apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0

adding automountServiceAccountToken #701

Open jojay opened 2 months ago

jojay commented 2 months ago

Hi, is there an option to somehow set automountServiceAccountToken = false in kind: SolrCloud? This will solve a security recommendation in AKS. So in the STS (below is the SolrCloud installed with solr-operator 8.0.0, but enriched post-install with the mentioned attribute; I would like to accomplish the same for ZooKeeper too, and I would like to avoid post-processing with kustomize or forking the Helm charts myself) you would finally have the following. Excerpt:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    solr.apache.org/zkConnectionString: test-platformdev-solrcloud-zookeeper-0.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181,test-platformdev-solrcloud-zookeeper-1.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181,test-platformdev-solrcloud-zookeeper-2.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181/test-platformdev
  creationTimestamp: "2024-04-12T12:36:20Z"
  generation: 3
  labels:
    solr-cloud: test-platformdev
    technology: solr-cloud
  name: test-platformdev-solrcloud
  namespace: test-platformdev
  ownerReferences:
  - apiVersion: solr.apache.org/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: SolrCloud
    name: test-platformdev
    uid: 9ef08181-2d5e-401a-904d-6c6cd8f6e87b
  resourceVersion: "666711970"
  uid: 8f9393c1-0692-40dd-816a-8292ce2e63db
spec:
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  podManagementPolicy: Parallel
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      solr-cloud: test-platformdev
      technology: solr-cloud
  serviceName: test-platformdev-solrcloud-headless
  template:
    metadata:
      annotations:
        solr.apache.org/solrXmlMd5: 843652bc6b529b66f46bcdae6764ab4e
      creationTimestamp: null
      labels:
        solr-cloud: test-platformdev
        technology: solr-cloud
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: agentpool
                operator: In
                values:
                - agentpool
      automountServiceAccountToken: false   # added post-install; the attribute this issue is about
      containers:
      - env:
        - name: SOLR_JAVA_MEM
```

Thank you very much in advance!

jojay commented 2 months ago

BTW: This is the finding in Azure Defender: "Kubernetes clusters should disable automounting API credentials. There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. [...]" My tests were successful so far with my other deployments, but as described I am struggling with this property in the kind: SolrCloud file that, when applied, manages the installation.
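Added example, not part of this issue thread and not code from apache/solr-operator: the Kubernetes rule behind the Defender finding quoted above is that a pod gets an API token unless `automountServiceAccountToken` is `false` on the pod spec or, when the pod leaves the field unset, on the ServiceAccount it runs as; an explicit pod-level value always wins over the ServiceAccount. The audit below applies that rule to a constructed set of manifests modelled on the StatefulSets in this issue (the `-patched` name, the `solr-no-api` ServiceAccount, the `debug`/`legacy` pods and the `kube-api-access-abc12` volume are assumptions for the example) and also lists the token volume that the ServiceAccount admission controller injects into a live Pod, which is what to inspect after the StatefulSet has been re-rolled.

```python
"""Audit pod templates for automounted service-account tokens.

Added example for the automountServiceAccountToken discussion; not code from
apache/solr-operator. Manifests are plain dicts (what `kubectl get ... -o json`
or a YAML loader would return) so the script runs offline with no dependencies.
The `-patched` STS, `solr-no-api` ServiceAccount, `debug`/`legacy` pods and the
`kube-api-access-abc12` volume are constructed for the example.
"""
from __future__ import annotations

# Kinds that embed a pod template at spec.template.spec, plus bare Pods.
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job"}


def effective_automount(pod_spec: dict, service_account: dict | None) -> bool:
    """True if Kubernetes will mount a service-account token into the pod.

    Resolution order: an explicit pod-level value wins; otherwise the
    ServiceAccount's value applies; if neither is set, the default is to mount.
    """
    pod_value = pod_spec.get("automountServiceAccountToken")
    if pod_value is not None:
        return bool(pod_value)
    if service_account is not None:
        sa_value = service_account.get("automountServiceAccountToken")
        if sa_value is not None:
            return bool(sa_value)
    return True


def token_volumes(pod_spec: dict, sa_name: str = "default") -> list[str]:
    """Names of volumes carrying an API token on a live Pod object.

    The admission controller adds a projected volume with a `serviceAccountToken`
    source (kube-api-access-<hash> on 1.22+); older clusters mounted a Secret
    named `<sa>-token-<hash>`. Neither is added when automounting is disabled,
    so an empty list confirms the opt-out took effect on the running pod.
    """
    found = []
    for vol in pod_spec.get("volumes", []):
        sources = (vol.get("projected") or {}).get("sources", [])
        if any("serviceAccountToken" in src for src in sources):
            found.append(vol["name"])
        elif (vol.get("secret") or {}).get("secretName", "").startswith(f"{sa_name}-token-"):
            found.append(vol["name"])
    return found


def pod_spec_of(obj: dict) -> dict:
    """Return the pod spec of a Pod or of a workload's pod template."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def audit(objects: list[dict]) -> dict[str, bool]:
    """Map 'namespace/name' of every workload to whether a token gets mounted."""
    accounts = {}
    for obj in objects:
        if obj.get("kind") == "ServiceAccount":
            meta = obj["metadata"]
            accounts[(meta.get("namespace", "default"), meta["name"])] = obj
    report = {}
    for obj in objects:
        if obj.get("kind") not in WORKLOAD_KINDS:
            continue
        meta = obj["metadata"]
        ns = meta.get("namespace", "default")
        spec = pod_spec_of(obj)
        sa = accounts.get((ns, spec.get("serviceAccountName", "default")))
        report[f"{ns}/{meta['name']}"] = effective_automount(spec, sa)
    return report


NS = "test-platformdev"
SAMPLE_OBJECTS = [  # constructed input, modelled on the objects in this issue
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": NS}},
    {"kind": "ServiceAccount", "metadata": {"name": "solr-no-api", "namespace": NS},
     "automountServiceAccountToken": False},
    # Operator-generated STS with the field unset: token is mounted (the finding).
    {"kind": "StatefulSet", "metadata": {"name": "test-platformdev-solrcloud", "namespace": NS},
     "spec": {"template": {"spec": {"containers": [{"name": "solr"}]}}}},
    # Same STS with the pod-level opt-out, as in the excerpt above.
    {"kind": "StatefulSet", "metadata": {"name": "test-platformdev-solrcloud-patched", "namespace": NS},
     "spec": {"template": {"spec": {"automountServiceAccountToken": False,
                                     "containers": [{"name": "solr"}]}}}},
    # ZooKeeper STS opting out via its ServiceAccount instead of the pod spec.
    {"kind": "StatefulSet", "metadata": {"name": "test-platformdev-solrcloud-zookeeper", "namespace": NS},
     "spec": {"template": {"spec": {"serviceAccountName": "solr-no-api",
                                     "containers": [{"name": "zookeeper"}]}}}},
    # Live pod that asks for a token although its ServiceAccount opts out: pod wins.
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": NS},
     "spec": {"serviceAccountName": "solr-no-api", "automountServiceAccountToken": True,
              "containers": [{"name": "sh"}],
              "volumes": [{"name": "kube-api-access-abc12", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
    # Live pod on a pre-1.22 cluster: token arrives as a Secret volume.
    {"kind": "Pod", "metadata": {"name": "legacy", "namespace": NS},
     "spec": {"containers": [{"name": "sh"}],
              "volumes": [{"name": "default-token-x9k2p",
                           "secret": {"secretName": "default-token-x9k2p"}}]}},
]

if __name__ == "__main__":
    for workload, mounted in audit(SAMPLE_OBJECTS).items():
        print(f"{'MOUNTED  ' if mounted else 'opted out'}  {workload}")
```

To check a running Solr pod rather than a manifest, feed the `spec` of `kubectl get pod <name> -n <namespace> -o json` to `effective_automount` and `token_volumes`: a field added to the StatefulSet template only takes effect once the pods have been recreated. Opting out on the ServiceAccount is the route that needs no change to the generated pod template, provided the Solr and ZooKeeper pods can be pointed at a dedicated ServiceAccount, which this thread does not settle; any sidecar that genuinely needs the API would then have to set the pod-level field to `true` itself and be scoped by RBAC.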