Don't run init container as root and avoid chmod and chowning (#282)

# Description

This is a first test to build the operator image

https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/hdfs-operator-it-custom/30/



Co-authored-by: maltesander <malte.sander.it@gmail.com>
Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

Author: maltesander

rust/operator/src/hdfs_controller.rs

@@ -383,7 +383,7 @@ fn rolegroup_statefulset(
         }
         HdfsRole::JournalNode => {
             replicas = hdfs.rolegroup_journalnode_replicas(rolegroup_ref)?;
-            init_containers = journalnode_init_containers(hadoop_container);
+            init_containers = None;
             containers = journalnode_containers(rolegroup_ref, hadoop_container, &resources)?;
         }
     }
@@ -408,8 +408,8 @@ fn rolegroup_statefulset(
             service_account: Some(rbac_sa.to_string()),
             security_context: Some(
                 PodSecurityContextBuilder::new()
-                    .run_as_user(rbac::HDFS_UID)
-                    .run_as_group(0)
+                    .run_as_user(1000)
+                    .run_as_group(1000)
                     .fs_group(1000) // Needed for secret-operator
                     .build(),
             ),
@@ -622,15 +622,13 @@ fn datanode_init_containers(
     namenode_podrefs: &[HdfsPodRef],
     hadoop_container: &Container,
 ) -> Option<Vec<Container>> {
-    Some(vec![
-        chown_init_container(&HdfsNodeDataDirectory::default().datanode, hadoop_container),
-        Container {
-            name: "wait-for-namenodes".to_string(),
-            args: Some(vec![
-                "sh".to_string(),
-                "-c".to_string(),
-                format!(
-                    "
+    Some(vec![Container {
+        name: "wait-for-namenodes".to_string(),
+        args: Some(vec![
+            "sh".to_string(),
+            "-c".to_string(),
+            format!(
+                "
                 echo \"Waiting for namenodes to get ready:\"
                 n=0
                 while [ ${{n}} -lt 12 ];
@@ -658,32 +656,23 @@ fn datanode_init_containers(
                   sleep 5
                 done
             ",
-                    hadoop_home = HADOOP_HOME,
-                    pod_names = namenode_podrefs
-                        .iter()
-                        .map(|pod_ref| pod_ref.pod_name.as_ref())
-                        .collect::<Vec<&str>>()
-                        .join(" ")
-                ),
-            ]),
-            ..hadoop_container.clone()
-        },
-    ])
-}
-
-fn journalnode_init_containers(hadoop_container: &Container) -> Option<Vec<Container>> {
-    Some(vec![chown_init_container(
-        &HdfsNodeDataDirectory::default().journalnode,
-        hadoop_container,
-    )])
+                hadoop_home = HADOOP_HOME,
+                pod_names = namenode_podrefs
+                    .iter()
+                    .map(|pod_ref| pod_ref.pod_name.as_ref())
+                    .collect::<Vec<&str>>()
+                    .join(" ")
+            ),
+        ]),
+        ..hadoop_container.clone()
+    }])
 }
 
 fn namenode_init_containers(
     namenode_podrefs: &[HdfsPodRef],
     hadoop_container: &Container,
 ) -> Option<Vec<Container>> {
     Some(vec![
-    chown_init_container(&HdfsNodeDataDirectory::default().namenode, hadoop_container),
     Container {
         name: "format-namenode".to_string(),
         args: Some(vec![
@@ -733,6 +722,7 @@ fn namenode_init_containers(
         ]),
         security_context: Some(SecurityContext {
             run_as_user: Some(1000),
+            run_as_group: Some(1000),
             ..SecurityContext::default()
         }),
         ..hadoop_container.clone()
@@ -749,27 +739,6 @@ fn namenode_init_containers(
     ])
 }
 
-/// Creates a container that chowns and chmods the provided `node_dir`.
-fn chown_init_container(node_dir: &str, hadoop_container: &Container) -> Container {
-    Container {
-        name: "chown-data".to_string(),
-        args: Some(vec![
-            "sh".to_string(),
-            "-c".to_string(),
-            format!(
-                "mkdir -p {node_dir} && chown -R stackable:stackable {data_dir} && chmod -R a=,u=rwX {data_dir}",
-                node_dir = node_dir,
-                data_dir = ROOT_DATA_DIR
-            ),
-        ]),
-        security_context: Some(SecurityContext {
-            run_as_user: Some(0),
-            ..SecurityContext::default()
-        }),
-        ..hadoop_container.clone()
-    }
-}
-
 /// Creates a probe for [`stackable_operator::k8s_openapi::api::core::v1::TCPSocketAction`]
 /// for liveness or readiness probes
 fn tcp_socket_action_probe(

rust/operator/src/rbac.rs

@@ -4,9 +4,6 @@ use stackable_operator::k8s_openapi::api::core::v1::ServiceAccount;
 use stackable_operator::k8s_openapi::api::rbac::v1::{RoleBinding, RoleRef, Subject};
 use stackable_operator::kube::{Resource, ResourceExt};
 
-/// Used as runAsUser in the pod security context. This is specified in the Hadoop image file
-pub const HDFS_UID: i64 = 1000;
-
 /// Build RBAC objects for the product workloads.
 /// The `rbac_prefix` is meant to be the product name, for example: zookeeper, airflow, etc.
 /// and it is a assumed that a ClusterRole named `hdfs-clusterrole` exists.