Kafka and Zookeeper are not running with non-root user

[yogeshbidari]

Please use this to only for bug reports. For questions or when you need help, you can use the GitHub Discussions, our #strimzi Slack channel or out user mailing list.

Describe the bug
While I am creating the cluster for kafka and zookeeper with not root user using runAsUser: 1001, the pods are failing with some permission issues.
I want to mount the voulme also as non root user, like fsGroup other then 0.

To Reproduce
Run the kafka CRD with below SecurityContext added to kafka and zookeeper section
securityContext: runAsUser: 1001 fsGroup: 1001

Expected behavior
Kafka and zookeeper should run with non root user and non root group.
The below code should work:
securityContext: runAsUser: 1001 fsGroup: 1001
Does it support runAsGroup ?

Environment (please complete the following information):

• Strimzi version: [0.22.1]
• Installation method: operator via Helm chart, CRD via yaml file
• Kubernetes cluster: 1.18.17
• Infrastructure: GKE

YAML files and logs

LOG
2021-06-01 06:22:42,378 INFO [ThrottledChannelReaper-Fetch]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Fetch] 2021-06-01 06:22:42,379 INFO [ThrottledChannelReaper-Produce]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Produce] 2021-06-01 06:22:42,383 INFO [ThrottledChannelReaper-Request]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Request] 2021-06-01 06:22:42,448 INFO Log directory /var/lib/kafka/data/kafka-log0 not found, creating it. (kafka.log.LogManager) [main] 2021-06-01 06:22:42,450 ERROR Failed to create or validate data directory /var/lib/kafka/data/kafka-log0 (kafka.server.LogDirFailureChannel) [main] java.io.IOException: Failed to create data directory /var/lib/kafka/data/kafka-log0 at kafka.log.LogManager.$anonfun$createAndValidateLogDirs$1(LogManager.scala:155) at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:62) at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:55) at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:49) at kafka.log.LogManager.createAndValidateLogDirs(LogManager.scala:146) at kafka.log.LogManager.<init>(LogManager.scala:80) at kafka.log.LogManager$.apply(LogManager.scala:1084) at kafka.server.KafkaServer.startup(KafkaServer.scala:253) at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44) at kafka.Kafka$.main(Kafka.scala:82) at kafka.Kafka.main(Kafka.scala)

Additional context
Additional documents on adding runAsGroup to kafka, zookeeper, exporter, entity-operator CRDs.

[scholzj]

The containers do not run as root by default. So normally, you should not need to configure anything. But if you want, you can customize the security context as you want. However, you / your platform need to make sure that the storage is writable under such configuration.

[scholzj]

My understanding is that the group id 0 has (unlike the user id 0) nothing to do with root privileges. But as I said, you can run it as whatever user and group you want, but it is your / your platform responsibility to make sure the volumes are writable under this configuration. There is nothing we can do about it (since we are not running as root and cannot change the access rights / ownership even if we wanted to ;-))

[yogeshbidari]

I am planning to build the image with new group.

Is there any we can add securityContext to strimzi-cluster-operator pod to add runAsUser, runAsGroup and fsGroup?

[scholzj]

You mean how to set the security context for the operator it self? You can just edit the deployment of the operator when you are installing it.

[yogeshbidari]

Yes, I am talking about security context for the operator it self.
I am installing it via Helm.

Is there any way we can set it in values.yaml or something similar?

[scholzj]

I'm not a Helm user. I do not think our Helm Chart supports it (but feel free to open some PR) and I have no clue if Helm has some general way to configure this.