From d6dc4c8c3529601931af493774eb2c20870846be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kara=C5=9B?=
Date: Wed, 1 Oct 2025 15:47:16 +0200
Subject: [PATCH 1/2] Fixes Operator crash when `securityContext.readOnlyRootFilesystem=true`
---
 config/manager/manager.yaml | 6 ++++++
 helm_chart/templates/operator.yaml | 13 ++++++++++---
 public/mongodb-kubernetes-multi-cluster.yaml | 7 +++++++
 public/mongodb-kubernetes-openshift.yaml | 6 ++++++
 public/mongodb-kubernetes.yaml | 9 +++++++++
 5 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 7483d955f..79b8a2977 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -33,6 +33,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -313,3 +316,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
diff --git a/helm_chart/templates/operator.yaml b/helm_chart/templates/operator.yaml
index 6e54112ce..c67a925dc 100644
--- a/helm_chart/templates/operator.yaml
+++ b/helm_chart/templates/operator.yaml
@@ -36,6 +36,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -64,8 +66,10 @@ spec:
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
 {{- end }}
- {{- if .Values.multiCluster.clusters }}
 volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
+ {{- if .Values.multiCluster.clusters }}
 - mountPath: /etc/config/kubeconfig
 name: kube-config-volume
 {{- end }}
@@ -79,6 +83,7 @@ spec:
 {{- if not .Values.managedSecurityContext }}
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
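Review bot: `config/manager/manager.yaml` (hunks @@ -33 and @@ -313) and `public/mongodb-kubernetes-openshift.yaml` (@@ -339) receive the writable `webhook-server-dir` mount but not `readOnlyRootFilesystem: true`, which the chart (helm_chart @@ -79) and the other two public manifests now set, so those two deliverables keep a writable root filesystem while the chart is hardened. If the kustomize base carries a container securityContext outside this hunk, it should gain `readOnlyRootFilesystem: true` there so base, chart and generated manifests enforce the same policy. For the OpenShift manifest, where an SCC is presumably expected to supply the security context, a one-line comment next to the mount recording that expectation would keep the divergence from looking accidental. The container spec these hunks belong to starts and ends outside the visible lines.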
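Review bot: The `webhook-server-dir` emptyDir introduced at @@ -313 has no `sizeLimit`; in the manifests that also set `readOnlyRootFilesystem: true` it becomes the container's only writable path, so it is the one place a runaway write could consume the node's ephemeral storage. A small cap, e.g. `emptyDir:` / `  sizeLimit: 16Mi` (constructed value; size it to what the webhook server actually writes there), bounds that, and if the directory holds the webhook's serving key material, as its name suggests, `medium: Memory` additionally keeps it off node disk at the cost of counting against the container's memory limit. The same bare `emptyDir: {}` appears in helm_chart @@ -290, mongodb-kubernetes-multi-cluster.yaml @@ -445, mongodb-kubernetes-openshift.yaml @@ -617 and mongodb-kubernetes.yaml @@ -440 and should be changed in step.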
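Review bot: Only `/tmp/k8s-webhook-server` is made writable at helm_chart @@ -64, so once `readOnlyRootFilesystem: true` at @@ -79 is in effect any other write the operator binary makes under `/tmp` fails at runtime rather than at install time; the narrow mount is the stricter and preferable choice, but it deserves a startup smoke test under the hardened settings and a template comment beside the mount recording the intent, e.g. `{{- /* only the webhook cert dir is writable; the rest of the root filesystem is read-only */ -}}`. Note also that `readOnlyRootFilesystem` is gated on `not .Values.managedSecurityContext`, so the hardening is silently absent whenever a platform-managed security context is selected; that trade-off is worth a sentence in the chart's values documentation. The container securityContext block continues outside the hunk.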
@@ -290,13 +295,15 @@ spec:
 value: '{{ (split "=" .)._1 }}'
 {{- end }}
 {{- end }}
-{{- if .Values.multiCluster.clusters }}
 volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
+ {{- if .Values.multiCluster.clusters }}
 - name: kube-config-volume
 secret:
 defaultMode: 420
 secretName: {{ .Values.multiCluster.kubeConfigSecretName }}
-{{- end }}
+ {{- end }}
 {{- with .Values.operator }}
 {{- with .nodeSelector }}
diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml
index 2e5cb638e..41265f4db 100644
--- a/public/mongodb-kubernetes-multi-cluster.yaml
+++ b/public/mongodb-kubernetes-multi-cluster.yaml
@@ -329,6 +329,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 containers:
@@ -346,6 +348,8 @@ spec:
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
 volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 - mountPath: /etc/config/kubeconfig
 name: kube-config-volume
 resources:
@@ -357,6 +361,7 @@ spec:
 memory: 200Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
@@ -445,6 +450,8 @@ spec:
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
 volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
 - name: kube-config-volume
 secret:
 defaultMode: 420
diff --git a/public/mongodb-kubernetes-openshift.yaml b/public/mongodb-kubernetes-openshift.yaml
index 6de50f25f..b79d118d2 100644
--- a/public/mongodb-kubernetes-openshift.yaml
+++ b/public/mongodb-kubernetes-openshift.yaml
@@ -339,6 +339,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -617,3 +620,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml
index 16872c440..73dba89a5 100644
--- a/public/mongodb-kubernetes.yaml
+++ b/public/mongodb-kubernetes.yaml
@@ -329,6 +329,8 @@ spec:
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
 seccompProfile:
 type: RuntimeDefault
 containers:
@@ -344,6 +346,9 @@ spec:
 - -watch-resource=clustermongodbroles
 command:
 - /usr/local/bin/mongodb-kubernetes-operator
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server
+ name: webhook-server-dir
 resources:
 limits:
 cpu: 1100m
@@ -353,6 +358,7 @@ spec:
 memory: 200Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
@@ -440,3 +446,6 @@ spec:
 value: "mongodb-search"
 - name: MDB_SEARCH_VERSION
 value: "0.53.1"
+ volumes:
+ - name: webhook-server-dir
+ emptyDir: {}
From 649cf97c07ae77e5f04dc5b50581da05a9d91f32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kara=C5=9B?=
Date: Wed, 1 Oct 2025 15:57:25 +0200
Subject: [PATCH 2/2] Add changelog
---
 ...1001_fix_operator_crash_when_readonly_root_filesystem.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md
diff --git a/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md b/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md
new file mode 100644
index 000000000..5e967e706
--- /dev/null
+++ b/changelog/20251001_fix_operator_crash_when_readonly_root_filesystem.md
@@ -0,0 +1,6 @@
+---
+kind: fix
+date: 2025-10-01
+---
+
+* **MongoDB Kubernetes Operator**: Operator crashed when `securityContext.readOnlyRootFilesystem=true` was set, because it was trying to create `/tmp/k8s-webhook-server` directory that was unmounted.