From 78cf455fb679063d8f824b3439d8adef87119d19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Fri, 27 Oct 2023 14:36:53 +0200
Subject: [PATCH] Make busybox securityContext configurable
---
 api/v1beta1/common_types.go | 37 +++++++++++++++++++
 api/v1beta1/solrcloud_types.go | 14 ++++++-
 api/v1beta1/zz_generated.deepcopy.go | 35 ++++++++++++++++++
 .../crd/bases/solr.apache.org_solrclouds.yaml | 29 +++++++++++++++
 controllers/util/solr_util.go | 1 +
 helm/solr-operator/crds/crds.yaml | 29 +++++++++++++++
 helm/solr/values.yaml | 2 +-
 7 files changed, 145 insertions(+), 2 deletions(-)
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index b440b900..ae124232 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -216,6 +216,43 @@ type AdditionalVolume struct {
 DefaultContainerMount *corev1.VolumeMount `json:"defaultContainerMount,omitempty"`
 }
 
+// ContainerSecurityContext defines RunAsNonRoot, RunAsGroup and RunAsUser options
+type ContainerSecurityContext struct {
+ // The UID to run the entrypoint of the container process.
+ // +optional
+ RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
+ // The GID to run the entrypoint of the container process.
+ // +optional
+ RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,8,opt,name=runAsGroup"`
+ // Indicates that the container must run as a non-root user.
+ // +optional
+ RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"`
+}
+
+func (c *ContainerSecurityContext) withDefaults(userId int64, groupId int64, nonRoot bool) (changed bool) {
+ if c.RunAsUser == nil {
+ changed = true
+ c.RunAsUser = &userId
+ }
+ if c.RunAsGroup == nil {
+ changed = true
+ c.RunAsGroup = &groupId
+ }
+ if c.RunAsNonRoot == nil {
+ changed = true
+ c.RunAsNonRoot = &nonRoot
+ }
+ return changed
+}
+
+func (c *ContainerSecurityContext) ToSC() *corev1.SecurityContext {
+ return &corev1.SecurityContext{
+ RunAsUser: c.RunAsUser,
+ RunAsGroup: c.RunAsGroup,
+ RunAsNonRoot: c.RunAsNonRoot,
+ }
+}
+
 // ContainerImage defines the fields needed for a Docker repository image. The
 // format here matches the predominant format used in Helm charts.
 type ContainerImage struct {
diff --git a/api/v1beta1/solrcloud_types.go b/api/v1beta1/solrcloud_types.go
index 99dc3f41..456ee505 100644
--- a/api/v1beta1/solrcloud_types.go
+++ b/api/v1beta1/solrcloud_types.go
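Review bot: `ToSC` in api/v1beta1/common_types.go reads `c.RunAsUser` through a pointer receiver with no nil check, and the only caller in this patch (controllers/util/solr_util.go) invokes it on `solrCloud.Spec.BusyBoxSecurityContext`, an optional pointer field. Any path that reaches the init-container builder before `withDefaults` has run, such as a hand-built SolrCloud in a unit test, would panic the operator rather than yield a container with no security context. Opening the method with `if c == nil { return nil }` keeps the call site safe. `ToSC` is also exported without a doc comment; `// ToSC converts the settings into a corev1.SecurityContext that carries only the run-as fields.` would cover it.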
@@ -44,7 +44,10 @@ const (
 DefaultSolrGCTune = ""
 
 DefaultBusyBoxImageRepo = "library/busybox"
- DefaultBusyBoxImageVersion = "1.28.0-glibc"
+ DefaultBusyBoxImageVersion = "1.36.1-glibc"
+ DefaultBusyBoxUserId = int64(65534)
+ DefaultBusyBoxGroupId = int64(65534)
+ DefaultBusyBoxRunAsNonRoot = true
 
 DefaultZkReplicas = int32(3)
 DefaultZkStorage = "5Gi"
@@ -103,6 +106,9 @@ type SolrCloudSpec struct {
 // +optional
 BusyBoxImage *ContainerImage `json:"busyBoxImage,omitempty"`
 
+ // +optional
+ BusyBoxSecurityContext *ContainerSecurityContext `json:"busyBoxSecurityContext,omitempty"`
+
 // +optional
 SolrJavaMem string `json:"solrJavaMem,omitempty"`
 
@@ -204,6 +210,12 @@ func (spec *SolrCloudSpec) withDefaults(logger logr.Logger) (changed bool) {
 }
 changed = spec.BusyBoxImage.withDefaults(DefaultBusyBoxImageRepo, DefaultBusyBoxImageVersion, DefaultPullPolicy) || changed
 
+ if spec.BusyBoxSecurityContext == nil {
+ c := ContainerSecurityContext{}
+ spec.BusyBoxSecurityContext = &c
+ }
+ changed = spec.BusyBoxSecurityContext.withDefaults(DefaultBusyBoxUserId, DefaultBusyBoxGroupId, DefaultBusyBoxRunAsNonRoot) || changed
+
 return changed
 }
 
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 718946d0..6ff64b06 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
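Review bot: `DefaultBusyBoxUserId` and `DefaultBusyBoxGroupId` in the const block are new exported names that break Go's initialism convention; `DefaultBusyBoxUserID` and `DefaultBusyBoxGroupID` are cheaper to adopt now than after a release. The value 65534 is unexplained, and a comment such as `// 65534 is the conventional "nobody" UID/GID; override via spec.busyBoxSecurityContext` would tell readers why it was chosen. The same naming point applies to the `userId`/`groupId` parameters of `ContainerSecurityContext.withDefaults` in common_types.go.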
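Review bot: `BusyBoxSecurityContext` in `SolrCloudSpec` carries only a `// +optional` marker, so the generated CRD falls back to the type's generic description, as the CRD hunks later in this patch show. A field comment would tell users which container it governs and what happens when it is omitted, for example `// BusyBoxSecurityContext sets runAsUser, runAsGroup and runAsNonRoot for the busybox init container; unset fields default to 65534, 65534 and true.` The struct body continues outside the hunk.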
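Review bot: Defaulting each field independently can produce a spec the kubelet refuses to start: a user who sets only `runAsUser: 0` in `busyBoxSecurityContext` still gets `RunAsNonRoot` filled in as `true` by the `withDefaults(DefaultBusyBoxUserId, DefaultBusyBoxGroupId, DefaultBusyBoxRunAsNonRoot)` call. The CRD description added in this patch states that runAsNonRoot makes the container fail to start when it would run as UID 0. Either derive the default from the effective UID (in `ContainerSecurityContext.withDefaults`, `nonRoot = nonRoot && *c.RunAsUser != 0` ahead of the `RunAsNonRoot` block) or reject the combination in validation. The nil branch could also shrink to `spec.BusyBoxSecurityContext = &ContainerSecurityContext{}`. `SolrCloudSpec.withDefaults` starts outside the hunk.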
@@ -137,6 +137,36 @@ func (in *ContainerImage) DeepCopy() *ContainerImage { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ContainerSecurityContext) DeepCopyInto(out *ContainerSecurityContext) { + *out = *in + if in.RunAsUser != nil { + in, out := &in.RunAsUser, &out.RunAsUser + *out = new(int64) + **out = **in + } + if in.RunAsGroup != nil { + in, out := &in.RunAsGroup, &out.RunAsGroup + *out = new(int64) + **out = **in + } + if in.RunAsNonRoot != nil { + in, out := &in.RunAsNonRoot, &out.RunAsNonRoot + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSecurityContext. +func (in *ContainerSecurityContext) DeepCopy() *ContainerSecurityContext { + if in == nil { + return nil + } + out := new(ContainerSecurityContext) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomExporterKubeOptions) DeepCopyInto(out *CustomExporterKubeOptions) { *out = *in @@ -908,6 +938,11 @@ func (in *SolrCloudSpec) DeepCopyInto(out *SolrCloudSpec) { *out = new(ContainerImage) **out = **in } + if in.BusyBoxSecurityContext != nil { + in, out := &in.BusyBoxSecurityContext, &out.BusyBoxSecurityContext + *out = new(ContainerSecurityContext) + (*in).DeepCopyInto(*out) + } if in.SolrTLS != nil { in, out := &in.SolrTLS, &out.SolrTLS *out = new(SolrTLSOptions) diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml b/config/crd/bases/solr.apache.org_solrclouds.yaml index ded65039..49b7b878 100644 --- a/config/crd/bases/solr.apache.org_solrclouds.yaml +++ b/config/crd/bases/solr.apache.org_solrclouds.yaml 
@@ -2015,6 +2015,35 @@ spec: tag: type: string type: object + busyBoxSecurityContext: + description: ContainerSecurityContext defines RunAsNonRoot, RunAsGroup + and RunAsUser options + properties: + runAsGroup: + description: The GID to run the entrypoint of the container process. + Uses runtime default if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + format: int64 + type: integer + type: object customSolrKubeOptions: description: Provide custom options for kubernetes objects created for the Solr Cloud. diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go index 0c7f0980..84086f76 100644 --- a/controllers/util/solr_util.go +++ b/controllers/util/solr_util.go @@ -757,6 +757,7 @@ func generateSolrSetupInitContainers(solrCloud *solr.SolrCloud, solrCloudStatus Requests: volumePrepResources, Limits: volumePrepResources, }, + SecurityContext: solrCloud.Spec.BusyBoxSecurityContext.ToSC(), } containers = append(containers, volumePrepInitContainer) 
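Review bot: The added `SecurityContext:` line in controllers/util/solr_util.go gives `volumePrepInitContainer` only the three run-as fields that `ToSC()` copies, so `allowPrivilegeEscalation`, `capabilities` and `seccompProfile` stay at their runtime defaults and cannot be set through `busyBoxSecurityContext`. Clusters that enforce the restricted Pod Security Standard would presumably still reject this container, so either widen the type or document the gap. Because the spec is always defaulted, existing SolrClouds also switch this container to UID 65534 on upgrade. Its command is outside the hunk, so confirm it does not need root (for example to change ownership on the data volume) and call the change out in the upgrade notes. The enclosing `generateSolrSetupInitContainers` starts and ends outside the hunk.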
diff --git a/helm/solr-operator/crds/crds.yaml b/helm/solr-operator/crds/crds.yaml index bd311a50..e4cc1b09 100644 --- a/helm/solr-operator/crds/crds.yaml +++ b/helm/solr-operator/crds/crds.yaml @@ -2264,6 +2264,35 @@ spec: tag: type: string type: object + busyBoxSecurityContext: + description: ContainerSecurityContext defines RunAsNonRoot, RunAsGroup + and RunAsUser options + properties: + runAsGroup: + description: The GID to run the entrypoint of the container process. + Uses runtime default if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + format: int64 + type: integer + type: object customSolrKubeOptions: description: Provide custom options for kubernetes objects created for the Solr Cloud. diff --git a/helm/solr/values.yaml b/helm/solr/values.yaml index 216944d5..79a47445 100644 --- a/helm/solr/values.yaml +++ b/helm/solr/values.yaml @@ -48,7 +48,7 @@ image: busyBoxImage: {} # repository: "busybox" - # tag: "1.28.0-glibc" + # tag: "1.36.1-glibc" # pullPolicy: "" # imagePullSecret: ""