diff --git a/Makefile b/Makefile
index 25b8fecd..477ffb52 100644
--- a/Makefile
+++ b/Makefile
@@ -117,9 +117,9 @@ test-all: clean-all install-ci-tools verify-gen lint metalint test-all-gen bins
 @echo "--- $@"
 .PHONY: test
-test: test-base
+test: install-ci-tools test-base
 @echo "--- $@"
- gocov convert $(coverfile) | gocov report
+ @PATH=$(combined_bin_paths):$(PATH) gocov convert $(coverfile) | gocov report
 .PHONY: test-e2e
 test-e2e:
diff --git a/pkg/k8sops/generators_test.go b/pkg/k8sops/generators_test.go
index 3f3e21de..12ceb218 100644
--- a/pkg/k8sops/generators_test.go
+++ b/pkg/k8sops/generators_test.go
@@ -353,6 +353,21 @@ func TestGenerateStatefulSet(t *testing.T) {
 assert.NoError(t, err)
 assert.NotNil(t, newSS)
 assert.Equal(t, ss, newSS)
+
+ // Make sure nil security context adds one with SYS_RESOURCE
+ ss = baseSS.DeepCopy()
+ ss.Spec.Template.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
+ Capabilities: &v1.Capabilities{
+ Add: []v1.Capability{v1.Capability("SYS_RESOURCE")},
+ },
+ }
+ fixture = getFixture("testM3DBCluster.yaml", t)
+ fixture.Spec.SecurityContext = nil
+
+ newSS, err = GenerateStatefulSet(fixture, isolationGroup, *instanceAmount)
+ assert.NoError(t, err)
+ assert.NotNil(t, newSS)
+ assert.Equal(t, ss, newSS)
 }
 func TestGenerateM3DBService(t *testing.T) {
diff --git a/pkg/k8sops/statefulset.go b/pkg/k8sops/statefulset.go
index 757fe697..deffd6ed 100644
--- a/pkg/k8sops/statefulset.go
+++ b/pkg/k8sops/statefulset.go
@@ -39,6 +39,7 @@ import (
 const (
 podIdentityVolumePath = "/etc/m3db/pod-identity"
 podIdentityVolumeName = "pod-identity"
+ capabilitySysResource = v1.Capability("SYS_RESOURCE")
 )
 var (
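Review bot: The case added to TestGenerateStatefulSet in pkg/k8sops/generators_test.go pins only the nil path; nothing in this hunk checks that a cluster supplying its own SecurityContext, including an empty one, has it passed through without SYS_RESOURCE being added. That pass-through is the only way an operator can decline the extra capability, so it deserves a second case, e.g. `fixture.Spec.SecurityContext = &v1.SecurityContext{}` followed by an `assert.Equal` against that same value on `Containers[0]`. The earlier part of the test lies outside the hunk and may already cover a non-nil fixture value; if it does, a one-line comment saying so next to the new case would be enough.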
@@ -46,8 +47,6 @@ var (
 errEmptyNodeAffinityValues = errors.New("node affinity term values cannot be empty")
 )
-// NewBaseProbe returns a probe configured for default ports.
-
 // NewBaseStatefulSet returns a base configured stateful set.
 func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBCluster, instanceCount int32) *appsv1.StatefulSet {
 ic := instanceCount
@@ -94,6 +93,17 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 },
 }
+ // If security context is nil, add one with SYS_RESOURCE (required to raise
+ // rlimit nofile from the process in container)
+ specSecurityCtx := cluster.Spec.SecurityContext
+ if specSecurityCtx == nil {
+ specSecurityCtx = &v1.SecurityContext{
+ Capabilities: &v1.Capabilities{
+ Add: []v1.Capability{capabilitySysResource},
+ },
+ }
+ }
+
 return &appsv1.StatefulSet{
 ObjectMeta: metav1.ObjectMeta{
 Name: ssName,
@@ -117,7 +127,7 @@ func NewBaseStatefulSet(ssName, isolationGroup string, cluster *myspec.M3DBClust
 Containers: []v1.Container{
 {
 Name: ssName,
- SecurityContext: cluster.Spec.SecurityContext,
+ SecurityContext: specSecurityCtx,
 ReadinessProbe: probeReady,
 LivenessProbe: probeHealth,
 Command: []string{
diff --git a/tools.json b/tools.json
index 36b2b892..b28b3128 100644
--- a/tools.json
+++ b/tools.json
@@ -35,6 +35,10 @@
 {
 "Repository": "github.com/kubernetes/kube-openapi/cmd/openapi-gen",
 "Commit": "b52b5b0f5a7c473a00ca5580c49c83449146ac17"
+ },
+ {
+ "Repository": "github.com/axw/gocov",
+ "Commit": "b6eca663ebb7e7ef9798914d19f53ba2c6f74c96"
 }
 ],
 "RetoolVersion": "1.3.7"
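Review bot: The nil check added to NewBaseStatefulSet (hunk at -94) turns an unset SecurityContext into a default grant of SYS_RESOURCE for every cluster, and its comment says neither how to opt out nor what happens when the user supplies a context of their own. CAP_SYS_RESOURCE covers more than raising RLIMIT_NOFILE (it also lifts other resource limits and quota checks), so the default should be documented as a privilege grant rather than a tuning detail. As written, a non-nil context is used unchanged, so a cluster that sets only, say, `runAsUser` silently runs without the capability, while an empty context is the only opt-out. I would extend the comment with `// Only applied when Spec.SecurityContext is nil; a user-supplied context is used as-is and must add SYS_RESOURCE itself.` and repeat that on the spec field's documentation, which is not visible here. The function begins and ends outside the hunk, and the following hunk at -117 only wires `specSecurityCtx` into the container.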