apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0

Add support to set capabilities on Solr cloud container's security context #489

Open pareekdevanshu opened 1 year ago

pareekdevanshu commented 1 year ago

Hi Team, currently it is possible to set capabilities for initContainers and sidecarContainers, e.g.:

```yaml
securityContext:
  capabilities:
    drop:
      - ALL
```

But there is no way to set capabilities on the Solr cloud container's security context. Can you please help in adding support for it?

ollixy commented 1 year ago

@HoustonPutman is support for setting capabilities on customSolrKubeOptions.podOptions.podSecurityContext confirmed to be added eventually (and if it is, is there already an indication on when)? Or is this only under consideration and might be not added at all?

mmoscher commented 1 year ago

@ollixy you cannot set capabilities on the podSecurityContext, cf. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core. What we need is a separate option to specify the securityContext of each container in the pod.

@HoustonPutman +1 for this issue, since Solr is incompatible when using some restricted PSS and enforcing these with Kyverno (for example).

I'll try to file a PR, but my knowledge about operators is quite limited.

HoustonPutman commented 1 year ago

Sounds good, I'm very happy to help once you get a start 🙂

ollixy commented 1 year ago

@mmoscher @HoustonPutman any news on this one?

aaronsuns commented 9 months ago

Any news on this one?

HoustonPutman commented 6 months ago

No news from me. I'm not running OpenShift, so I don't really know what needs to be done. If someone wants to start a PR, then I'm very happy to help usher it through.

AyzekTime commented 5 months ago

Hi all! A new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available; there is no solution to our problem). Is there any news on our problem?

janhoy commented 5 months ago

> Hi all! A new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available; there is no solution to our problem). Is there any news on our problem?

@ollixy, @pareekdevanshu, @mmoscher, @aaronsuns, @AyzekTime This is an open source project, and we rely on contributions. If your day-job has a need for this and you are willing to sponsor such a feature, then the best way forward is to arrange so that you can contribute a PR directly, and we'll help get it into the next version.

bentastic27 commented 5 months ago

I'm running into this issue on EKS.

@janhoy / @HoustonPutman Are these extra capabilities/privs ever actually needed? If not, we can likely hardcode in the changes made in this comment: https://github.com/apache/solr-operator/issues/671#issuecomment-1875441585

Here is an example of a values.yaml I'm trying to use for a Solr Cluster:

```yaml
# Shared restricted-profile settings, reused below through the YAML anchor
securityContext: &securityContext
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

podOptions:
  labels:
    sidecar.istio.io/inject: 'false'
  podSecurityContext:
    <<: *securityContext

zk:
  provided:
    zookeeperPodPolicy:
      securityContext:
        <<: *securityContext
      labels:
        sidecar.istio.io/inject: 'false'
```
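As an added example (not from the issue or the solr-operator code base), the check below shows why the values.yaml above does not satisfy a restricted Pod Security Standard: `capabilities` and `allowPrivilegeEscalation` are container-level fields that PodSecurityContext does not have, so the Solr container stays unrestricted. The sample pod spec and the container name `solrcloud` are constructed for illustration.

```python
# Added example, not from the issue or the solr-operator code base. It checks a
# rendered Pod spec against the two container-level rules of the Kubernetes
# "restricted" Pod Security Standard, the rules a Kyverno policy enforcing that
# profile would reject the Solr pod for. PodSecurityContext has no capabilities
# or allowPrivilegeEscalation field, so placing them at pod level (as the
# values.yaml above attempts) leaves the solrcloud container unrestricted.

# Fields the restricted profile requires on every container (init, sidecar and
# main). They do not exist on PodSecurityContext.
CONTAINER_ONLY_FIELDS = ("capabilities", "allowPrivilegeEscalation")


def container_findings(container: dict) -> list[str]:
    """Return restricted-profile violations for one container spec."""
    name = container["name"]
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    drop = [c.upper() for c in (sc.get("capabilities") or {}).get("drop") or []]
    if "ALL" not in drop:
        findings.append(f"{name}: capabilities.drop must include ALL")
    return findings


def check_pod(pod: dict) -> list[str]:
    """Check every container of a Pod, and flag container-only keys that were
    placed on the pod-level securityContext, where the API does not know them."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = [f"pod: '{k}' is not a PodSecurityContext field; "
                "set it on each container's securityContext"
                for k in CONTAINER_ONLY_FIELDS if k in pod_sc]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(container_findings(c))
    return findings


# Constructed sample (hypothetical names): the restricted fields sit on the
# pod-level context, while the solrcloud container has no capability settings.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"},
                        "capabilities": {"drop": ["ALL"]},
                        "allowPrivilegeEscalation": False},
    "containers": [{"name": "solrcloud",
                    "securityContext": {"runAsNonRoot": True}}],
}}
```

Running `check_pod(SAMPLE_POD)` lists the two misplaced pod-level keys and the two missing container-level settings; a container whose own securityContext drops ALL and disables privilege escalation produces no findings.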