GoogleCloudPlatform
diff --git a/‎api/v1beta1/flinkcluster_default_test.go‎
Lines changed: 14 additions & 0 deletions b/‎api/v1beta1/flinkcluster_default_test.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎api/v1beta1/flinkcluster_types.go‎
Lines changed: 8 additions & 0 deletions b/‎api/v1beta1/flinkcluster_types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/crd/bases/flinkoperator.k8s.io_flinkclusters.yaml‎
Lines changed: 159 additions & 0 deletions b/‎config/crd/bases/flinkoperator.k8s.io_flinkclusters.yaml‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎config/samples/flinkoperator_v1beta1_flinksessioncluster.yaml‎
Lines changed: 3 additions & 0 deletions b/‎config/samples/flinkoperator_v1beta1_flinksessioncluster.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎controllers/flinkcluster_converter.go‎
Lines changed: 9 additions & 1 deletion b/‎controllers/flinkcluster_converter.go‎
Lines changed: 9 additions & 1 deletion
@@ -81,6 +81,7 @@ func TestSetDefault(t *testing.T) {
 				MemoryOffHeapMin:   defaultMemoryOffHeapMin,
 				Volumes:            nil,
 				VolumeMounts:       nil,
+				SecurityContext:    nil,
 			},
 			TaskManager: TaskManagerSpec{
 				Replicas: 0,
@@ -93,6 +94,7 @@ func TestSetDefault(t *testing.T) {
 				MemoryOffHeapRatio: &defaultMemoryOffHeapRatio,
 				MemoryOffHeapMin:   defaultMemoryOffHeapMin,
 				Volumes:            nil,
+				SecurityContext:    nil,
 			},
 			Job: &JobSpec{
 				AllowNonRestoredState: &defaultJobAllowNonRestoredState,
@@ -104,6 +106,7 @@ func TestSetDefault(t *testing.T) {
 					AfterJobFails:     "KeepCluster",
 					AfterJobCancelled: "DeleteCluster",
 				},
+				SecurityContext: nil,
 			},
 			FlinkProperties: nil,
 			HadoopConfig: &HadoopConfig{
@@ -138,6 +141,11 @@ func TestSetNonDefault(t *testing.T) {
 	var jobManagerIngressTLSUse = true
 	var memoryOffHeapRatio = int32(50)
 	var memoryOffHeapMin = resource.MustParse("600M")
+	var securityContextUserGroup = int64(9999)
+	var securityContext = corev1.PodSecurityContext{
+		RunAsUser:  &securityContextUserGroup,
+		RunAsGroup: &securityContextUserGroup,
+	}
 	var cluster = FlinkCluster{
 		TypeMeta:   metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{},
@@ -164,6 +172,7 @@ func TestSetNonDefault(t *testing.T) {
 				MemoryOffHeapMin:   memoryOffHeapMin,
 				Volumes:            nil,
 				VolumeMounts:       nil,
+				SecurityContext:    &securityContext,
 			},
 			TaskManager: TaskManagerSpec{
 				Replicas: 0,
@@ -176,12 +185,14 @@ func TestSetNonDefault(t *testing.T) {
 				MemoryOffHeapRatio: &memoryOffHeapRatio,
 				MemoryOffHeapMin:   memoryOffHeapMin,
 				Volumes:            nil,
+				SecurityContext:    &securityContext,
 			},
 			Job: &JobSpec{
 				AllowNonRestoredState: &jobAllowNonRestoredState,
 				Parallelism:           &jobParallelism,
 				NoLoggingToStdout:     &jobNoLoggingToStdout,
 				RestartPolicy:         &jobRestartPolicy,
+				SecurityContext:       &securityContext,
 				CleanupPolicy: &CleanupPolicy{
 					AfterJobSucceeds:  "DeleteTaskManagers",
 					AfterJobFails:     "DeleteCluster",
@@ -225,6 +236,7 @@ func TestSetNonDefault(t *testing.T) {
 				MemoryOffHeapMin:   memoryOffHeapMin,
 				Volumes:            nil,
 				VolumeMounts:       nil,
+				SecurityContext:    &securityContext,
 			},
 			TaskManager: TaskManagerSpec{
 				Replicas: 0,
@@ -237,12 +249,14 @@ func TestSetNonDefault(t *testing.T) {
 				MemoryOffHeapRatio: &memoryOffHeapRatio,
 				MemoryOffHeapMin:   memoryOffHeapMin,
 				Volumes:            nil,
+				SecurityContext:    &securityContext,
 			},
 			Job: &JobSpec{
 				AllowNonRestoredState: &jobAllowNonRestoredState,
 				Parallelism:           &jobParallelism,
 				NoLoggingToStdout:     &jobNoLoggingToStdout,
 				RestartPolicy:         &jobRestartPolicy,
+				SecurityContext:       &securityContext,
 				CleanupPolicy: &CleanupPolicy{
 					AfterJobSucceeds:  "DeleteTaskManagers",
 					AfterJobFails:     "DeleteCluster",
 
@@ -222,6 +222,9 @@ type JobManagerSpec struct {
 	// JobManager Deployment pod template annotations.
 	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
 
+	// SecurityContext of the JM pod.
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+
 	// JobManager Deployment pod template labels.
 	PodLabels map[string]string `json:"podLabels,omitempty"`
 }
@@ -292,6 +295,9 @@ type TaskManagerSpec struct {
 	// TaskManager Deployment pod template annotations.
 	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
 
+	// SecurityContext of the TM pod.
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+
 	// TaskManager Deployment pod template labels.
 	PodLabels map[string]string `json:"podLabels,omitempty"`
 }
@@ -396,6 +402,8 @@ type JobSpec struct {
 	// Cannot be updated.
 	// More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // FlinkClusterSpec defines the desired state of FlinkCluster
 
@@ -753,6 +753,59 @@ spec:
                   type: integer
                 savepointsDir:
                   type: string
+                securityContext:
+                  properties:
+                    fsGroup:
+                      format: int64
+                      type: integer
+                    fsGroupChangePolicy:
+                      type: string
+                    runAsGroup:
+                      format: int64
+                      type: integer
+                    runAsNonRoot:
+                      type: boolean
+                    runAsUser:
+                      format: int64
+                      type: integer
+                    seLinuxOptions:
+                      properties:
+                        level:
+                          type: string
+                        role:
+                          type: string
+                        type:
+                          type: string
+                        user:
+                          type: string
+                      type: object
+                    supplementalGroups:
+                      items:
+                        format: int64
+                        type: integer
+                      type: array
+                    sysctls:
+                      items:
+                        properties:
+                          name:
+                            type: string
+                          value:
+                            type: string
+                        required:
+                        - name
+                        - value
+                        type: object
+                      type: array
+                    windowsOptions:
+                      properties:
+                        gmsaCredentialSpec:
+                          type: string
+                        gmsaCredentialSpecName:
+                          type: string
+                        runAsUserName:
+                          type: string
+                      type: object
+                  type: object
                 volumeMounts:
                   items:
                     properties:
@@ -2001,6 +2054,59 @@ spec:
                         x-kubernetes-int-or-string: true
                       type: object
                   type: object
+                securityContext:
+                  properties:
+                    fsGroup:
+                      format: int64
+                      type: integer
+                    fsGroupChangePolicy:
+                      type: string
+                    runAsGroup:
+                      format: int64
+                      type: integer
+                    runAsNonRoot:
+                      type: boolean
+                    runAsUser:
+                      format: int64
+                      type: integer
+                    seLinuxOptions:
+                      properties:
+                        level:
+                          type: string
+                        role:
+                          type: string
+                        type:
+                          type: string
+                        user:
+                          type: string
+                      type: object
+                    supplementalGroups:
+                      items:
+                        format: int64
+                        type: integer
+                      type: array
+                    sysctls:
+                      items:
+                        properties:
+                          name:
+                            type: string
+                          value:
+                            type: string
+                        required:
+                        - name
+                        - value
+                        type: object
+                      type: array
+                    windowsOptions:
+                      properties:
+                        gmsaCredentialSpec:
+                          type: string
+                        gmsaCredentialSpecName:
+                          type: string
+                        runAsUserName:
+                          type: string
+                      type: object
+                  type: object
                 sidecars:
                   items:
                     properties:
@@ -3789,6 +3895,59 @@ spec:
                         x-kubernetes-int-or-string: true
                       type: object
                   type: object
+                securityContext:
+                  properties:
+                    fsGroup:
+                      format: int64
+                      type: integer
+                    fsGroupChangePolicy:
+                      type: string
+                    runAsGroup:
+                      format: int64
+                      type: integer
+                    runAsNonRoot:
+                      type: boolean
+                    runAsUser:
+                      format: int64
+                      type: integer
+                    seLinuxOptions:
+                      properties:
+                        level:
+                          type: string
+                        role:
+                          type: string
+                        type:
+                          type: string
+                        user:
+                          type: string
+                      type: object
+                    supplementalGroups:
+                      items:
+                        format: int64
+                        type: integer
+                      type: array
+                    sysctls:
+                      items:
+                        properties:
+                          name:
+                            type: string
+                          value:
+                            type: string
+                        required:
+                        - name
+                        - value
+                        type: object
+                      type: array
+                    windowsOptions:
+                      properties:
+                        gmsaCredentialSpec:
+                          type: string
+                        gmsaCredentialSpecName:
+                          type: string
+                        runAsUserName:
+                          type: string
+                      type: object
+                  type: object
                 sidecars:
                   items:
                     properties:
 
@@ -22,6 +22,9 @@ spec:
     pullPolicy: Always
   jobManager:
     accessScope: Cluster
+    securityContext:
+      runAsUser: 9999
+      runAsGroup: 9999
     ports:
       ui: 8081
     resources:
 
@@ -100,6 +100,7 @@ func getDesiredJobManagerDeployment(
 	var podLabels = getComponentLabels(*flinkCluster, "jobmanager")
 	podLabels = mergeLabels(podLabels, jobManagerSpec.PodLabels)
 	var deploymentLabels = mergeLabels(podLabels, getRevisionHashLabels(flinkCluster.Status))
+	var securityContext = jobManagerSpec.SecurityContext
 	// Make Volume, VolumeMount to use configMap data for flink-conf.yaml, if flinkProperties is provided.
 	var volumes []corev1.Volume
 	var volumeMounts []corev1.VolumeMount
@@ -201,8 +202,8 @@ func getDesiredJobManagerDeployment(
 		NodeSelector:     jobManagerSpec.NodeSelector,
 		Tolerations:      jobManagerSpec.Tolerations,
 		ImagePullSecrets: imageSpec.PullSecrets,
+		SecurityContext:  securityContext,
 	}
-
 	var jobManagerDeployment = &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:       clusterNamespace,
@@ -392,6 +393,9 @@ func getDesiredTaskManagerDeployment(
 	var podLabels = getComponentLabels(*flinkCluster, "taskmanager")
 	podLabels = mergeLabels(podLabels, taskManagerSpec.PodLabels)
 	var deploymentLabels = mergeLabels(podLabels, getRevisionHashLabels(flinkCluster.Status))
+
+	var securityContext = taskManagerSpec.SecurityContext
+
 	// Make Volume, VolumeMount to use configMap data for flink-conf.yaml
 	var volumes []corev1.Volume
 	var volumeMounts []corev1.VolumeMount
@@ -492,6 +496,7 @@ func getDesiredTaskManagerDeployment(
 		NodeSelector:     taskManagerSpec.NodeSelector,
 		Tolerations:      taskManagerSpec.Tolerations,
 		ImagePullSecrets: imageSpec.PullSecrets,
+		SecurityContext:  securityContext,
 	}
 	var taskManagerDeployment = &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -628,6 +633,8 @@ func getDesiredJob(
 	}
 	jobArgs = append(jobArgs, "--detached")
 
+	var securityContext = jobSpec.SecurityContext
+
 	var envVars = []corev1.EnvVar{}
 
 	// If the JAR file is remote, put the URI in the env variable
@@ -700,6 +707,7 @@ func getDesiredJob(
 		RestartPolicy:    corev1.RestartPolicyNever,
 		Volumes:          volumes,
 		ImagePullSecrets: imageSpec.PullSecrets,
+		SecurityContext:  securityContext,
 	}
 
 	// Disable the retry mechanism of k8s Job, all retires should be initiated