diff --git a/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md b/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md
new file mode 100644
index 000000000..5e967e706
--- /dev/null
+++ b/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md
@@ -0,0 +1,6 @@
+---
+kind: fix
+date: 2025-10-01
+---
+
+* **MongoDB Kubernetes Operator**: Operator crashed when `securityContext.readOnlyRootFilesystem=true` was set, because it was trying to create `/tmp/k8s-webhook-server` directory that was unmounted.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 7483d955f..79b8a2977 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -33,6 +33,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -313,3 +316,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
diff --git a/helm_chart/templates/operator.yaml b/helm_chart/templates/operator.yaml
index 6e54112ce..c67a925dc 100644
--- a/helm_chart/templates/operator.yaml
+++ b/helm_chart/templates/operator.yaml
@@ -36,6 +36,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -64,8 +66,10 @@ spec:
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
 {{- end }}
- {{- if .Values.multiCluster.clusters }}
 volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
+ {{- if .Values.multiCluster.clusters }}
 - mountPath: /etc/config/kubeconfig
 name: kube-config-volume
 {{- end }}
@@ -79,6 +83,7 @@ spec:
 {{- if not .Values.managedSecurityContext }}
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
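Review bot: The manager.yaml hunk at @@ -33 adds the /tmp/k8s-webhook-server mount but, unlike the chart hunk at @@ -79 and the public mongodb-kubernetes and multi-cluster manifests, does not set `readOnlyRootFilesystem: true` (nor `runAsGroup`/`fsGroup`) on the operator container, so users of the kustomize base get only the mount and not the hardening the chart now turns on by default. The container securityContext for this Deployment is outside the hunk, so it may already carry the setting; if it does not, adding `readOnlyRootFilesystem: true` there keeps the kustomize and chart outputs equivalent. The public/mongodb-kubernetes-openshift.yaml hunk at @@ -339 has the same gap; if that omission is deliberate because the OpenShift SCC assigns the uid/gid fields, a short comment next to the new mount saying so would spare the next reader the question.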
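Review bot: The new `webhook-server-dir` volume in the manager.yaml hunk at @@ -313 is a plain `emptyDir: {}`, which is backed by node disk and has no size cap; if /tmp/k8s-webhook-server is controller-runtime's default webhook cert directory, the operator's generated TLS serving key is written there — TODO confirm against the operator's webhook setup. Backing it with memory and capping it, `emptyDir: {medium: Memory, sizeLimit: 16Mi}` (limit value illustrative), keeps the key off the node's disk and bounds what the directory can consume; with `medium: Memory` the contents count against the container's memory limit, which is small for a cert pair. The same `emptyDir: {}` appears in the chart hunk at @@ -290, the multi-cluster hunk at @@ -445, the openshift hunk at @@ -617 and the mongodb-kubernetes hunk at @@ -440, so whichever form is chosen should be applied to all five.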
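Review bot: `readOnlyRootFilesystem: true` in the chart hunk at @@ -79 turns what the changelog describes as a user-set option into the chart's default for every install where `managedSecurityContext` is false, which is broader than the crash fix the changelog entry records; any other location the operator writes at runtime (other paths under /tmp, a home or cache directory) would now fail on a default install rather than only on an opt-in. Worth confirming the operator has no other runtime write paths and stating the new default in the changelog entry so upgraders are not surprised. Because the line sits under `{{- if not .Values.managedSecurityContext }}`, chart users on OpenShift do not receive it, which matches the public openshift manifest; a one-line comment above it, `# default hardening; /tmp/k8s-webhook-server is the only writable path the operator needs`, would document the intent if that statement holds.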
@@ -290,13 +295,15 @@ spec: value: '{{ (split "=" .)._1 }}' {{- end }} {{- end }} -{{- if .Values.multiCluster.clusters }} volumes: + - name: webhook-server-dir + emptyDir: {} + {{- if .Values.multiCluster.clusters }} - name: kube-config-volume secret: defaultMode: 420 secretName: {{ .Values.multiCluster.kubeConfigSecretName }} -{{- end }} + {{- end }} {{- with .Values.operator }} {{- with .nodeSelector }}
diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml
index 2e5cb638e..41265f4db 100644
--- a/public/mongodb-kubernetes-multi-cluster.yaml
+++ b/public/mongodb-kubernetes-multi-cluster.yaml
@@ -329,6 +329,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 containers:
@@ -346,6 +348,8 @@ spec:
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
 volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 - mountPath: /etc/config/kubeconfig
 name: kube-config-volume
 resources:
@@ -357,6 +361,7 @@ spec:
 memory: 200Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
@@ -445,6 +450,8 @@ spec:
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
 volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
 - name: kube-config-volume
 secret:
 defaultMode: 420
diff --git a/public/mongodb-kubernetes-openshift.yaml b/public/mongodb-kubernetes-openshift.yaml
index 6de50f25f..b79d118d2 100644
--- a/public/mongodb-kubernetes-openshift.yaml
+++ b/public/mongodb-kubernetes-openshift.yaml
@@ -339,6 +339,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -617,3 +620,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml
index 16872c440..73dba89a5 100644
--- a/public/mongodb-kubernetes.yaml
+++ b/public/mongodb-kubernetes.yaml
@@ -329,6 +329,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 containers:
@@ -344,6 +346,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -353,6 +358,7 @@ spec:
 memory: 200Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
@@ -440,3 +446,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}