Support setting the security context and pod topology spread constraints for Milvus components

[bcbrockway]

For security reasons, we use Kyverno's admission controller on our cluster to ensure that certain Linux capabilities are dropped and that containers run as non-root, along with other policies. While we can change the security contexts of the components using the Bitnami Helm charts (etcd, Kafka, etc.) we are unable to do this for MinIO and the Milvus components.

In addition, in order to improve resiliency, we would like to be able to set Pod Topology Spread Constraints for the same components.

This is a feature request to expose these through the Milvus CRD.

[haorenfsa]

In milvus-operator we can support this for Milvus components.
By default milvus-operator uses minio chart in https://github.com/zilliztech/milvus-helm/tree/master/charts/minio. So we also need a patch for milvus-helm. Or does bitnami provide a helm chart for MinIO, too?

[bcbrockway]

does bitnami provide a helm chart for MinIO, too?

Looks like it: https://github.com/bitnami/charts/tree/main/bitnami/minio. Was there not a specific reason for using your own one?

[haorenfsa]

Hi @bcbrockway, I just talked a previous maintainer. There're some bug fixes added to this chart , that're not merged by bitnami at that time, so they decided to maintain a fork by themselves.

[bcbrockway]

Thanks @haorenfsa. Should I raise an issue there for the MinIO changes?

Also, FYI, I also added Pod Topology Spread Constraints as a request to this ticket since it's a very similar type of change for the same components.

[bcbrockway]

Sorry to hassle you @haorenfsa - I know you will have competing priorities! - but I was wondering how likely it was that this will be in 1.3.0? We had an outage recently because all our proxy pods were on the same spot node when it got interrupted. I had a go at it myself but there's a lot I need to learn about Kubebuilder and the operator's implementation of it before I can be very useful.