apache · janhoy · Oct 27, 2023
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -216,6 +216,43 @@ type AdditionalVolume struct {
 	DefaultContainerMount *corev1.VolumeMount `json:"defaultContainerMount,omitempty"`
 }
 
+// ContainerSecurityContext defines RunAsNonRoot, RunAsGroup and RunAsUser options
+type ContainerSecurityContext struct {
+	// The UID to run the entrypoint of the container process.
+	// +optional
+	RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
+	// The GID to run the entrypoint of the container process.
+	// +optional
+	RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,8,opt,name=runAsGroup"`
+	// Indicates that the container must run as a non-root user.
+	// +optional
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"`
+}
+
+func (c *ContainerSecurityContext) withDefaults(userId int64, groupId int64, nonRoot bool) (changed bool) {
+	if c.RunAsUser == nil {
+		changed = true
+		c.RunAsUser = &userId
+	}
+	if c.RunAsGroup == nil {
+		changed = true
+		c.RunAsGroup = &groupId
+	}
+	if c.RunAsNonRoot == nil {
+		changed = true
+		c.RunAsNonRoot = &nonRoot
+	}
+	return changed
+}
+
+func (c *ContainerSecurityContext) ToSC() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:    c.RunAsUser,
+		RunAsGroup:   c.RunAsGroup,
+		RunAsNonRoot: c.RunAsNonRoot,
+	}
+}
+
 // ContainerImage defines the fields needed for a Docker repository image. The
 // format here matches the predominant format used in Helm charts.
 type ContainerImage struct {

diff --git a/api/v1beta1/solrcloud_types.go b/api/v1beta1/solrcloud_types.go
@@ -44,7 +44,10 @@ const (
 	DefaultSolrGCTune   = ""
 
 	DefaultBusyBoxImageRepo    = "library/busybox"
-	DefaultBusyBoxImageVersion = "1.28.0-glibc"
+	DefaultBusyBoxImageVersion = "1.36.1-glibc"
+	DefaultBusyBoxUserId       = int64(65534)
+	DefaultBusyBoxGroupId      = int64(65534)
+	DefaultBusyBoxRunAsNonRoot = true
 
 	DefaultZkReplicas                                = int32(3)
 	DefaultZkStorage                                 = "5Gi"
@@ -103,6 +106,9 @@ type SolrCloudSpec struct {
 	// +optional
 	BusyBoxImage *ContainerImage `json:"busyBoxImage,omitempty"`
 
+	// +optional
+	BusyBoxSecurityContext *ContainerSecurityContext `json:"busyBoxSecurityContext,omitempty"`
+
 	// +optional
 	SolrJavaMem string `json:"solrJavaMem,omitempty"`
 
@@ -204,6 +210,12 @@ func (spec *SolrCloudSpec) withDefaults(logger logr.Logger) (changed bool) {
 	}
 	changed = spec.BusyBoxImage.withDefaults(DefaultBusyBoxImageRepo, DefaultBusyBoxImageVersion, DefaultPullPolicy) || changed
 
+	if spec.BusyBoxSecurityContext == nil {
+		c := ContainerSecurityContext{}
+		spec.BusyBoxSecurityContext = &c
+	}
+	changed = spec.BusyBoxSecurityContext.withDefaults(DefaultBusyBoxUserId, DefaultBusyBoxGroupId, DefaultBusyBoxRunAsNonRoot) || changed
+
 	return changed
 }
 

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml b/config/crd/bases/solr.apache.org_solrclouds.yaml
@@ -2015,6 +2015,35 @@ spec:
                   tag:
                     type: string
                 type: object
+              busyBoxSecurityContext:
+                description: ContainerSecurityContext defines RunAsNonRoot, RunAsGroup
+                  and RunAsUser options
+                properties:
+                  runAsGroup:
+                    description: The GID to run the entrypoint of the container process.
+                      Uses runtime default if unset. May also be set in PodSecurityContext.  If
+                      set in both SecurityContext and PodSecurityContext, the value
+                      specified in SecurityContext takes precedence.
+                    format: int64
+                    type: integer
+                  runAsNonRoot:
+                    description: Indicates that the container must run as a non-root
+                      user. If true, the Kubelet will validate the image at runtime
+                      to ensure that it does not run as UID 0 (root) and fail to start
+                      the container if it does. If unset or false, no such validation
+                      will be performed. May also be set in PodSecurityContext.  If
+                      set in both SecurityContext and PodSecurityContext, the value
+                      specified in SecurityContext takes precedence.
+                    type: boolean
+                  runAsUser:
+                    description: The UID to run the entrypoint of the container process.
+                      Defaults to user specified in image metadata if unspecified.
+                      May also be set in PodSecurityContext.  If set in both SecurityContext
+                      and PodSecurityContext, the value specified in SecurityContext
+                      takes precedence.
+                    format: int64
+                    type: integer
+                type: object
               customSolrKubeOptions:
                 description: Provide custom options for kubernetes objects created
                   for the Solr Cloud.

diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
@@ -757,6 +757,7 @@ func generateSolrSetupInitContainers(solrCloud *solr.SolrCloud, solrCloudStatus
 			Requests: volumePrepResources,
 			Limits:   volumePrepResources,
 		},
+		SecurityContext: solrCloud.Spec.BusyBoxSecurityContext.ToSC(),
 	}
 
 	containers = append(containers, volumePrepInitContainer)

diff --git a/helm/solr-operator/crds/crds.yaml b/helm/solr-operator/crds/crds.yaml
@@ -2264,6 +2264,35 @@ spec:
                   tag:
                     type: string
                 type: object
+              busyBoxSecurityContext:
+                description: ContainerSecurityContext defines RunAsNonRoot, RunAsGroup
+                  and RunAsUser options
+                properties:
+                  runAsGroup:
+                    description: The GID to run the entrypoint of the container process.
+                      Uses runtime default if unset. May also be set in PodSecurityContext.  If
+                      set in both SecurityContext and PodSecurityContext, the value
+                      specified in SecurityContext takes precedence.
+                    format: int64
+                    type: integer
+                  runAsNonRoot:
+                    description: Indicates that the container must run as a non-root
+                      user. If true, the Kubelet will validate the image at runtime
+                      to ensure that it does not run as UID 0 (root) and fail to start
+                      the container if it does. If unset or false, no such validation
+                      will be performed. May also be set in PodSecurityContext.  If
+                      set in both SecurityContext and PodSecurityContext, the value
+                      specified in SecurityContext takes precedence.
+                    type: boolean
+                  runAsUser:
+                    description: The UID to run the entrypoint of the container process.
+                      Defaults to user specified in image metadata if unspecified.
+                      May also be set in PodSecurityContext.  If set in both SecurityContext
+                      and PodSecurityContext, the value specified in SecurityContext
+                      takes precedence.
+                    format: int64
+                    type: integer
+                type: object
               customSolrKubeOptions:
                 description: Provide custom options for kubernetes objects created
                   for the Solr Cloud.

diff --git a/helm/solr/values.yaml b/helm/solr/values.yaml
@@ -48,7 +48,7 @@ image:
 
 busyBoxImage: {}
   # repository: "busybox"
-  # tag: "1.28.0-glibc"
+  # tag: "1.36.1-glibc"
   # pullPolicy: ""
   # imagePullSecret: ""