apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0

Make busybox securityContext configurable #649

Open janhoy opened 8 months ago

janhoy commented 8 months ago

Draft PR, only code, not docs, no helm support.

The busybox official image runs as root in the cp-solr-xml init container, and there is no way to configure it otherwise, other than pointing to a different image that has been manipulated as non-root.

By adding a SecurityContext for the init container defaulting to the nobody user and setting runAsNonRoot: true, we have a good default. By also making the securityContext configurable, we allow for people to switch to a different image with other UID etc. Example:

spec:
  busyBoxImage:
    tag: 1.36.1-glibc
  busyBoxSecurityContext:
    runAsUser: 123

Fixes #582

janhoy commented 8 months ago

Alternatively, should perhaps the spec for cp-solr-xml init container be configurable as one yaml dict instead of two? Still defaults in code, but end users could perhaps override more properties of the container in a more familiar and transparent way. Example:

spec:
  cpSolrXmlInitContainer:
    image:
      registry: public.ecr.aws
      repository: my-company/busybox
      tag: 1.37.0-custom
      imagePullSecret: foo
    securityContext:
      runAsUser: 1000
      runAsGroup: 1000

PS: By splitting image into registry, repository and tag, it is easier for downstream users to customize just the registry part.
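
An added example, not code from this pull request or from the solr-operator project: the defaulting proposed in the description, where the init container starts from a non-root default and fields set in `busyBoxSecurityContext` override it. The local `SecurityContext` struct, the function names, the field-by-field merge and UID 65534 for `nobody` are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext is a local stand-in for the three corev1.SecurityContext
// fields discussed here, so the example builds without k8s.io/api.
type SecurityContext struct {
	RunAsUser    *int64
	RunAsGroup   *int64
	RunAsNonRoot *bool
}

// Assumption: 65534 is the UID of "nobody" in the busybox image.
const nobodyUID int64 = 65534

func int64Ptr(v int64) *int64 { return &v }
func boolPtr(v bool) *bool    { return &v }

// effectiveBusyBoxSecurityContext starts from the non-root default and lets
// every field the user set win (field-by-field merge is an assumption here).
func effectiveBusyBoxSecurityContext(override *SecurityContext) (SecurityContext, error) {
	sc := SecurityContext{RunAsUser: int64Ptr(nobodyUID), RunAsNonRoot: boolPtr(true)}
	if override != nil {
		if override.RunAsUser != nil {
			sc.RunAsUser = override.RunAsUser
		}
		if override.RunAsGroup != nil {
			sc.RunAsGroup = override.RunAsGroup
		}
		if override.RunAsNonRoot != nil {
			sc.RunAsNonRoot = override.RunAsNonRoot
		}
	}
	// UID 0 contradicts runAsNonRoot: true, so reject it before a pod is built.
	if *sc.RunAsNonRoot && *sc.RunAsUser == 0 {
		return sc, errors.New("runAsUser 0 conflicts with runAsNonRoot: true")
	}
	return sc, nil
}

func main() {
	// The override from the description: only runAsUser is set.
	sc, err := effectiveBusyBoxSecurityContext(&SecurityContext{RunAsUser: int64Ptr(123)})
	fmt.Println(*sc.RunAsUser, *sc.RunAsNonRoot, err)
}
```

With the override from the description (`runAsUser: 123`), `runAsNonRoot: true` is kept from the default, which a wholesale replacement of the struct would lose.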