Override default Mission Control security settings for Helm installations

To enforce the principle of least privilege, you can configure Mission Control platform and database components to override their default permission settings.

You can specify the Pod Security Context and Container Security Context across many of the Mission Control components.

Prerequisites

Before you begin, ensure that you are using Helm to install Mission Control or have an existing Helm installation. For more information, see Install and configure Mission Control using Helm.

KOTS installations do not support security overrides.

Override platform security settings

Override platform security settings for your environment by setting the podSecurityContext and securityContext parameters using Helm.

YAML file with security overrides
dex:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

agent:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    fsGroup: 1001
    runAsUser: 1001
    runAsNonRoot: true

aggregator:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    fsGroup: 1001
    runAsUser: 1001
    runAsNonRoot: true

loki:
  sidecar:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
  loki:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
  podSecurityContext:
    runAsNonRoot: true

k8ssandra-operator:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

cass-operator:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

Apply the overrides:

helm upgrade mission-control oci://registry.replicated.com/mission-control/mission-control --namespace mission-control --create-namespace -f PLATFORM_SECURITY_OVERRIDES.yaml

Replace PLATFORM_SECURITY_OVERRIDES.yaml with the name of the file that contains the security overrides.

Deploy a MissionControlCluster with security overrides

Override security settings for the MissionControlCluster custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion:
kind: MissionControlCluster
metadata:
  name: MISSION_CONTROL_CLUSTER_NAME
  namespace: NAMESPACE
spec:
  k8ssandra:
    cassandra:
      initContainers:
        # Cassandra v...
        - name: cass-config-builder
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # DSE v...
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # HCD v...
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # Medusa
        - name: ...
      containers:
        - name: cassandra
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
        - name: server-system-logger
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
      podSecurityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
  cqlsh:
    spec:
      initContainers: []
      containers:
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999

Replace the following:

  • MISSION_CONTROL_CLUSTER_NAME: The name of the MissionControlCluster custom resource

  • NAMESPACE: The namespace where the MissionControlCluster custom resource is deployed

Deploy the MissionControlCluster with overrides:

kubectl apply -f MISSION_CONTROL_CLUSTER.yaml

Replace MISSION_CONTROL_CLUSTER.yaml with the name of the file that contains the settings for your MissionControlCluster.

Override settings for the CqlConnectivity API custom resource

Override settings for the CqlConnectivity custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: CqlConnectivity
metadata:
  name: CQL_CONNECTIVITY_NAME
spec:
  cassandraDatacenterRef:
    name: DATACENTER_NAME
  loadBalancers:
    nativePort: 9042
    serviceConfig: {}
    size: 2
    podConfig:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        privileged: false
        readOnlyRootFilesystem: true
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
      podSecurityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999

Replace the following:

  • CQL_CONNECTIVITY_NAME: The name of the CqlConnectivity custom resource

  • DATACENTER_NAME: The name of the datacenter

Create the CqlConnectivity custom resource with overrides:

kubectl apply -f CQL_CONNECTIVITY.yaml

Replace CQL_CONNECTIVITY.yaml with the name of the manifest file that contains the security overrides.

Override settings for the Data API

Override security settings for the Data API custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: DataApi
metadata:
  name: DATA_API_NAME
  namespace: NAMESPACE
spec:
  cassandraDatacenterRef:
    name: DATACENTER_NAME
  replicas: 1
  services:
    nodePort:
      port: NODE_PORT
    clusterIP:
      port: CLUSTER_IP_PORT
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
  podSecurityContext:
    runAsNonRoot: true

Replace the following:

  • DATA_API_NAME: The name of the Data API custom resource

  • NAMESPACE: The namespace where the Data API custom resource is deployed

  • DATACENTER_NAME: The name of the datacenter

  • NODE_PORT: The port number for the nodePort service

  • CLUSTER_IP_PORT: The port number for the clusterIP service

Create or update the Data API custom resource with overrides:

kubectl apply -f DATA_API.yaml

Replace DATA_API.yaml with the name of the manifest file that contains the settings for your Data API custom resource.
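
To confirm that the overrides on this page are actually in effect on running pods, the following added example (not part of the original page or of DataStax tooling) audits the JSON printed by kubectl get pods -n mission-control -o json. The embedded sample, including its pod and container names, is constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods -n mission-control -o json`.
# Pod and container names are made up for this example.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "agent-0"},
  "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1001, "fsGroup": 1001},
           "containers": [{"name": "agent", "securityContext": {
               "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
               "capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"name": "legacy-0"},
  "spec": {"securityContext": {"runAsNonRoot": true},
           "initContainers": [{"name": "init", "securityContext": {"runAsNonRoot": false}}],
           "containers": [{"name": "main", "securityContext": {
               "allowPrivilegeEscalation": false,
               "capabilities": {"drop": ["NET_RAW"]}}}]}}
]}
""")

def audit_pod(pod):
    """Return (container, problem) pairs where the hardening from this page is not in effect."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot takes precedence over the pod-level value.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        drops = (sc.get("capabilities") or {}).get("drop") or []
        checks = {
            "runAsNonRoot not enforced": non_root is True,
            "allowPrivilegeEscalation not false": sc.get("allowPrivilegeEscalation") is False,
            "capabilities.drop lacks ALL": "ALL" in drops,
            "readOnlyRootFilesystem not true": sc.get("readOnlyRootFilesystem") is True,
            "privileged is true": sc.get("privileged") is not True,
        }
        findings += [(c["name"], msg) for msg, ok in checks.items() if not ok]
    return findings

def audit(pod_list):
    """Map pod name -> findings, listing only pods that have at least one finding."""
    report = {p["metadata"]["name"]: audit_pod(p) for p in pod_list["items"]}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for container, msg in findings:
            print(f"{name}/{container}: {msg}")
```

Init containers are audited separately because a pod-level runAsNonRoot: true does not cover a container that sets its own value, as the constructed legacy-0 pod shows.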
