controller now defaults podSecurityContext.fsGroup from the namespace's supplemental-groups annotation (falling back to uid-range) when running on OpenShift and no explicit fsGroup is configured. This follows the same pattern used by migtools/crane and istio/istio. An explicitly set fsGroup is never overwritten. Closes open-telemetry#5106
Summary
volumeClaimTemplates) fail withpermission deniedon PVC mounts when running as a non-root user withoutfsGroupset inpodSecurityContextpodSecurityContext.fsGroupto65532when VCTs are present and nofsGroupis configuredfsGroupis never overwrittenTest plan
TestCollectorDefaultingWebhook/StatefulSet_with_volumeClaimTemplates_gets_default_fsGroup— verifies webhook injectsfsGroup: 65532TestCollectorDefaultingWebhook/StatefulSet_with_volumeClaimTemplates_preserves_explicit_fsGroup— verifies user-set value is not overwrittenfile_storagesending queue +anyuidSCC — nofsGroupin CR. Webhook injectedfsGroup: 65532, pod started successfully with no permission errors. Same config without the fix crashes withopen /var/otelcol/storage/exporter_otlp_blackhole_traces: permission denied