
Add support to set capabilities on Solr cloud container's security context #489

Closed
pareekdevanshu opened this issue Nov 3, 2022 · 12 comments

@pareekdevanshu

Hi Team,
Currently it is possible to set capabilities for initContainers and sidecarContainers, e.g.:

securityContext:
  capabilities:
    drop:
      - ALL

But, there is no way to set capabilities on Solr cloud container's security context, can you please help in adding support for it?

@ollixy

ollixy commented Nov 18, 2022

@HoustonPutman is support for setting capabilities on customSolrKubeOptions.podOptions.podSecurityContext confirmed to be added eventually (and if it is, is there already an indication on when)? Or is this only under consideration and might be not added at all?

@mmoscher
Contributor

@ollixy you cannot set capabilities on the podSecurityContext, cf. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core. What we need is a separate option to specify the securityContext of each container in the pod.

@HoustonPutman +1 for this issue, since Solr is incompatible when using some restricted PSS and enforcing these with Kyverno (for example).

I'll try to file a PR, but my knowledge about operators is quite limited.

@HoustonPutman
Contributor

Sounds good, I'm very happy to help once you get a start 🙂

@ollixy

ollixy commented Jun 1, 2023

@mmoscher @HoustonPutman any news on this one?

@aaronsuns

Any news on this one?

@HoustonPutman
Contributor

No news from me. I'm not running openshift, so I don't really know what needs to be done. If someone wants to start a PR, then I'm very happy to help usher it through.

@AyzekTime

Hi all! A new version was recently released (April 12, 2024: Apache Solr Operator™ v0.8.1 is available, but there is no solution to our problem). Is there any news on our problem?

@janhoy
Contributor

janhoy commented May 3, 2024

Hi all! A new version was recently released (April 12, 2024: Apache Solr Operator™ v0.8.1 is available, but there is no solution to our problem). Is there any news on our problem?

@ollixy , @pareekdevanshu, @mmoscher, @aaronsuns , @AyzekTime
This is an open source project, and we rely on contributions. If your day job has a need for this and you are willing to sponsor such a feature, then the best way forward is to arrange so that you can contribute a PR directly, and we'll help get it into the next version.

@bentastic27

I'm running into this issue on EKS.

@janhoy / @HoustonPutman Are these extra capabilities/privs ever actually needed? If not, we can likely hardcode in the changes made in this comment:
#671 (comment)

Here is an example of a values.yaml I'm trying to use for a Solr Cluster:

# Anchor so the same security context can be reused below via a YAML merge key.
securityContext: &securityContext
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

podOptions:
  labels:
    sidecar.istio.io/inject: 'false'
  podSecurityContext:
    <<: *securityContext
zk:
  provided:
    zookeeperPodPolicy:
      securityContext:
        <<: *securityContext
      labels:
        sidecar.istio.io/inject: 'false'
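To tie together mmoscher's point above (capabilities and allowPrivilegeEscalation exist only on a container's securityContext, never on the pod-level podSecurityContext) and the values.yaml attempt just shown, here is an added example that is not code from this issue or from the Solr operator: a small audit of a pod spec against the container-level fields the restricted Pod Security Standard requires. It reports fields that were set at pod level where they have no effect, and lists, per container, what is still missing. The pod spec, container names and field values are constructed for illustration.

```python
"""Audit a Kubernetes pod spec for restricted-PSS container settings.

Added example, not part of the Solr operator issue or project. The sample
pod spec below is constructed and mirrors the mistake of placing
container-only fields on the pod-level securityContext.
"""
from typing import Any, Dict, List

# Fields that exist only on a container securityContext. Putting them on the
# pod-level securityContext is not a valid PodSecurityContext field and does
# nothing for the containers.
CONTAINER_ONLY_FIELDS = (
    "capabilities",
    "allowPrivilegeEscalation",
    "privileged",
    "readOnlyRootFilesystem",
)

# Constructed sample: pod-level context carries the container-only fields,
# the init container is hardened, the main container has no context at all.
SAMPLE_POD_SPEC: Dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
        "capabilities": {"drop": ["ALL"]},        # ineffective here
        "allowPrivilegeEscalation": False,       # ineffective here
    },
    "initContainers": [
        {
            "name": "init-setup",                 # constructed name
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
    "containers": [
        {"name": "solr"},                         # constructed; no securityContext
    ],
}


def misplaced_pod_fields(pod_spec: Dict[str, Any]) -> List[str]:
    """Container-only fields that were set (without effect) at pod level."""
    pod_sc = pod_spec.get("securityContext") or {}
    return [f for f in CONTAINER_ONLY_FIELDS if f in pod_sc]


def check_container(container: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    """Restricted-PSS findings for one container (empty list means compliant).

    runAsNonRoot and seccompProfile may be inherited from the pod level;
    capabilities and allowPrivilegeEscalation cannot.
    """
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings: List[str] = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation must be false")
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities.drop must include ALL")
    # Restricted permits adding back only NET_BIND_SERVICE.
    extra = [c for c in (caps.get("add") or []) if c != "NET_BIND_SERVICE"]
    if extra:
        findings.append(f"capabilities.add not permitted: {extra}")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot must be true (container or pod level)")
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def audit_pod(pod_spec: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map every init and regular container name to its findings."""
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return {c["name"]: check_container(c, pod_sc) for c in containers}


if __name__ == "__main__":
    print("ineffective pod-level fields:", misplaced_pod_fields(SAMPLE_POD_SPEC))
    for name, findings in audit_pod(SAMPLE_POD_SPEC).items():
        print(f"{name}: {findings or 'ok'}")
```

Run against the sample, the pod-level capabilities and allowPrivilegeEscalation are reported as ineffective, the init container passes, and the main container is flagged for the two fields that can only be set per container, which is exactly the gap this issue asks the operator to close.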

@gerlowskija
Contributor

gerlowskija commented Jan 7, 2025

Are these extra capabilities/privs ever actually needed? If not, we can likely hardcode

In a vanilla setup, probably not. But users have a lot of flexibility in the particular Docker images and Solr plugins used in the Solr container. It's plausible IMO that someone out there has a use case requiring additional privs. So if we add a stock security context, there should probably be a way to disable it.

@gerlowskija
Contributor

Alright all - I've added support for setting arbitrary container-level SecurityContext settings in the recently merged PR #743.

Hoping to do an operator release in the next week or two to get this, and other recent bug fixes, out to folks. If anyone has a few minutes, please build from main and try out the new support and let me know what you think. I'd love to catch any limitations or bugs before the release.

@gerlowskija
Contributor

gerlowskija commented Jan 17, 2025

I meant to close this ticket when #743 was merged, but neglected to. Doing so now.

(Of course, I'll still share an update here for folks when an RC is available, so folks can kick the tires a bit and catch any potential bugs before it goes out!)

@gerlowskija gerlowskija added this to the v0.9.0 milestone Jan 17, 2025