
Comments (6)

aaronsuns commented on June 16, 2024

Update:
Creating a service account and an SCC lets it run on OpenShift without the above change in solr-operator.

# Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: solr-service-account

---

# SCC
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: solr-scc
priority: 10
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAs
  uid: 8983
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
  ranges:
  - min: 8983
    max: 8983

---

# RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: solr-scc-binding
subjects:
- kind: ServiceAccount
  name: solr-service-account
roleRef:
  kind: Role
  name: solr-scc-role
  apiGroup: rbac.authorization.k8s.io

---

# Role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: solr-scc-role
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  # Scope "use" to this SCC only; without resourceNames the role grants use of every SCC in the cluster
  resourceNames: ["solr-scc"]
  verbs: ["use"]

from solr-operator.

janhoy commented on June 16, 2024

My client uses Kyverno to warn or enforce various best practices. They recently added rules to warn about deployments that will not run in K8S PSA "restricted" mode: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted. I managed to apply these for solr containers and custom init containers, but not for the operator-managed init containers.

Since Solr runs well with these restrictions, I support making them standard.

On the POD level:

podSecurityContext:
  seccompProfile:
    type: RuntimeDefault

On the container level:

securityContext: 
  allowPrivilegeEscalation: false  
  capabilities:
    drop:
    - ALL

While OpenShift will require even more changes, the PSA "restricted" mode is a generic k8s thing that I support aiming for as default.


aaronsuns commented on June 16, 2024

It looks like it is related to this issue: #489


aaronsuns commented on June 16, 2024

Here is the quick hack to add those container securityContext settings:

diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 0c7f098..47fde76 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -446,6 +446,7 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl
                initContainers = append(initContainers, customPodOptions.InitContainers...)
        }
 
+       AllowPrivilegeEscalationValue := false
        containers := []corev1.Container{
                {
                        Name:            SolrNodeContainer,
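Review bot: `AllowPrivilegeEscalationValue` is a function-local variable, so Go convention is lowerCamelCase (`allowPrivilegeEscalation := false`); the identical line is added again in the `generateSolrSetupInitContainers` hunk of this same patch, so a single package-level `var` or a small helper returning the complete `*corev1.SecurityContext` would avoid the duplication.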
@@ -489,6 +490,14 @@ func GenerateStatefulSet(solrCloud *solr.SolrCloud, solrCloudStatus *solr.SolrCl
                                PostStart: postStart,
                                PreStop:   preStop,
                        },
+
+                       // Add the SecurityContext with hardcoded options
+                       SecurityContext: &corev1.SecurityContext{
+                               AllowPrivilegeEscalation: &AllowPrivilegeEscalationValue,
+                               Capabilities: &corev1.Capabilities{
+                                       Drop: []corev1.Capability{"ALL"},
+                               },
+                       },
                },
        }
 
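Review bot: the SecurityContext is assigned unconditionally, so if `customPodOptions` (consulted for `InitContainers` a few lines above) carries a user-supplied container security context it would be silently ignored rather than merged; consider using these values as the default and letting the user's options override. Note also that this block covers only two of the PSA "restricted" container requirements: `runAsNonRoot: true` and a `seccompProfile` (RuntimeDefault at pod level, as suggested earlier in the thread) are still missing, so the Kyverno warnings will not fully clear.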
@@ -747,6 +756,8 @@ func generateSolrSetupInitContainers(solrCloud *solr.SolrCloud, solrCloudStatus
                corev1.ResourceCPU:    *DefaultSolrVolumePrepInitContainerCPU,
                corev1.ResourceMemory: *DefaultSolrVolumePrepInitContainerMemory,
        }
+
+       AllowPrivilegeEscalationValue := false
        volumePrepInitContainer := corev1.Container{
                Name:            "cp-solr-xml",
                Image:           solrCloud.Spec.BusyBoxImage.ToImageName(),
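Review bot: this is the second copy of `AllowPrivilegeEscalationValue := false` in the patch; a shared package-level `var allowPrivilegeEscalation = false` (or a helper that builds the whole `*corev1.SecurityContext`) used by both functions keeps the Solr container and init container contexts from drifting apart as further fields are added.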
@@ -757,6 +768,13 @@ func generateSolrSetupInitContainers(solrCloud *solr.SolrCloud, solrCloudStatus
                        Requests: volumePrepResources,
                        Limits:   volumePrepResources,
                },
+               // Add the SecurityContext with hardcoded options
+               SecurityContext: &corev1.SecurityContext{
+                       AllowPrivilegeEscalation: &AllowPrivilegeEscalationValue,
+                       Capabilities: &corev1.Capabilities{
+                               Drop: []corev1.Capability{"ALL"},
+                       },
+               },
        }
 
        containers = append(containers, volumePrepInitContainer)
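Review bot: only the `cp-solr-xml` volume-prep container receives the context here; an earlier comment in the thread reports that the operator-managed init containers are what the PSA warnings still flag, so any other init container this function builds needs the same block, which is a further argument for a shared helper. The comment `// Add the SecurityContext with hardcoded options` also says what rather than why; naming the PSA "restricted" profile as the reason would help the next reader.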

According to PSS, it's needed:
https://sdk.operatorframework.io/docs/best-practices/pod-security-standards/

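The pod-level and container-level settings proposed in the thread, and the two fields the patch above hardcodes, are a subset of the PSA "restricted" profile. The following checker, an added example rather than solr-operator or Kyverno code, evaluates a pod spec (as a plain dict) against the container-level restricted rules and shows how a hardened Solr container still fails when an operator-managed init container is left without a securityContext; the container names and specs are constructed for illustration.

```python
# PSA "restricted" checks over a pod spec given as a plain dict. Added example
# for this thread, not solr-operator code; the sample specs are constructed.
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(pod_spec):
    # The restricted profile evaluates regular, init and ephemeral containers alike.
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from pod_spec.get(key, [])


def check_restricted(pod_spec):
    """Return (container_name, violation) tuples for the container-level rules
    of PSA 'restricted'; an empty list means the spec passes them."""
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_non_root = pod_sc.get("runAsNonRoot")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in _containers(pod_spec):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext") or {}
        # Must be explicitly false; omitting it is a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append((name, "allowPrivilegeEscalation must be false"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append((name, "capabilities.drop must include ALL"))
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append((name, f"capabilities.add not allowed: {sorted(extra)}"))
        # A container value overrides the pod value; one of them must be true.
        if sc.get("runAsNonRoot", pod_non_root) is not True:
            violations.append((name, "runAsNonRoot must be true at pod or container level"))
        # Same override rule for seccompProfile.
        if (sc.get("seccompProfile") or {}).get("type", pod_seccomp) not in RESTRICTED_SECCOMP:
            violations.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
    return violations


# Constructed sample: operator output before any securityContext is added.
BEFORE = {"containers": [{"name": "solrcloud-node"}],
          "initContainers": [{"name": "cp-solr-xml"}]}

# Constructed sample: the thread's pod- and container-level settings plus runAsNonRoot,
# applied to the operator-managed init container as well as the Solr container.
HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
AFTER = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
         "containers": [{"name": "solrcloud-node", "securityContext": HARDENED}],
         "initContainers": [{"name": "cp-solr-xml", "securityContext": HARDENED}]}
```

Running `check_restricted` on a spec where only the Solr container carries `HARDENED` reports the two container-level failures for `cp-solr-xml`, which is the gap the thread describes for operator-managed init containers.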

HoustonPutman commented on June 16, 2024

If these changes are ok to run in other environments, we could utilize that patch. Make a PR and we can go from there.

I'm glad you found a workaround without modifying the operator though.

Most of the maintainers don't run OpenShift, so it's hard for us to fix this ourselves. We need to rely on contributions from people running OpenShift.


aaronsuns commented on June 16, 2024

Exposing the container securityContext as configuration in the chart values file could be the solution, so users have full control over what they want to run; it's up to the user whether to follow the "Pod Security Standards" or not.
