janhoy commented on issue #671:
URL: https://github.com/apache/solr-operator/issues/671#issuecomment-2034596523

My client uses [Kyverno](https://kyverno.io/policies/?policytypes=Pod%2520Security%2520Standards%2520%28Baseline%29) to warn or enforce various best practices. They recently added rules to warn about deployments that will not run in K8S PSA "restricted" mode: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted. I managed to apply these for solr containers and custom init containers, but not for the operator-managed init containers.

Since Solr runs well with these restrictions, I support making them standard.

On the POD level:
```yaml
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
```

On the container level:
```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
```

While OpenShift will require even more changes, the PSA "restricted" mode is a generic k8s thing that I support aiming for as default.
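The gap the comment describes (solr and custom init containers pass, operator-managed init containers do not) is easy to miss by eye because the restricted profile checks every container in the pod, including `initContainers`. The following checker is an added example, not code from the solr-operator project or from the commenter: it walks a plain Pod spec dict (as produced by `yaml.safe_load` or read back from the API; the comment's `podSecurityContext` lands as `spec.securityContext` on the generated Pod) and reports which containers fail the restricted-profile checks named above (seccompProfile, allowPrivilegeEscalation, capabilities) plus the profile's runAsNonRoot requirement. The two sample specs and the container names in them are constructed for the example.

```python
"""Report Pod Security Standards 'restricted' violations per container.

Added example (not solr-operator code). Operates on plain dicts so it runs
offline; the sample specs at the bottom are constructed for illustration.
Checks implemented: seccompProfile type, allowPrivilegeEscalation,
capabilities drop/add, runAsNonRoot (all required by the restricted profile).
"""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}   # restricted profile
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}             # only cap that may be added


def _all_containers(pod_spec):
    """Yield (kind, container) for init, regular and ephemeral containers.
    Init containers are included on purpose: that is where operator-managed
    containers slip through when only the solr container is configured."""
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(kind) or []:
            yield kind, container


def restricted_violations(pod_spec):
    """Return a list of human-readable violations; an empty list means the
    spec passes the checks implemented here."""
    problems = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    pod_non_root = pod_sc.get("runAsNonRoot")

    for kind, container in _all_containers(pod_spec):
        name = f"{kind}/{container.get('name', '?')}"
        sc = container.get("securityContext") or {}

        # seccomp: container-level value overrides pod-level; one must be set.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault "
                            f"or Localhost (got {seccomp})")

        # allowPrivilegeEscalation must be explicitly false on each container.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")

        # capabilities: drop ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            problems.append(f"{name}: capabilities.add has disallowed {sorted(extra)}")

        # runAsNonRoot: container value, falling back to the pod value, must be true.
        non_root = sc.get("runAsNonRoot")
        if non_root is None:
            non_root = pod_non_root
        if non_root is not True:
            problems.append(f"{name}: runAsNonRoot must be true")

    return problems


# Constructed sample: pod-level seccomp/runAsNonRoot plus a hardened solr
# container and a hardened init container. Container names are made up.
_HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
POD_SPEC_OK = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                        "runAsNonRoot": True},
    "initContainers": [{"name": "example-init", "securityContext": dict(_HARDENED)}],
    "containers": [{"name": "solrcloud-node", "securityContext": dict(_HARDENED)}],
}

# Same pod, but the init container carries no securityContext at all, which
# mirrors the situation the comment reports for operator-managed init containers.
POD_SPEC_INIT_UNSET = {
    "securityContext": POD_SPEC_OK["securityContext"],
    "initContainers": [{"name": "example-init"}],
    "containers": POD_SPEC_OK["containers"],
}

if __name__ == "__main__":
    for label, spec in (("ok", POD_SPEC_OK), ("init-unset", POD_SPEC_INIT_UNSET)):
        print(label, restricted_violations(spec) or "compliant")
```

Running it on the second spec reports only the init container: the pod-level seccompProfile and runAsNonRoot are inherited, but allowPrivilegeEscalation and the capability drop are per-container fields and cannot be set at pod level, so an init container without its own securityContext fails regardless of how the solr container is configured.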


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org