Add support to set capabilities on Solr cloud container's security context #489

Open
pareekdevanshu opened this issue Nov 3, 2022 · 9 comments · May be fixed by #702

Comments

@pareekdevanshu

Hi Team,
Currently it is possible to set capabilities for initContainers and sidecarContainers, e.g.:

securityContext:
  capabilities:
    drop:
      - ALL

But there is no way to set capabilities on the Solr cloud container's security context. Can you please help in adding support for it?

@ollixy

ollixy commented Nov 18, 2022

@HoustonPutman is support for setting capabilities on customSolrKubeOptions.podOptions.podSecurityContext confirmed to be added eventually (and if it is, is there already an indication on when)? Or is this only under consideration and might not be added at all?

@mmoscher
Contributor

@ollixy you cannot set capabilities on the podSecurityContext, cf. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core. What we need is a separate option to specify the securityContext of each container in the pod.

@HoustonPutman +1 for this issue, since Solr is incompatible when using some restricted PSS and enforcing these with Kyverno (for example).

I'll try to file a PR, but my knowledge about operators is quite limited.
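An added illustration, not part of any comment in this thread and not the operator's code: a check of four securityContext controls from the restricted Pod Security Standard, showing that two of them can only be satisfied per container while the other two may be inherited from the pod level. The container names and pod specs are constructed sample input, and ephemeral containers and the other restricted-profile controls are not covered.

```python
import copy

def _effective(pod_sc, ctr_sc, key):
    # Fields valid at both levels: the container value overrides the pod value.
    return ctr_sc.get(key, pod_sc.get(key))

def restricted_violations(pod_spec):
    """Check four securityContext controls of the restricted profile."""
    pod_sc = pod_spec.get("securityContext") or {}
    found = []
    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc, name = ctr.get("securityContext") or {}, ctr["name"]
        # Container-only fields: PodSecurityContext cannot carry these.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((name, "allowPrivilegeEscalation must be false"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append((name, "capabilities.drop must include ALL"))
        # Fields that may be inherited from the pod-level securityContext.
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            found.append((name, "runAsNonRoot must be true"))
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
    return found

# Constructed sample input (container names are made up for this example).
CONTAINER_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
POD_LEVEL_ONLY = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "init", "securityContext": CONTAINER_SC}],
    "containers": [{"name": "solr"}],  # no container-level securityContext
}
WITH_CONTAINER_SC = copy.deepcopy(POD_LEVEL_ONLY)
WITH_CONTAINER_SC["containers"][0]["securityContext"] = copy.deepcopy(CONTAINER_SC)

if __name__ == "__main__":
    for label, spec in (("pod-level only", POD_LEVEL_ONLY),
                        ("with container securityContext", WITH_CONTAINER_SC)):
        print(label, restricted_violations(spec))
```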

@HoustonPutman
Contributor

Sounds good, I'm very happy to help once you get a start 🙂

@ollixy

ollixy commented Jun 1, 2023

@mmoscher @HoustonPutman any news on this one?

@aaronsuns

Any news on this one?

@HoustonPutman
Contributor

No news from me. I'm not running OpenShift, so I don't really know what needs to be done. If someone wants to start a PR, then I'm very happy to help usher it through.

@AyzekTime

Hi all! A new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available, there is no solution to our problem). Is there any news on our problem?

@janhoy
Contributor

janhoy commented May 3, 2024

> Hi all! A new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available, there is no solution to our problem). Is there any news on our problem?

@ollixy , @pareekdevanshu, @mmoscher, @aaronsuns , @AyzekTime
This is an open source project, and we rely on contributions. If your day-job has a need for this and you are willing to sponsor such a feature, then the best way forward is to arrange so that you can contribute a PR directly, and we'll help get it into the next version.

@bentastic27

I'm running into this issue on EKS.

@janhoy / @HoustonPutman Are these extra capabilities/privs ever actually needed? If not, we can likely hardcode in the changes made in this comment:
#671 (comment)

Here is an example of a values.yaml I'm trying to use for a Solr Cluster:

securityContext: &securityContext
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

podOptions:
  labels:
    sidecar.istio.io/inject: 'false'
  podSecurityContext:
    <<: *securityContext
zk:
  provided:
    zookeeperPodPolicy:
      securityContext:
        <<: *securityContext
      labels:
        sidecar.istio.io/inject: 'false'

@bentastic27 bentastic27 linked a pull request May 6, 2024 that will close this issue