[Feature] Allow to change Pod Network and PID settings (#1195)

CHANGELOG.md

@@ -30,6 +30,7 @@
 - (Improvement) Add Resource kerror Type
 - (Bugfix) Do not block reconciliation in case of Resource failure
 - (Improvement) Multi-arch support for ID member
+- (Feature) Allow to change Pod Network and PID settings
 
 ## [1.2.20](https://github.com/arangodb/kube-arangodb/tree/1.2.20) (2022-10-25)
 - (Feature) Add action progress

pkg/apis/deployment/v1/server_group_spec.go

@@ -157,6 +157,9 @@ type ServerGroupSpec struct {
 	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 	// IndexMethod define group Indexing method
 	IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"`
+
+	// PodModes define additional modes enabled on the Pod level
+	PodModes *ServerGroupSpecPodMode `json:"podModes,omitempty"`
 }
 
 // ServerGroupProbesSpec contains specification for probes for pods of the server group

pkg/apis/deployment/v1/server_group_spec_network_mode.go

@@ -0,0 +1,63 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import "github.com/arangodb/kube-arangodb/pkg/util/errors"
+
+// ServerGroupNetworkMode is used to define Network mode of the Pod
+type ServerGroupNetworkMode string
+
+const (
+	// ServerGroupNetworkModePod enable Pod level isolation of the network, default
+	ServerGroupNetworkModePod ServerGroupNetworkMode = "pod"
+
+	// ServerGroupNetworkModeHost enable Host level network access to the Pod
+	ServerGroupNetworkModeHost ServerGroupNetworkMode = "host"
+
+	DefaultServerGroupNetworkMode = ServerGroupNetworkModePod
+)
+
+func (n *ServerGroupNetworkMode) Validate() error {
+	switch v := n.Get(); v {
+	case ServerGroupNetworkModePod, ServerGroupNetworkModeHost:
+		return nil
+	default:
+		return errors.WithStack(errors.Wrapf(ValidationError, "Unknown NetworkMode %s", v.String()))
+	}
+}
+
+func (n *ServerGroupNetworkMode) Get() ServerGroupNetworkMode {
+	if n == nil {
+		return DefaultServerGroupNetworkMode
+	}
+
+	return *n
+}
+
+func (n *ServerGroupNetworkMode) String() string {
+	return string(n.Get())
+}
+
+func (n *ServerGroupNetworkMode) New() *ServerGroupNetworkMode {
+	v := n.Get()
+
+	return &v
+}

pkg/apis/deployment/v1/server_group_spec_pid_mode.go

@@ -0,0 +1,64 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import "github.com/arangodb/kube-arangodb/pkg/util/errors"
+
+// ServerGroupPIDMode define Pod PID share strategy
+type ServerGroupPIDMode string
+
+const (
+	// ServerGroupPIDModeIsolated enable isolation of the Processes within Pod Container, default
+	ServerGroupPIDModeIsolated ServerGroupPIDMode = "isolated"
+	// ServerGroupPIDModePod enable isolation of the Processes on the Pod level. Processes started in this mode will have PID different from 1
+	ServerGroupPIDModePod ServerGroupPIDMode = "pod"
+	// ServerGroupPIDModeHost disable isolation of the Processes. Processes started in this mode are shared with the entire host
+	ServerGroupPIDModeHost ServerGroupPIDMode = "host"
+
+	DefaultServerGroupPIDMode = ServerGroupPIDModeIsolated
+)
+
+func (n *ServerGroupPIDMode) Validate() error {
+	switch v := n.Get(); v {
+	case ServerGroupPIDModeIsolated, ServerGroupPIDModePod, ServerGroupPIDModeHost:
+		return nil
+	default:
+		return errors.WithStack(errors.Wrapf(ValidationError, "Unknown PIDMode %s", v.String()))
+	}
+}
+
+func (n *ServerGroupPIDMode) Get() ServerGroupPIDMode {
+	if n == nil {
+		return DefaultServerGroupPIDMode
+	}
+
+	return *n
+}
+
+func (n *ServerGroupPIDMode) String() string {
+	return string(n.Get())
+}
+
+func (n *ServerGroupPIDMode) New() *ServerGroupPIDMode {
+	v := n.Get()
+
+	return &v
+}

pkg/apis/deployment/v1/server_group_spec_pod_modes.go

@@ -0,0 +1,74 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import (
+	core "k8s.io/api/core/v1"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+)
+
+type ServerGroupSpecPodMode struct {
+	Network *ServerGroupNetworkMode `json:"network,omitempty"`
+	PID     *ServerGroupPIDMode     `json:"pid,omitempty"`
+}
+
+func (s *ServerGroupSpecPodMode) GetNetwork() *ServerGroupNetworkMode {
+	if s == nil {
+		return nil
+	}
+
+	return s.Network
+}
+
+func (s *ServerGroupSpecPodMode) GetPID() *ServerGroupPIDMode {
+	if s == nil {
+		return nil
+	}
+
+	return s.PID
+}
+
+func (s *ServerGroupSpecPodMode) Validate() error {
+	return errors.Wrapf(errors.Errors(s.GetNetwork().Validate(), s.GetPID().Validate()), "Validation of Pod modes failed")
+}
+
+func (s *ServerGroupSpecPodMode) Apply(p *core.PodSpec) {
+	switch s.GetPID().Get() {
+	case ServerGroupPIDModeIsolated:
+	// Default, no change
+	case ServerGroupPIDModePod:
+		// Enable Pod shared namespaces
+		p.ShareProcessNamespace = util.NewBool(true)
+	case ServerGroupPIDModeHost:
+		// Enable Host shared namespaces
+		p.HostPID = true
+	}
+
+	switch s.GetNetwork().Get() {
+	case ServerGroupNetworkModePod:
+	// Default, no change
+	case ServerGroupNetworkModeHost:
+		// Enable Pod shared namespaces
+		p.HostNetwork = true
+	}
+}

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -2440,6 +2440,11 @@ func (in *ServerGroupSpec) DeepCopyInto(out *ServerGroupSpec) {
 		*out = new(ServerGroupIndexMethod)
 		**out = **in
 	}
+	if in.PodModes != nil {
+		in, out := &in.PodModes, &out.PodModes
+		*out = new(ServerGroupSpecPodMode)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -2453,6 +2458,32 @@ func (in *ServerGroupSpec) DeepCopy() *ServerGroupSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServerGroupSpecPodMode) DeepCopyInto(out *ServerGroupSpecPodMode) {
+	*out = *in
+	if in.Network != nil {
+		in, out := &in.Network, &out.Network
+		*out = new(ServerGroupNetworkMode)
+		**out = **in
+	}
+	if in.PID != nil {
+		in, out := &in.PID, &out.PID
+		*out = new(ServerGroupPIDMode)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerGroupSpecPodMode.
+func (in *ServerGroupSpecPodMode) DeepCopy() *ServerGroupSpecPodMode {
+	if in == nil {
+		return nil
+	}
+	out := new(ServerGroupSpecPodMode)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecurityContext) {
 	*out = *in

pkg/apis/deployment/v2alpha1/architecture.go

@@ -59,6 +59,28 @@ func (a ArangoDeploymentArchitecture) IsArchAllowed(arch ArangoDeploymentArchite
 	return false
 }
 
+func (a ArangoDeploymentArchitecture) AsNodeSelectorRequirement() core.NodeSelectorTerm {
+	var archs []string
+
+	if len(a) == 0 {
+		archs = append(archs, ArangoDeploymentArchitectureDefault.String())
+	} else {
+		for _, arch := range a {
+			archs = append(archs, arch.String())
+		}
+	}
+
+	return core.NodeSelectorTerm{
+		MatchExpressions: []core.NodeSelectorRequirement{
+			{
+				Key:      shared.NodeArchAffinityLabel,
+				Operator: "In",
+				Values:   archs,
+			},
+		},
+	}
+}
+
 type ArangoDeploymentArchitectureType string
 
 const (
@@ -83,6 +105,10 @@ func (a ArangoDeploymentArchitectureType) Validate() error {
 	}
 }
 
+func (a ArangoDeploymentArchitectureType) String() string {
+	return string(a)
+}
+
 func (a *ArangoDeploymentArchitectureType) Default(def ArangoDeploymentArchitectureType) ArangoDeploymentArchitectureType {
 	if a == nil {
 		return def
@@ -97,7 +123,7 @@ func (a ArangoDeploymentArchitectureType) AsNodeSelectorRequirement() core.NodeS
 			{
 				Key:      shared.NodeArchAffinityLabel,
 				Operator: "In",
-				Values:   []string{string(a)},
+				Values:   []string{a.String()},
 			},
 		},
 	}

pkg/apis/deployment/v2alpha1/server_group_spec.go

@@ -157,6 +157,9 @@ type ServerGroupSpec struct {
 	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 	// IndexMethod define group Indexing method
 	IndexMethod *ServerGroupIndexMethod `json:"indexMethod,omitempty"`
+
+	// PodModes define additional modes enabled on the Pod level
+	PodModes *ServerGroupSpecPodMode `json:"podModes,omitempty"`
 }
 
 // ServerGroupProbesSpec contains specification for probes for pods of the server group

pkg/apis/deployment/v2alpha1/server_group_spec_network_mode.go

@@ -0,0 +1,63 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v2alpha1
+
+import "github.com/arangodb/kube-arangodb/pkg/util/errors"
+
+// ServerGroupNetworkMode is used to define Network mode of the Pod
+type ServerGroupNetworkMode string
+
+const (
+	// ServerGroupNetworkModePod enable Pod level isolation of the network, default
+	ServerGroupNetworkModePod ServerGroupNetworkMode = "pod"
+
+	// ServerGroupNetworkModeHost enable Host level network access to the Pod
+	ServerGroupNetworkModeHost ServerGroupNetworkMode = "host"
+
+	DefaultServerGroupNetworkMode = ServerGroupNetworkModePod
+)
+
+func (n *ServerGroupNetworkMode) Validate() error {
+	switch v := n.Get(); v {
+	case ServerGroupNetworkModePod, ServerGroupNetworkModeHost:
+		return nil
+	default:
+		return errors.WithStack(errors.Wrapf(ValidationError, "Unknown NetworkMode %s", v.String()))
+	}
+}
+
+func (n *ServerGroupNetworkMode) Get() ServerGroupNetworkMode {
+	if n == nil {
+		return DefaultServerGroupNetworkMode
+	}
+
+	return *n
+}
+
+func (n *ServerGroupNetworkMode) String() string {
+	return string(n.Get())
+}
+
+func (n *ServerGroupNetworkMode) New() *ServerGroupNetworkMode {
+	v := n.Get()
+
+	return &v
+}

pkg/apis/deployment/v2alpha1/server_group_spec_pid_mode.go

@@ -0,0 +1,64 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v2alpha1
+
+import "github.com/arangodb/kube-arangodb/pkg/util/errors"
+
+// ServerGroupPIDMode define Pod PID share strategy
+type ServerGroupPIDMode string
+
+const (
+	// ServerGroupPIDModeIsolated enable isolation of the Processes within Pod Container, default
+	ServerGroupPIDModeIsolated ServerGroupPIDMode = "isolated"
+	// ServerGroupPIDModePod enable isolation of the Processes on the Pod level. Processes started in this mode will have PID different from 1
+	ServerGroupPIDModePod ServerGroupPIDMode = "pod"
+	// ServerGroupPIDModeHost disable isolation of the Processes. Processes started in this mode are shared with the entire host
+	ServerGroupPIDModeHost ServerGroupPIDMode = "host"
+
+	DefaultServerGroupPIDMode = ServerGroupPIDModeIsolated
+)
+
+func (n *ServerGroupPIDMode) Validate() error {
+	switch v := n.Get(); v {
+	case ServerGroupPIDModeIsolated, ServerGroupPIDModePod, ServerGroupPIDModeHost:
+		return nil
+	default:
+		return errors.WithStack(errors.Wrapf(ValidationError, "Unknown PIDMode %s", v.String()))
+	}
+}
+
+func (n *ServerGroupPIDMode) Get() ServerGroupPIDMode {
+	if n == nil {
+		return DefaultServerGroupPIDMode
+	}
+
+	return *n
+}
+
+func (n *ServerGroupPIDMode) String() string {
+	return string(n.Get())
+}
+
+func (n *ServerGroupPIDMode) New() *ServerGroupPIDMode {
+	v := n.Get()
+
+	return &v
+}

pkg/apis/deployment/v2alpha1/server_group_spec_pod_modes.go

@@ -0,0 +1,74 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v2alpha1
+
+import (
+	core "k8s.io/api/core/v1"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+)
+
+type ServerGroupSpecPodMode struct {
+	Network *ServerGroupNetworkMode `json:"network,omitempty"`
+	PID     *ServerGroupPIDMode     `json:"pid,omitempty"`
+}
+
+func (s *ServerGroupSpecPodMode) GetNetwork() *ServerGroupNetworkMode {
+	if s == nil {
+		return nil
+	}
+
+	return s.Network
+}
+
+func (s *ServerGroupSpecPodMode) GetPID() *ServerGroupPIDMode {
+	if s == nil {
+		return nil
+	}
+
+	return s.PID
+}
+
+func (s *ServerGroupSpecPodMode) Validate() error {
+	return errors.Wrapf(errors.Errors(s.GetNetwork().Validate(), s.GetPID().Validate()), "Validation of Pod modes failed")
+}
+
+func (s *ServerGroupSpecPodMode) Apply(p *core.PodSpec) {
+	switch s.GetPID().Get() {
+	case ServerGroupPIDModeIsolated:
+	// Default, no change
+	case ServerGroupPIDModePod:
+		// Enable Pod shared namespaces
+		p.ShareProcessNamespace = util.NewBool(true)
+	case ServerGroupPIDModeHost:
+		// Enable Host shared namespaces
+		p.HostPID = true
+	}
+
+	switch s.GetNetwork().Get() {
+	case ServerGroupNetworkModePod:
+	// Default, no change
+	case ServerGroupNetworkModeHost:
+		// Enable Pod shared namespaces
+		p.HostNetwork = true
+	}
+}

pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go

@@ -2440,6 +2440,11 @@ func (in *ServerGroupSpec) DeepCopyInto(out *ServerGroupSpec) {
 		*out = new(ServerGroupIndexMethod)
 		**out = **in
 	}
+	if in.PodModes != nil {
+		in, out := &in.PodModes, &out.PodModes
+		*out = new(ServerGroupSpecPodMode)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -2453,6 +2458,32 @@ func (in *ServerGroupSpec) DeepCopy() *ServerGroupSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServerGroupSpecPodMode) DeepCopyInto(out *ServerGroupSpecPodMode) {
+	*out = *in
+	if in.Network != nil {
+		in, out := &in.Network, &out.Network
+		*out = new(ServerGroupNetworkMode)
+		**out = **in
+	}
+	if in.PID != nil {
+		in, out := &in.PID, &out.PID
+		*out = new(ServerGroupPIDMode)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerGroupSpecPodMode.
+func (in *ServerGroupSpecPodMode) DeepCopy() *ServerGroupSpecPodMode {
+	if in == nil {
+		return nil
+	}
+	out := new(ServerGroupSpecPodMode)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecurityContext) {
 	*out = *in

pkg/deployment/resources/pod_creator_arangod.go

@@ -561,6 +561,8 @@ func (m *MemberArangoDPod) ApplyPodSpec(p *core.PodSpec) error {
 		p.SchedulerName = *s
 	}
 
+	m.groupSpec.PodModes.Apply(p)
+
 	return nil
 }
 

pkg/deployment/resources/pod_creator_sync.go

@@ -384,6 +384,8 @@ func (m *MemberSyncPod) ApplyPodSpec(spec *core.PodSpec) error {
 		spec.SchedulerName = *s
 	}
 
+	m.groupSpec.PodModes.Apply(spec)
+
 	return nil
 }