This is an automated email from the ASF dual-hosted git repository.
gerlowskija pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 9f3109e Allow users to configure Solr container's SecurityContext
(#743)
9f3109e is described below
commit 9f3109e9ffcefcf70fc27dddbe2d973581b41dcb
Author: Jason Gerlowski <[email protected]>
AuthorDate: Fri Jan 10 14:08:16 2025 -0500
Allow users to configure Solr container's SecurityContext (#743)
---
api/v1beta1/common_types.go | 4 +
api/v1beta1/zz_generated.deepcopy.go | 5 +
config/crd/bases/solr.apache.org_solrclouds.yaml | 168 +++++++++++
.../solr.apache.org_solrprometheusexporters.yaml | 168 +++++++++++
controllers/solrcloud_controller_test.go | 18 +-
controllers/util/common.go | 6 +
controllers/util/prometheus_exporter_util.go | 6 +
controllers/util/solr_util.go | 6 +
helm/solr-operator/Chart.yaml | 7 +
helm/solr-operator/crds/crds.yaml | 336 +++++++++++++++++++++
helm/solr/README.md | 1 +
helm/solr/templates/_custom_option_helpers.tpl | 4 +
helm/solr/values.yaml | 1 +
13 files changed, 729 insertions(+), 1 deletion(-)
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 6f921a4..2200224 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -73,6 +73,10 @@ type PodOptions struct {
// +optional
PodSecurityContext *corev1.PodSecurityContext
`json:"podSecurityContext,omitempty"`
+ // ContainerSecurityContext the container-level security context used
by the pod's primary container
+ // +optional
+ ContainerSecurityContext *corev1.SecurityContext
`json:"containerSecurityContext,omitempty"`
+
// Additional environment variables to pass to the default container.
// +optional
EnvVariables []corev1.EnvVar `json:"envVars,omitempty"`
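Review bot: The doc comment on the new field is a sentence fragment — `// ContainerSecurityContext the container-level security context used by the pod's primary container` — and the same text reappears in every generated CRD description added by this commit, so users see it in `kubectl explain` too. It also omits the two things a user needs to know from the code that consumes it: only the primary Solr or exporter container receives it (init containers and sidecars are untouched), and it is passed through without validation, so `privileged`, `capabilities.add` and `procMount` are honoured exactly as written and only cluster admission policy stands between a CRD author and a privileged Solr pod. Suggested: `// ContainerSecurityContext is the container-level SecurityContext applied, unmodified, to the pod's primary container only; init containers and sidecars are unaffected, and fields set here take precedence over PodSecurityContext per the Kubernetes rules for corev1.SecurityContext.` The PodOptions struct starts and ends outside the hunk.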
diff --git a/api/v1beta1/zz_generated.deepcopy.go
b/api/v1beta1/zz_generated.deepcopy.go
index 87e030f..d48f048 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -439,6 +439,11 @@ func (in *PodOptions) DeepCopyInto(out *PodOptions) {
*out = new(v1.PodSecurityContext)
(*in).DeepCopyInto(*out)
}
+ if in.ContainerSecurityContext != nil {
+ in, out := &in.ContainerSecurityContext,
&out.ContainerSecurityContext
+ *out = new(v1.SecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
if in.EnvVariables != nil {
in, out := &in.EnvVariables, &out.EnvVariables
*out = make([]v1.EnvVar, len(*in))
diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml
b/config/crd/bases/solr.apache.org_solrclouds.yaml
index 17feeab..38abb60 100644
--- a/config/crd/bases/solr.apache.org_solrclouds.yaml
+++ b/config/crd/bases/solr.apache.org_solrclouds.yaml
@@ -2816,6 +2816,174 @@ spec:
type: string
description: Annotations to be added for pods.
type: object
+ containerSecurityContext:
+ description: ContainerSecurityContext the
container-level
+ security context used by the pod's primary container
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a
process can gain more
+ privileges than its parent process. This bool
directly controls if
+ the no_new_privs flag will be set on the
container process.
+ AllowPrivilegeEscalation is true always when the
container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running
containers.
+ Defaults to the default set of capabilities
granted by the container runtime.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are
essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use
for the containers.
+ The default is DefaultProcMount which uses the
container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to
be enabled.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root
filesystem.
+ Default is false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container
process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a
non-root user.
+ If true, the Kubelet will validate the image at
runtime to ensure that it
+ does not run as UID 0 (root) and fail to start
the container if it does.
+ If unset or false, no such validation will be
performed.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container
process.
+ Defaults to user specified in image metadata if
unspecified.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the
container.
+ If unspecified, the container runtime will
allocate a random SELinux context for each
+ container. May also be set in
PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label that
applies
+ to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label that
applies
+ to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label that
applies
+ to the container.
+ type: string
+ user:
+ description: User is a SELinux user label that
applies
+ to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If
seccomp options are
+ provided at both the pod & container level, the
container options
+ override the pod options.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined
in a file on the node should be used.
+ The profile must be preconfigured on the
node to work.
+ Must be a descending path, relative to the
kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT
be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile
will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on
the node should be used.
+ RuntimeDefault - the container runtime
default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all
containers.
+ If unspecified, the options from the
PodSecurityContext will be used.
+ If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA
admission webhook
+
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the
GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
name of
+ the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should
be run as a 'Host Process' container.
+ All of a Pod's containers must have the same
effective HostProcess value
+ (it is not allowed to have a mix of
HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then
HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the
entrypoint of the container process.
+ Defaults to the user specified in image
metadata if unspecified.
+ May also be set in PodSecurityContext. If
set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
defaultInitContainerResources:
description: DefaultInitContainerResources are the
resource
requirements for the default init container(s)
created by
diff --git a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
index 808140d..cb658a1 100644
--- a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
+++ b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
@@ -907,6 +907,174 @@ spec:
type: string
description: Annotations to be added for pods.
type: object
+ containerSecurityContext:
+ description: ContainerSecurityContext the
container-level
+ security context used by the pod's primary container
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a
process can gain more
+ privileges than its parent process. This bool
directly controls if
+ the no_new_privs flag will be set on the
container process.
+ AllowPrivilegeEscalation is true always when the
container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running
containers.
+ Defaults to the default set of capabilities
granted by the container runtime.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are
essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use
for the containers.
+ The default is DefaultProcMount which uses the
container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to
be enabled.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root
filesystem.
+ Default is false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container
process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a
non-root user.
+ If true, the Kubelet will validate the image at
runtime to ensure that it
+ does not run as UID 0 (root) and fail to start
the container if it does.
+ If unset or false, no such validation will be
performed.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container
process.
+ Defaults to user specified in image metadata if
unspecified.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the
container.
+ If unspecified, the container runtime will
allocate a random SELinux context for each
+ container. May also be set in
PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label that
applies
+ to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label that
applies
+ to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label that
applies
+ to the container.
+ type: string
+ user:
+ description: User is a SELinux user label that
applies
+ to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If
seccomp options are
+ provided at both the pod & container level, the
container options
+ override the pod options.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined
in a file on the node should be used.
+ The profile must be preconfigured on the
node to work.
+ Must be a descending path, relative to the
kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT
be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile
will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on
the node should be used.
+ RuntimeDefault - the container runtime
default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all
containers.
+ If unspecified, the options from the
PodSecurityContext will be used.
+ If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA
admission webhook
+
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the
GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
name of
+ the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should
be run as a 'Host Process' container.
+ All of a Pod's containers must have the same
effective HostProcess value
+ (it is not allowed to have a mix of
HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then
HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the
entrypoint of the container process.
+ Defaults to the user specified in image
metadata if unspecified.
+ May also be set in PodSecurityContext. If
set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
defaultInitContainerResources:
description: DefaultInitContainerResources are the
resource
requirements for the default init container(s)
created by
diff --git a/controllers/solrcloud_controller_test.go
b/controllers/solrcloud_controller_test.go
index c1dbc11..1bd01ff 100644
--- a/controllers/solrcloud_controller_test.go
+++ b/controllers/solrcloud_controller_test.go
@@ -30,6 +30,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
+ pointer "k8s.io/utils/pointer"
"strconv"
"strings"
)
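Review bot: `k8s.io/utils/pointer` is deprecated upstream in favour of `k8s.io/utils/ptr` (`ptr.To`), and it is imported here for a single `pointer.Int64(123)` call while the same fixture builds its bool pointers with the file's existing `newBoolPtr` helper. If the vendored k8s.io/utils is recent enough, `ptr.To(int64(123))` avoids pulling in the deprecated package; otherwise a sibling `newInt64Ptr` next to `newBoolPtr` keeps pointer construction consistent within the file. The import block starts before the hunk.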
@@ -141,6 +142,7 @@ var _ = FDescribe("SolrCloud controller - General", func() {
Expect(statefulSet.Spec.Template.Spec.Affinity).To(Equal(testAffinity),
"Affinity is not the same as the one provided in podOptions")
Expect(statefulSet.Spec.Template.Spec.Containers[0].Resources.Limits).To(Equal(testResources.Limits),
"Resources.Limits is not the same as the one provided in podOptions")
Expect(statefulSet.Spec.Template.Spec.Containers[0].Resources.Requests).To(Equal(testResources.Requests),
"Resources.Requests is not the same as the one provided in podOptions")
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext).To(BeNil(),
"SecurityContext is not the expected default value, 'nil'")
extraVolumes[0].DefaultContainerMount.Name =
extraVolumes[0].Name
Expect(statefulSet.Spec.Template.Spec.Containers[0].VolumeMounts).To(HaveLen(len(extraVolumes)+1),
"Container has wrong number of volumeMounts")
Expect(statefulSet.Spec.Template.Spec.Containers[0].VolumeMounts[1]).To(Equal(*extraVolumes[0].DefaultContainerMount),
"Additional Volume from podOptions not mounted into container properly.")
@@ -216,7 +218,15 @@ var _ = FDescribe("SolrCloud controller - General", func()
{
TopologySpreadConstraints:
testTopologySpreadConstraints,
DefaultInitContainerResources:
testResources2,
InitContainers:
extraContainers1,
- ShareProcessNamespace:
testShareProcessNamespace,
+ ContainerSecurityContext:
&corev1.SecurityContext{
+ RunAsNonRoot:
newBoolPtr(true),
+ ReadOnlyRootFilesystem:
newBoolPtr(true),
+ RunAsUser:
pointer.Int64(123),
+ Capabilities:
&corev1.Capabilities{
+ Add:
[]corev1.Capability{"someCapability"},
+ },
+ },
+ ShareProcessNamespace:
testShareProcessNamespace,
},
StatefulSetOptions:
&solrv1beta1.StatefulSetOptions{
Annotations:
testSSAnnotations,
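Review bot: The fixture exercises an additive setting (`Capabilities.Add`) plus `RunAsNonRoot`, `ReadOnlyRootFilesystem` and `RunAsUser`, but none of the restrictive fields a hardening profile relies on — `AllowPrivilegeEscalation: false`, `Capabilities.Drop`, `SeccompProfile` — so a regression that dropped or defaulted those on the way through `GenerateStatefulSet` or `CopyPodContainers` would still pass. Adding `AllowPrivilegeEscalation: newBoolPtr(false),` and `Drop: []corev1.Capability{"ALL"},` to the fixture (with matching assertions) covers the path users of PSS `restricted` will actually take. The enclosing SolrCloud spec literal starts and ends outside the hunk.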
@@ -278,6 +288,12 @@ var _ = FDescribe("SolrCloud controller - General", func()
{
Expect(statefulSet.Spec.Template.Spec.Containers[0].StartupProbe,
testProbeStartup, "Incorrect Startup Probe")
Expect(statefulSet.Spec.Template.Spec.Containers[0].Lifecycle).To(Equal(testLifecycle),
"Incorrect container lifecycle")
Expect(statefulSet.Spec.Template.Spec.Containers[0].Resources).To(Equal(testResources),
"Incorrect container resources")
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext).To(Not(BeNil()))
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(PointTo(BeTrue()))
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem).To(PointTo(BeTrue()))
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser).To(PointTo(Equal(int64(123))))
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Add).To(HaveLen(1))
+
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Add[0]).To(Equal(corev1.Capability("someCapability")))
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].Resources).To(Equal(testResources2),
"Incorrect initContainer[0] resources")
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].Resources).To(Equal(testResources2),
"Incorrect initContainer[1] resources")
Expect(statefulSet.Spec.Template.Spec.InitContainers[2].Resources).ToNot(Equal(testResources2),
"Incorrect initContainer[2] resources, should not use the default override")
diff --git a/controllers/util/common.go b/controllers/util/common.go
index 3eca00b..64bf654 100644
--- a/controllers/util/common.go
+++ b/controllers/util/common.go
@@ -618,6 +618,12 @@ func CopyPodContainers(fromPtr, toPtr *[]corev1.Container,
basePath string, logg
logger.Info("Update required because field
changed", "field", containerBasePath+"TerminationMessagePolicy", "from",
to[i].TerminationMessagePolicy, "to", from[i].TerminationMessagePolicy)
to[i].TerminationMessagePolicy =
from[i].TerminationMessagePolicy
}
+
+ if !DeepEqualWithNils(to[i].SecurityContext,
from[i].SecurityContext) {
+ requireUpdate = true
+ logger.Info("Update required because field
changed", "field", containerBasePath+"SecurityContext", "from",
to[i].SecurityContext, "to", from[i].SecurityContext)
+ to[i].SecurityContext = from[i].SecurityContext
+ }
}
}
return requireUpdate
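Review bot: The new block overwrites `to[i].SecurityContext` with the desired value unconditionally, including when that value is nil, which matches the neighbouring fields but has a sharper consequence here: any container SecurityContext that a mutating admission webhook or policy engine injects into the StatefulSet template (inferred — it depends on what is installed in the cluster) is stripped on every reconcile and re-added by the webhook, a reconcile loop that also emits the Info line with both full structs each pass. If that is intended, a comment saying so would save the next debugger time: `// A nil desired SecurityContext removes any existing one, so mutating admission that injects a context into the template will be reverted each reconcile.` `CopyPodContainers` starts and ends outside the hunk.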
diff --git a/controllers/util/prometheus_exporter_util.go
b/controllers/util/prometheus_exporter_util.go
index 1792e88..f8ef4a7 100644
--- a/controllers/util/prometheus_exporter_util.go
+++ b/controllers/util/prometheus_exporter_util.go
@@ -213,6 +213,11 @@ func
GenerateSolrPrometheusExporterDeployment(solrPrometheusExporter *solr.SolrP
},
}
+ var containerSecurityContext *corev1.SecurityContext
+ if customPodOptions != nil {
+ containerSecurityContext =
customPodOptions.ContainerSecurityContext
+ }
+
containers := []corev1.Container{
{
Name: SolrPrometheusExporterContainer,
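Review bot: The nil-guarded extraction of `customPodOptions.ContainerSecurityContext` added here is duplicated verbatim in solr_util.go in this same commit; a small shared helper in util, along the lines of `func containerSecurityContext(opts *solr.PodOptions) *corev1.SecurityContext`, would keep the two code paths from drifting when the next per-container field is added. The pre-declared `var containerSecurityContext` followed by the nil check is fine Go, but the helper would also remove the need for it at both call sites. `GenerateSolrPrometheusExporterDeployment` starts and ends outside the hunk.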
@@ -245,6 +250,7 @@ func
GenerateSolrPrometheusExporterDeployment(solrPrometheusExporter *solr.SolrP
SuccessThreshold: 1,
FailureThreshold: 3,
},
+ SecurityContext: containerSecurityContext,
},
}
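Review bot: The changelog entry added to helm/solr-operator/Chart.yaml in this commit describes the feature as `SolrCloud now accepts container-level securityContext settings for Solr container`, but this hunk wires the same `containerSecurityContext` into the SolrPrometheusExporter deployment's primary container, and the exporter CRD gained the field as well. The entry should name both kinds, e.g. `description: "SolrCloud and SolrPrometheusExporter now accept a container-level securityContext for their primary container."`, so exporter users discover the option. `GenerateSolrPrometheusExporterDeployment` starts and ends outside the hunk.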
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 64b9ba1..db4c408 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -455,6 +455,11 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud,
solrCloudStatus *solr.SolrCl
initContainers = append(initContainers,
customPodOptions.InitContainers...)
}
+ var containerSecurityContext *corev1.SecurityContext
+ if customPodOptions != nil {
+ containerSecurityContext =
customPodOptions.ContainerSecurityContext
+ }
+
containers := []corev1.Container{
{
Name: SolrNodeContainer,
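Review bot: A comment at the new assignment should make its scope explicit, because the name `ContainerSecurityContext` invites the assumption that it hardens the pod: the value reaches only the Solr container built here, while the operator's init containers (including user-supplied `podOptions.initContainers`, visible in the test fixture) and any sidecars keep their own settings. Suggested: `// Applies to the Solr container only; init containers and sidecars are unaffected — pod-wide hardening belongs in podOptions.podSecurityContext.` A user who sets `runAsUser` here while leaving `fsGroup` at the pod level may also end up with data-volume ownership that differs from the running UID (inferred — depends on the volume type), which is worth a line in the field docs. `GenerateStatefulSet` starts and ends outside the hunk.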
@@ -498,6 +503,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud,
solrCloudStatus *solr.SolrCl
PostStart: postStart,
PreStop: preStop,
},
+ SecurityContext: containerSecurityContext,
},
}
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 060ae16..2509c43 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -127,6 +127,13 @@ annotations:
url: https://github.com/apache/solr-operator/issues/718
- name: Github PR
url: https://github.com/apache/solr-operator/pull/734
+ - kind: added
+ description: "SolrCloud now accepts container-level securityContext
settings for Solr container."
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/489
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/743
artifacthub.io/images: |
- name: solr-operator
image: apache/solr-operator:v0.9.0-prerelease
diff --git a/helm/solr-operator/crds/crds.yaml
b/helm/solr-operator/crds/crds.yaml
index 0f807e3..c8b3cd0 100644
--- a/helm/solr-operator/crds/crds.yaml
+++ b/helm/solr-operator/crds/crds.yaml
@@ -3077,6 +3077,174 @@ spec:
type: string
description: Annotations to be added for pods.
type: object
+ containerSecurityContext:
+ description: ContainerSecurityContext the
container-level
+ security context used by the pod's primary container
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a
process can gain more
+ privileges than its parent process. This bool
directly controls if
+ the no_new_privs flag will be set on the
container process.
+ AllowPrivilegeEscalation is true always when the
container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running
containers.
+ Defaults to the default set of capabilities
granted by the container runtime.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are
essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use
for the containers.
+ The default is DefaultProcMount which uses the
container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to
be enabled.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root
filesystem.
+ Default is false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container
process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a
non-root user.
+ If true, the Kubelet will validate the image at
runtime to ensure that it
+ does not run as UID 0 (root) and fail to start
the container if it does.
+ If unset or false, no such validation will be
performed.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container
process.
+ Defaults to user specified in image metadata if
unspecified.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the
container.
+ If unspecified, the container runtime will
allocate a random SELinux context for each
+ container. May also be set in
PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label that
applies
+ to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label that
applies
+ to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label that
applies
+ to the container.
+ type: string
+ user:
+ description: User is a SELinux user label that
applies
+ to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If
seccomp options are
+ provided at both the pod & container level, the
container options
+ override the pod options.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined
in a file on the node should be used.
+ The profile must be preconfigured on the
node to work.
+ Must be a descending path, relative to the
kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT
be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile
will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on
the node should be used.
+ RuntimeDefault - the container runtime
default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all
containers.
+ If unspecified, the options from the
PodSecurityContext will be used.
+ If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA
admission webhook
+
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the
GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
name of
+ the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should
be run as a 'Host Process' container.
+ All of a Pod's containers must have the same
effective HostProcess value
+ (it is not allowed to have a mix of
HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then
HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the
entrypoint of the container process.
+ Defaults to the user specified in image
metadata if unspecified.
+ May also be set in PodSecurityContext. If
set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
defaultInitContainerResources:
description: DefaultInitContainerResources are the
resource
requirements for the default init container(s)
created by
@@ -17194,6 +17362,174 @@ spec:
type: string
description: Annotations to be added for pods.
type: object
+ containerSecurityContext:
+ description: ContainerSecurityContext the
container-level
+ security context used by the pod's primary container
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a
process can gain more
+ privileges than its parent process. This bool
directly controls if
+ the no_new_privs flag will be set on the
container process.
+ AllowPrivilegeEscalation is true always when the
container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running
containers.
+ Defaults to the default set of capabilities
granted by the container runtime.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
capabilities
+ type
+ type: string
+ type: array
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are
essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use
for the containers.
+ The default is DefaultProcMount which uses the
container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to
be enabled.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root
filesystem.
+ Default is false.
+ Note that this field cannot be set when
spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container
process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a
non-root user.
+ If true, the Kubelet will validate the image at
runtime to ensure that it
+ does not run as UID 0 (root) and fail to start
the container if it does.
+ If unset or false, no such validation will be
performed.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container
process.
+ Defaults to user specified in image metadata if
unspecified.
+ May also be set in PodSecurityContext. If set
in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the
container.
+ If unspecified, the container runtime will
allocate a random SELinux context for each
+ container. May also be set in
PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label that
applies
+ to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label that
applies
+ to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label that
applies
+ to the container.
+ type: string
+ user:
+ description: User is a SELinux user label that
applies
+ to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If
seccomp options are
+ provided at both the pod & container level, the
container options
+ override the pod options.
+ Note that this field cannot be set when
spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined
in a file on the node should be used.
+ The profile must be preconfigured on the
node to work.
+ Must be a descending path, relative to the
kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT
be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile
will be applied.
+ Valid options are:
+
+
+ Localhost - a profile defined in a file on
the node should be used.
+ RuntimeDefault - the container runtime
default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all
containers.
+ If unspecified, the options from the
PodSecurityContext will be used.
+ If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when
spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA
admission webhook
+
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the
GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
name of
+ the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should
be run as a 'Host Process' container.
+ All of a Pod's containers must have the same
effective HostProcess value
+ (it is not allowed to have a mix of
HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then
HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the
entrypoint of the container process.
+ Defaults to the user specified in image
metadata if unspecified.
+ May also be set in PodSecurityContext. If
set in both SecurityContext and
+ PodSecurityContext, the value specified in
SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
defaultInitContainerResources:
description: DefaultInitContainerResources are the
resource
requirements for the default init container(s)
created by
diff --git a/helm/solr/README.md b/helm/solr/README.md
index bbd0075..7541843 100644
--- a/helm/solr/README.md
+++ b/helm/solr/README.md
@@ -291,6 +291,7 @@ When using the helm chart, omit `customSolrKubeOptions.`
| podOptions.initContainers | []object | | An optional list of additional
initContainers to run before the Solr container starts |
| podOptions.envVars | []object | | List of additional environment variables
for the Solr container |
| podOptions.podSecurityContext | object | | Security context for the Solr
pod |
+| podOptions.containerSecurityContext | object | | Security context for the
Solr container in each pod |
| podOptions.terminationGracePeriodSeconds | int | | Optional amount of time
to wait for Solr to stop on its own, before manually killing it |
| podOptions.livenessProbe | object | | Custom liveness probe for the Solr
container |
| podOptions.readinessProbe | object | | Custom readiness probe for the Solr
container |
diff --git a/helm/solr/templates/_custom_option_helpers.tpl
b/helm/solr/templates/_custom_option_helpers.tpl
index f0b4aba..34f7298 100644
--- a/helm/solr/templates/_custom_option_helpers.tpl
+++ b/helm/solr/templates/_custom_option_helpers.tpl
@@ -62,6 +62,10 @@ nodeSelector:
podSecurityContext:
{{- toYaml .Values.podOptions.podSecurityContext | nindent 2 }}
{{ end }}
+{{- if .Values.podOptions.containerSecurityContext -}}
+containerSecurityContext:
+ {{- toYaml .Values.podOptions.containerSecurityContext | nindent 2 }}
+{{ end }}
{{- if (or .Values.podOptions.imagePullSecrets
.Values.global.imagePullSecrets) -}}
imagePullSecrets:
{{- toYaml (append .Values.podOptions.imagePullSecrets
.Values.global.imagePullSecrets) | nindent 2 }}
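Review bot: The new containerSecurityContext block is a verbatim mirror of the podSecurityContext block directly above it, and neither the template nor the chart default (`containerSecurityContext: {}` in values.yaml) tells a chart user how the two relate when both are set. The CRD text added in this same commit states that for the overlapping fields (runAsUser, runAsGroup, runAsNonRoot, seLinuxOptions, seccompProfile, windowsOptions) the container-level value takes precedence over the pod-level one, which is the kind of detail an operator hardening a deployment needs to see where the two blocks sit side by side. A one-line template comment above the new `if` would carry it, e.g. `{{/* For fields present in both podSecurityContext and containerSecurityContext, the container-level value applies to the Solr container. */}}`. The enclosing helper definition starts before this hunk, so the surrounding context of the two blocks is not visible here.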
diff --git a/helm/solr/values.yaml b/helm/solr/values.yaml
index 15171f1..e6addba 100644
--- a/helm/solr/values.yaml
+++ b/helm/solr/values.yaml
@@ -295,6 +295,7 @@ podOptions:
priorityClassName: ""
envVars: []
podSecurityContext: {}
+ containerSecurityContext: {}
terminationGracePeriodSeconds: null
# Set Solr service account individually instead of the global
"serviceAccount.name"