aaronsuns commented on issue #671:
URL: https://github.com/apache/solr-operator/issues/671#issuecomment-1875441585

   Here is the quick hack to add those container securityContext
   ```
   diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
   index 0c7f098..47fde76 100644
   --- a/controllers/util/solr_util.go
   +++ b/controllers/util/solr_util.go
   @@ -446,6 +446,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, 
solrCloudStatus *solr.SolrCl
                   initContainers = append(initContainers, 
customPodOptions.InitContainers...)
           }
    
   +       AllowPrivilegeEscalationValue := false
           containers := []corev1.Container{
                   {
                           Name:            SolrNodeContainer,
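Review bot: The new local `AllowPrivilegeEscalationValue` is capitalised like an exported identifier and is declared a second time, identically, in the generateSolrSetupInitContainers hunk. Go locals are lowerCamelCase, and the value exists only so its address can be taken, so a short name such as `allowPrivilegeEscalation := false` reads better. A single unexported helper returning the shared `*corev1.SecurityContext` would also keep the two containers' settings from drifting apart. GenerateStatefulSet's body starts and ends outside the hunk.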
   @@ -489,6 +490,14 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, 
solrCloudStatus *solr.SolrCl
                                   PostStart: postStart,
                                   PreStop:   preStop,
                           },
   +
   +                       // Add the SecurityContext with hardcoded options
   +                       SecurityContext: &corev1.SecurityContext{
   +                               AllowPrivilegeEscalation: 
&AllowPrivilegeEscalationValue,
   +                               Capabilities: &corev1.Capabilities{
   +                                       Drop: []corev1.Capability{"ALL"},
   +                               },
   +                       },
                   },
           }
    
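Review bot: The SecurityContext added to the Solr container sets only `AllowPrivilegeEscalation` and `Capabilities.Drop`, which are two of the controls in the restricted Pod Security Standard; that profile also expects `runAsNonRoot: true` and a seccomp profile of `RuntimeDefault` or `Localhost`. Unless those are set at pod level outside this hunk, a namespace enforcing the restricted profile would still reject the pod. Consider adding `RunAsNonRoot: &runAsNonRoot,` and `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},` here and in the cp-solr-xml hunk, after confirming the images run as a non-root UID. The comment `// Add the SecurityContext with hardcoded options` would be more useful if it named the reason, e.g. `// Hard-coded to satisfy the Pod Security Standards; not derived from the SolrCloud spec.`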
   @@ -747,6 +756,8 @@ func generateSolrSetupInitContainers(solrCloud 
*solr.SolrCloud, solrCloudStatus
                   corev1.ResourceCPU:    
*DefaultSolrVolumePrepInitContainerCPU,
                   corev1.ResourceMemory: 
*DefaultSolrVolumePrepInitContainerMemory,
           }
   +
   +       AllowPrivilegeEscalationValue := false
           volumePrepInitContainer := corev1.Container{
                   Name:            "cp-solr-xml",
                   Image:           solrCloud.Spec.BusyBoxImage.ToImageName(),
   @@ -757,6 +768,13 @@ func generateSolrSetupInitContainers(solrCloud 
*solr.SolrCloud, solrCloudStatus
                           Requests: volumePrepResources,
                           Limits:   volumePrepResources,
                   },
   +               // Add the SecurityContext with hardcoded options
   +               SecurityContext: &corev1.SecurityContext{
   +                       AllowPrivilegeEscalation: 
&AllowPrivilegeEscalationValue,
   +                       Capabilities: &corev1.Capabilities{
   +                               Drop: []corev1.Capability{"ALL"},
   +                       },
   +               },
           }
    
           containers = append(containers, volumePrepInitContainer)
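Review bot: Dropping `ALL` capabilities on the `cp-solr-xml` init container also removes CAP_DAC_OVERRIDE and CAP_CHOWN, so if this container runs as root and writes into a volume owned by another UID, the copy can start failing with permission errors. The container's command and user are outside the hunk, so this should be checked against a volume with restrictive ownership before the change is relied on. Separately, the init containers appended from `customPodOptions.InitContainers` in the first hunk's context do not receive this SecurityContext, so a pod carrying user-supplied containers may still fail admission under an enforced profile.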
   
   ```
   
   According to the Pod Security Standards (PSS), these settings are needed:
   https://sdk.operatorframework.io/docs/best-practices/pod-security-standards/

