Override default Mission Control security settings for Helm installations

To enforce the principle of least privilege, you can configure Mission Control platform and database components to override their default permission settings.

You can specify the Pod Security Context and Container Security Context across many of the Mission Control components.

Prerequisites

Before you begin, ensure that you are using Helm to install Mission Control or have an existing Helm installation. For more information, see Install and configure Mission Control using Helm.

KOTS installations do not support security overrides.

Override platform security settings

You can override platform security settings for your environment by setting the podSecurityContext and securityContext parameters using kubectl.

YAML file with security overrides
dex:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

agent:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    fsGroup: 1001
    runAsUser: 1001
    runAsNonRoot: true

aggregator:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    fsGroup: 1001
    runAsUser: 1001
    runAsNonRoot: true

loki:
  sidecar:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
  loki:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
  podSecurityContext:
    runAsNonRoot: true

k8ssandra-operator:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

cass-operator:
  podSecurityContext:
    runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

Apply the overrides:

kubectl apply -f PLATFORM_SECURITY_OVERRIDES.yaml

Replace PLATFORM_SECURITY_OVERRIDES.yaml with the name of the file that contains the security overrides.

Deploy a MissionControlCluster with security overrides

You can override security settings for the MissionControlCluster custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion:
kind: MissionControlCluster
metadata:
  name: sample-cluster
  namespace: sample-project
spec:
  k8ssandra:
    cassandra:
      initContainers:
        # Cassandra v...
        - name: cass-config-builder
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # DSE v...
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # HCD v...
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999

        # Medusa
        - name: ...
      containers:
        - name: cassandra
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
        - name: server-system-logger
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
      podSecurityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
  cqlsh:
    spec:
      initContainers: [] # Is this used?
      containers:
        - name: ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 999
            runAsNonRoot: true
            runAsUser: 999
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999

Deploy the MissionControlCluster with overrides:

kubectl apply -f MISSION_CONTROL_CLUSTER.yaml

Replace MISSION_CONTROL_CLUSTER.yaml with the name of the file that contains the settings for your MissionControlCluster.

Override settings for the CqlConnectivity API custom resource

You can override settings for the CqlConnectivity custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: CqlConnectivity
metadata:
  name: cql-connectivity
spec:
  cassandraDatacenterRef:
    name: test-dc1
  loadBalancers:
    nativePort: 9042
    serviceConfig: {}
    size: 2
    podConfig:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        privileged: false
        readOnlyRootFilesystem: true
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
      podSecurityContext:
        fsGroup: 999
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 999

Create the CqlConnectivity custom resource with overrides:

kubectl apply -f CQL_CONNECTIVITY.yaml

Replace CQL_CONNECTIVITY.yaml with the name of the file that contains the security overrides.

Override settings for the Data API

You can override security settings for the Data API custom resource by setting the containerSecurityContext and podSecurityContext parameters using kubectl.

YAML file with security overrides
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: DataApi
metadata:
  name: test
  namespace: test
spec:
  cassandraDatacenterRef:
    name: dc1
  replicas: 1
  services:
    nodePort:
      port: 30001
    clusterIP:
      port: 11000
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
  podSecurityContext:
    runAsNonRoot: true

Create or update the Data API custom resource with overrides:

kubectl apply -f DATA_API.yaml

Replace DATA_API.yaml with the name of the file that contains the settings for your Data API custom resource.
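To confirm that the overrides above took effect on running pods, you can audit the output of `kubectl get pods -o json`. The following Python script is an added example, not DataStax code; the pod names and the sample data are constructed. It resolves `runAsNonRoot` the way Kubernetes does, using the pod-level value when a container does not set its own, which matters for components such as dex and the Data API whose overrides set it only at the pod level.

```python
import json

# Container-level values that the override files on this page set.
REQUIRED = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}

def audit_pod(pod):
    """Return the hardening gaps of one pod as (container, problem) pairs."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    gaps = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        for key, want in REQUIRED.items():
            if sc.get(key) is not want:
                gaps.append((c["name"], f"{key} is not {str(want).lower()}"))
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drop]:
            gaps.append((c["name"], "capabilities.drop lacks ALL"))
        if sc.get("privileged") is True:
            gaps.append((c["name"], "privileged is true"))
        # A container-level runAsNonRoot wins; otherwise the pod-level value applies.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            gaps.append((c["name"], "runAsNonRoot is not true"))
    return gaps

def audit(pod_list):
    """Map pod name -> gaps, listing only pods that have at least one gap."""
    report = {}
    for pod in pod_list.get("items", []):
        gaps = audit_pod(pod)
        if gaps:
            report[pod["metadata"]["name"]] = gaps
    return report

# Constructed sample in the shape of `kubectl get pods -o json` output.
HARDENED = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}
SAMPLE = {"items": [
    {"metadata": {"name": "dex-sample"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "dex", "securityContext": HARDENED}]}},
    {"metadata": {"name": "loki-sample"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [
                  {"name": "loki", "securityContext": HARDENED},
                  {"name": "sidecar",
                   "securityContext": {"allowPrivilegeEscalation": False}}]}},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To audit a live namespace, load the JSON that `kubectl get pods -o json` prints and pass the parsed object to `audit`.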
