This is an automated email from the ASF dual-hosted git repository.

HoustonPutman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git


The following commit(s) were added to refs/heads/main by this push:
     new 08e405a  Add ability to configure initContainer 
containerSecurityContext (#796)
08e405a is described below

commit 08e405a0e9cc67ff1f2d5d41c3222cd12cd6738c
Author: Alex Alexandrowitz <[email protected]>
AuthorDate: Wed Jun 17 02:41:48 2026 +0200

    Add ability to configure initContainer containerSecurityContext (#796)
    
    Co-authored-by: Alexander Alexandrowitz <[email protected]>
---
 api/v1beta1/common_types.go                        |   4 +
 api/v1beta1/zz_generated.deepcopy.go               |   5 +
 config/crd/bases/solr.apache.org_solrclouds.yaml   | 194 +++++++++++
 .../solr.apache.org_solrprometheusexporters.yaml   | 194 +++++++++++
 controllers/solrcloud_controller_test.go           |  17 +-
 controllers/util/solr_util.go                      |  12 +-
 helm/solr-operator/Chart.yaml                      |   7 +
 helm/solr-operator/crds/crds.yaml                  | 388 +++++++++++++++++++++
 helm/solr/README.md                                |   1 +
 helm/solr/templates/_custom_option_helpers.tpl     |   4 +
 helm/solr/values.yaml                              |   3 +
 11 files changed, 825 insertions(+), 4 deletions(-)

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index d5c82a3..e228e2c 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -165,6 +165,10 @@ type PodOptions struct {
        // DefaultInitContainerResources are the resource requirements for the 
default init container(s) created by the Solr Operator, if any are created.
        // +optional
        DefaultInitContainerResources corev1.ResourceRequirements 
`json:"defaultInitContainerResources,omitempty"`
+
+       // DefaultInitContainerSecurityContext is the security context for the 
default init container(s) created by the Solr Operator, if any are created.
+       // +optional
+       DefaultInitContainerSecurityContext *corev1.SecurityContext 
`json:"defaultInitContainerSecurityContext,omitempty"`
 }
 
 // ServiceOptions defines custom options for services
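Review bot: The godoc on the new DefaultInitContainerSecurityContext field says only that it applies to operator-created init containers; it does not say how it relates to the existing ContainerSecurityContext option (which, from its name, targets the main containers) or whether user-supplied InitContainers are left untouched. The controller test in this commit asserts that the default resources are not applied to InitContainers[2], and presumably the security context follows the same rule, but the solr_util.go hunk that would confirm this is not in view. If that is the behaviour, state it in the comment so users do not expect it to harden their own init containers: `// DefaultInitContainerSecurityContext is the security context for the default init container(s) created by the Solr Operator, if any are created.` followed by `// It is not applied to user-provided InitContainers, which carry their own securityContext.` The enclosing PodOptions struct starts outside the hunk.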
diff --git a/api/v1beta1/zz_generated.deepcopy.go 
b/api/v1beta1/zz_generated.deepcopy.go
index a9edeac..5b0a424 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -536,6 +536,11 @@ func (in *PodOptions) DeepCopyInto(out *PodOptions) {
                }
        }
        
in.DefaultInitContainerResources.DeepCopyInto(&out.DefaultInitContainerResources)
+       if in.DefaultInitContainerSecurityContext != nil {
+               in, out := &in.DefaultInitContainerSecurityContext, 
&out.DefaultInitContainerSecurityContext
+               *out = new(v1.SecurityContext)
+               (*in).DeepCopyInto(*out)
+       }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, 
creating a new PodOptions.
diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml 
b/config/crd/bases/solr.apache.org_solrclouds.yaml
index c560410..b15bc97 100644
--- a/config/crd/bases/solr.apache.org_solrclouds.yaml
+++ b/config/crd/bases/solr.apache.org_solrclouds.yaml
@@ -3403,6 +3403,200 @@ spec:
                               More info: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                             type: object
                         type: object
+                      defaultInitContainerSecurityContext:
+                        description: DefaultInitContainerSecurityContext is 
the security
+                          context for the default init container(s) created by 
the
+                          Solr Operator, if any are created.
+                        properties:
+                          allowPrivilegeEscalation:
+                            description: |-
+                              AllowPrivilegeEscalation controls whether a 
process can gain more
+                              privileges than its parent process. This bool 
directly controls if
+                              the no_new_privs flag will be set on the 
container process.
+                              AllowPrivilegeEscalation is true always when the 
container is:
+                              1) run as Privileged
+                              2) has CAP_SYS_ADMIN
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use 
by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded 
on the node that should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is 
"Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor 
profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the 
node.
+                                    RuntimeDefault - the container runtime's 
default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          capabilities:
+                            description: |-
+                              The capabilities to add/drop when running 
containers.
+                              Defaults to the default set of capabilities 
granted by the container runtime.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              add:
+                                description: Added capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              drop:
+                                description: Removed capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          privileged:
+                            description: |-
+                              Run container in privileged mode.
+                              Processes in privileged containers are 
essentially equivalent to root on the host.
+                              Defaults to false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          procMount:
+                            description: |-
+                              procMount denotes the type of proc mount to use 
for the containers.
+                              The default value is Default which uses the 
container runtime defaults for
+                              readonly paths and masked paths.
+                              This requires the ProcMountType feature flag to 
be enabled.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: string
+                          readOnlyRootFilesystem:
+                            description: |-
+                              Whether this container has a read-only root 
filesystem.
+                              Default is false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          runAsGroup:
+                            description: |-
+                              The GID to run the entrypoint of the container 
process.
+                              Uses runtime default if unset.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: |-
+                              Indicates that the container must run as a 
non-root user.
+                              If true, the Kubelet will validate the image at 
runtime to ensure that it
+                              does not run as UID 0 (root) and fail to start 
the container if it does.
+                              If unset or false, no such validation will be 
performed.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: |-
+                              The UID to run the entrypoint of the container 
process.
+                              Defaults to user specified in image metadata if 
unspecified.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: |-
+                              The SELinux context to be applied to the 
container.
+                              If unspecified, the container runtime will 
allocate a random SELinux context for each
+                              container.  May also be set in 
PodSecurityContext.  If set in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that 
applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that 
applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that 
applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that 
applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              The seccomp options to use by this container. If 
seccomp options are
+                              provided at both the pod & container level, the 
container options
+                              override the pod options.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined 
in a file on the node should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must be a descending path, relative to the 
kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT 
be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile 
will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on 
the node should be used.
+                                  RuntimeDefault - the container runtime 
default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          windowsOptions:
+                            description: |-
+                              The Windows specific settings applied to all 
containers.
+                              If unspecified, the options from the 
PodSecurityContext will be used.
+                              If set in both SecurityContext and 
PodSecurityContext, the value specified in SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is linux.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: |-
+                                  GMSACredentialSpec is where the GMSA 
admission webhook
+                                  
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+                                  GMSA credential spec named by the 
GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the 
name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: |-
+                                  HostProcess determines if a container should 
be run as a 'Host Process' container.
+                                  All of a Pod's containers must have the same 
effective HostProcess value
+                                  (it is not allowed to have a mix of 
HostProcess containers and non-HostProcess containers).
+                                  In addition, if HostProcess is true then 
HostNetwork must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: |-
+                                  The UserName in Windows to run the 
entrypoint of the container process.
+                                  Defaults to the user specified in image 
metadata if unspecified.
+                                  May also be set in PodSecurityContext. If 
set in both SecurityContext and
+                                  PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       enableServiceLinks:
                         description: Should service environment variables be 
created
                           on containers
diff --git a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml 
b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
index ad5d9b2..fef8bdc 100644
--- a/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
+++ b/config/crd/bases/solr.apache.org_solrprometheusexporters.yaml
@@ -1319,6 +1319,200 @@ spec:
                               More info: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                             type: object
                         type: object
+                      defaultInitContainerSecurityContext:
+                        description: DefaultInitContainerSecurityContext is 
the security
+                          context for the default init container(s) created by 
the
+                          Solr Operator, if any are created.
+                        properties:
+                          allowPrivilegeEscalation:
+                            description: |-
+                              AllowPrivilegeEscalation controls whether a 
process can gain more
+                              privileges than its parent process. This bool 
directly controls if
+                              the no_new_privs flag will be set on the 
container process.
+                              AllowPrivilegeEscalation is true always when the 
container is:
+                              1) run as Privileged
+                              2) has CAP_SYS_ADMIN
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use 
by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded 
on the node that should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is 
"Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor 
profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the 
node.
+                                    RuntimeDefault - the container runtime's 
default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          capabilities:
+                            description: |-
+                              The capabilities to add/drop when running 
containers.
+                              Defaults to the default set of capabilities 
granted by the container runtime.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              add:
+                                description: Added capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              drop:
+                                description: Removed capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          privileged:
+                            description: |-
+                              Run container in privileged mode.
+                              Processes in privileged containers are 
essentially equivalent to root on the host.
+                              Defaults to false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          procMount:
+                            description: |-
+                              procMount denotes the type of proc mount to use 
for the containers.
+                              The default value is Default which uses the 
container runtime defaults for
+                              readonly paths and masked paths.
+                              This requires the ProcMountType feature flag to 
be enabled.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: string
+                          readOnlyRootFilesystem:
+                            description: |-
+                              Whether this container has a read-only root 
filesystem.
+                              Default is false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          runAsGroup:
+                            description: |-
+                              The GID to run the entrypoint of the container 
process.
+                              Uses runtime default if unset.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: |-
+                              Indicates that the container must run as a 
non-root user.
+                              If true, the Kubelet will validate the image at 
runtime to ensure that it
+                              does not run as UID 0 (root) and fail to start 
the container if it does.
+                              If unset or false, no such validation will be 
performed.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: |-
+                              The UID to run the entrypoint of the container 
process.
+                              Defaults to user specified in image metadata if 
unspecified.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: |-
+                              The SELinux context to be applied to the 
container.
+                              If unspecified, the container runtime will 
allocate a random SELinux context for each
+                              container.  May also be set in 
PodSecurityContext.  If set in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that 
applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that 
applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that 
applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that 
applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              The seccomp options to use by this container. If 
seccomp options are
+                              provided at both the pod & container level, the 
container options
+                              override the pod options.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined 
in a file on the node should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must be a descending path, relative to the 
kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT 
be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile 
will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on 
the node should be used.
+                                  RuntimeDefault - the container runtime 
default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          windowsOptions:
+                            description: |-
+                              The Windows specific settings applied to all 
containers.
+                              If unspecified, the options from the 
PodSecurityContext will be used.
+                              If set in both SecurityContext and 
PodSecurityContext, the value specified in SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is linux.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: |-
+                                  GMSACredentialSpec is where the GMSA 
admission webhook
+                                  
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+                                  GMSA credential spec named by the 
GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the 
name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: |-
+                                  HostProcess determines if a container should 
be run as a 'Host Process' container.
+                                  All of a Pod's containers must have the same 
effective HostProcess value
+                                  (it is not allowed to have a mix of 
HostProcess containers and non-HostProcess containers).
+                                  In addition, if HostProcess is true then 
HostNetwork must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: |-
+                                  The UserName in Windows to run the 
entrypoint of the container process.
+                                  Defaults to the user specified in image 
metadata if unspecified.
+                                  May also be set in PodSecurityContext. If 
set in both SecurityContext and
+                                  PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       enableServiceLinks:
                         description: Should service environment variables be 
created
                           on containers
diff --git a/controllers/solrcloud_controller_test.go 
b/controllers/solrcloud_controller_test.go
index 78a0725..090fe92 100644
--- a/controllers/solrcloud_controller_test.go
+++ b/controllers/solrcloud_controller_test.go
@@ -220,7 +220,13 @@ var _ = FDescribe("SolrCloud controller - General", func() 
{
                                                ServiceAccountName:            
testServiceAccountName,
                                                TopologySpreadConstraints:     
testTopologySpreadConstraints,
                                                DefaultInitContainerResources: 
testResources2,
-                                               InitContainers:                
extraContainers1,
+                                               
DefaultInitContainerSecurityContext: &corev1.SecurityContext{
+                                                       RunAsNonRoot: 
newBoolPtr(true),
+                                                       Capabilities: 
&corev1.Capabilities{
+                                                               Add: 
[]corev1.Capability{"CHOWN", "DAC_OVERRIDE"},
+                                                       },
+                                               },
+                                               InitContainers: 
extraContainers1,
                                                ContainerSecurityContext: 
&corev1.SecurityContext{
                                                        RunAsNonRoot:           
newBoolPtr(true),
                                                        ReadOnlyRootFilesystem: 
newBoolPtr(true),
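Review bot: The new fixture sets only RunAsNonRoot and Capabilities.Add on DefaultInitContainerSecurityContext, so the Drop path of the security context is never exercised, even though `Drop: []corev1.Capability{"ALL"}` next to a small Add list is the shape a least-privilege deployment would actually use. Consider adding `Drop: []corev1.Capability{"ALL"},` inside the Capabilities literal and asserting it on the generated init containers. Separately, I see no assertion in view that extraContainers1's own securityContext is left untouched by the default, mirroring the InitContainers[2] resources check in the following hunk; the tail of that hunk is cut off, so it may already exist. The surrounding Describe block starts before the hunk.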
@@ -301,6 +307,15 @@ var _ = FDescribe("SolrCloud controller - General", func() 
{
                        
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].Resources).To(Equal(testResources2),
 "Incorrect initContainer[0] resources")
                        
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].Resources).To(Equal(testResources2),
 "Incorrect initContainer[1] resources")
                        
Expect(statefulSet.Spec.Template.Spec.InitContainers[2].Resources).ToNot(Equal(testResources2),
 "Incorrect initContainer[2] resources, should not use the default override")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext).To(Not(BeNil()),
 "InitContainer[0] should have security context")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext.RunAsNonRoot).To(PointTo(BeTrue()),
 "Incorrect initContainer[0] security context runAsNonRoot")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext.Capabilities.Add).To(HaveLen(2),
 "Incorrect number of capabilities in initContainer[0]")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext.Capabilities.Add).To(ContainElements(corev1.Capability("CHOWN"),
 corev1.Capability("DAC_OVERRIDE")), "Incorrect capabilities in 
initContainer[0]")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].SecurityContext).To(Not(BeNil()),
 "InitContainer[1] should have security context")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].SecurityContext.RunAsNonRoot).To(PointTo(BeTrue()),
 "Incorrect initContainer[1] security context runAsNonRoot")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].SecurityContext.Capabilities.Add).To(HaveLen(2),
 "Incorrect number of capabilities in initContainer[1]")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[1].SecurityContext.Capabilities.Add).To(ContainElements(corev1.Capability("CHOWN"),
 corev1.Capability("DAC_OVERRIDE")), "Incorrect capabilities in 
initContainer[1]")
+                       
Expect(statefulSet.Spec.Template.Spec.InitContainers[2].SecurityContext).To(BeNil(),
 "InitContainer[2] should not have custom security context since it's 
user-provided")
                        
Expect(statefulSet.Spec.Template.Spec.Tolerations).To(Equal(testTolerations), 
"Incorrect Tolerations for Pod")
                        
Expect(statefulSet.Spec.Template.Spec.PriorityClassName).To(Equal(testPriorityClass),
 "Incorrect Priority class name for Pod Spec")
                        
Expect(statefulSet.Spec.Template.Spec.ImagePullSecrets).To(ConsistOf(append(testAdditionalImagePullSecrets,
 corev1.LocalObjectReference{Name: testImagePullSecretName})), "Incorrect 
imagePullSecrets")
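Review bot: The `Capabilities.Add` assertions for initContainer[0] and initContainer[1] dereference `SecurityContext.Capabilities` without first asserting it is non-nil, so if the operator ever dropped the capabilities block the spec would fail through a recovered nil-pointer panic rather than with the descriptive message each assertion carries. Adding `Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext.Capabilities).ToNot(BeNil(), "InitContainer[0] should have capabilities")` (and the same for [1]) ahead of the `HaveLen(2)` checks keeps failures readable. Since the expected context is a fixed literal in the previous hunk, a single `Equal(...)` against that `corev1.SecurityContext` would also be shorter than the four per-field checks, at the cost of coarser failure messages. The enclosing It block starts and ends outside the hunk.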
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 7f90b76..f4a7747 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -809,13 +809,19 @@ func generateSolrSetupInitContainers(solrCloud 
*solr.SolrCloud, solrCloudStatus
                containers = append(containers, zkSetupContainer)
        }
 
-       // If the user has provided custom resources for the default init 
containers, use them
+       // If the user has provided custom resources or security context for 
the default init containers, use them
        customPodOptions := solrCloud.Spec.CustomSolrKubeOptions.PodOptions
        if nil != customPodOptions {
                resources := customPodOptions.DefaultInitContainerResources
-               if resources.Limits != nil || resources.Requests != nil {
+               securityContext := 
customPodOptions.DefaultInitContainerSecurityContext
+               if resources.Limits != nil || resources.Requests != nil || 
securityContext != nil {
                        for i := range containers {
-                               containers[i].Resources = resources
+                               if resources.Limits != nil || 
resources.Requests != nil {
+                                       containers[i].Resources = resources
+                               }
+                               if securityContext != nil {
+                                       containers[i].SecurityContext = 
securityContext
+                               }
                        }
                }
        }
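Review bot: `containers[i].SecurityContext = securityContext` stores the same `*corev1.SecurityContext` pointer in every generated init container, and that pointer is the one held by `solrCloud.Spec.CustomSolrKubeOptions.PodOptions`, so the init containers alias each other and the SolrCloud object the controller is working from; any later per-container mutation (appending to `Capabilities.Add` on one container, say) would appear in the other containers and in the spec. Assigning a copy, `containers[i].SecurityContext = securityContext.DeepCopy()`, gives each container its own value and leaves the spec untouched; `DefaultInitContainerResources` is a value type and does not have this problem. As a point of style, the outer `if resources.Limits != nil || resources.Requests != nil || securityContext != nil` now only repeats the two inner guards and could be dropped in favour of the loop alone. generateSolrSetupInitContainers starts before this hunk.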
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 9bd1f26..e445ad6 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -110,6 +110,13 @@ annotations:
       links:
         - name: Github PR
           url: https://github.com/apache/solr-operator/pull/782
+    - kind: added
+      description: Ability to set a securityContext for the default 
initContainers
+      links:
+        - name: Github Issue
+          url: https://github.com/apache/solr-operator/issues/797
+        - name: Github PR
+          url: https://github.com/apache/solr-operator/pull/796
   artifacthub.io/images: |
     - name: solr-operator
       image: apache/solr-operator:v0.10.0-prerelease
diff --git a/helm/solr-operator/crds/crds.yaml 
b/helm/solr-operator/crds/crds.yaml
index 674b257..d852145 100644
--- a/helm/solr-operator/crds/crds.yaml
+++ b/helm/solr-operator/crds/crds.yaml
@@ -3661,6 +3661,200 @@ spec:
                               More info: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                             type: object
                         type: object
+                      defaultInitContainerSecurityContext:
+                        description: DefaultInitContainerSecurityContext is 
the security
+                          context for the default init container(s) created by 
the
+                          Solr Operator, if any are created.
+                        properties:
+                          allowPrivilegeEscalation:
+                            description: |-
+                              AllowPrivilegeEscalation controls whether a 
process can gain more
+                              privileges than its parent process. This bool 
directly controls if
+                              the no_new_privs flag will be set on the 
container process.
+                              AllowPrivilegeEscalation is true always when the 
container is:
+                              1) run as Privileged
+                              2) has CAP_SYS_ADMIN
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use 
by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded 
on the node that should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is 
"Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor 
profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the 
node.
+                                    RuntimeDefault - the container runtime's 
default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          capabilities:
+                            description: |-
+                              The capabilities to add/drop when running 
containers.
+                              Defaults to the default set of capabilities 
granted by the container runtime.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              add:
+                                description: Added capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              drop:
+                                description: Removed capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          privileged:
+                            description: |-
+                              Run container in privileged mode.
+                              Processes in privileged containers are 
essentially equivalent to root on the host.
+                              Defaults to false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          procMount:
+                            description: |-
+                              procMount denotes the type of proc mount to use 
for the containers.
+                              The default value is Default which uses the 
container runtime defaults for
+                              readonly paths and masked paths.
+                              This requires the ProcMountType feature flag to 
be enabled.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: string
+                          readOnlyRootFilesystem:
+                            description: |-
+                              Whether this container has a read-only root 
filesystem.
+                              Default is false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          runAsGroup:
+                            description: |-
+                              The GID to run the entrypoint of the container 
process.
+                              Uses runtime default if unset.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: |-
+                              Indicates that the container must run as a 
non-root user.
+                              If true, the Kubelet will validate the image at 
runtime to ensure that it
+                              does not run as UID 0 (root) and fail to start 
the container if it does.
+                              If unset or false, no such validation will be 
performed.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: |-
+                              The UID to run the entrypoint of the container 
process.
+                              Defaults to user specified in image metadata if 
unspecified.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: |-
+                              The SELinux context to be applied to the 
container.
+                              If unspecified, the container runtime will 
allocate a random SELinux context for each
+                              container.  May also be set in 
PodSecurityContext.  If set in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that 
applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that 
applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that 
applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that 
applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              The seccomp options to use by this container. If 
seccomp options are
+                              provided at both the pod & container level, the 
container options
+                              override the pod options.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined 
in a file on the node should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must be a descending path, relative to the 
kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT 
be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile 
will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on 
the node should be used.
+                                  RuntimeDefault - the container runtime 
default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          windowsOptions:
+                            description: |-
+                              The Windows specific settings applied to all 
containers.
+                              If unspecified, the options from the 
PodSecurityContext will be used.
+                              If set in both SecurityContext and 
PodSecurityContext, the value specified in SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is linux.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: |-
+                                  GMSACredentialSpec is where the GMSA 
admission webhook
+                                  
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+                                  GMSA credential spec named by the 
GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the 
name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: |-
+                                  HostProcess determines if a container should 
be run as a 'Host Process' container.
+                                  All of a Pod's containers must have the same 
effective HostProcess value
+                                  (it is not allowed to have a mix of 
HostProcess containers and non-HostProcess containers).
+                                  In addition, if HostProcess is true then 
HostNetwork must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: |-
+                                  The UserName in Windows to run the 
entrypoint of the container process.
+                                  Defaults to the user specified in image 
metadata if unspecified.
+                                  May also be set in PodSecurityContext. If 
set in both SecurityContext and
+                                  PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       enableServiceLinks:
                         description: Should service environment variables be 
created
                           on containers
@@ -19177,6 +19371,200 @@ spec:
                               More info: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                             type: object
                         type: object
+                      defaultInitContainerSecurityContext:
+                        description: DefaultInitContainerSecurityContext is 
the security
+                          context for the default init container(s) created by 
the
+                          Solr Operator, if any are created.
+                        properties:
+                          allowPrivilegeEscalation:
+                            description: |-
+                              AllowPrivilegeEscalation controls whether a 
process can gain more
+                              privileges than its parent process. This bool 
directly controls if
+                              the no_new_privs flag will be set on the 
container process.
+                              AllowPrivilegeEscalation is true always when the 
container is:
+                              1) run as Privileged
+                              2) has CAP_SYS_ADMIN
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          appArmorProfile:
+                            description: |-
+                              appArmorProfile is the AppArmor options to use 
by this container. If set, this profile
+                              overrides the pod's appArmorProfile.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile loaded 
on the node that should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must match the loaded name of the profile.
+                                  Must be set if and only if type is 
"Localhost".
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of AppArmor 
profile will be applied.
+                                  Valid options are:
+                                    Localhost - a profile pre-loaded on the 
node.
+                                    RuntimeDefault - the container runtime's 
default profile.
+                                    Unconfined - no AppArmor enforcement.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          capabilities:
+                            description: |-
+                              The capabilities to add/drop when running 
containers.
+                              Defaults to the default set of capabilities 
granted by the container runtime.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              add:
+                                description: Added capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              drop:
+                                description: Removed capabilities
+                                items:
+                                  description: Capability represent POSIX 
capabilities
+                                    type
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          privileged:
+                            description: |-
+                              Run container in privileged mode.
+                              Processes in privileged containers are 
essentially equivalent to root on the host.
+                              Defaults to false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          procMount:
+                            description: |-
+                              procMount denotes the type of proc mount to use 
for the containers.
+                              The default value is Default which uses the 
container runtime defaults for
+                              readonly paths and masked paths.
+                              This requires the ProcMountType feature flag to 
be enabled.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: string
+                          readOnlyRootFilesystem:
+                            description: |-
+                              Whether this container has a read-only root 
filesystem.
+                              Default is false.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            type: boolean
+                          runAsGroup:
+                            description: |-
+                              The GID to run the entrypoint of the container 
process.
+                              Uses runtime default if unset.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: |-
+                              Indicates that the container must run as a 
non-root user.
+                              If true, the Kubelet will validate the image at 
runtime to ensure that it
+                              does not run as UID 0 (root) and fail to start 
the container if it does.
+                              If unset or false, no such validation will be 
performed.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: |-
+                              The UID to run the entrypoint of the container 
process.
+                              Defaults to user specified in image metadata if 
unspecified.
+                              May also be set in PodSecurityContext.  If set 
in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: |-
+                              The SELinux context to be applied to the 
container.
+                              If unspecified, the container runtime will 
allocate a random SELinux context for each
+                              container.  May also be set in 
PodSecurityContext.  If set in both SecurityContext and
+                              PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that 
applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that 
applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that 
applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that 
applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              The seccomp options to use by this container. If 
seccomp options are
+                              provided at both the pod & container level, the 
container options
+                              override the pod options.
+                              Note that this field cannot be set when 
spec.os.name is windows.
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined 
in a file on the node should be used.
+                                  The profile must be preconfigured on the 
node to work.
+                                  Must be a descending path, relative to the 
kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT 
be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile 
will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on 
the node should be used.
+                                  RuntimeDefault - the container runtime 
default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          windowsOptions:
+                            description: |-
+                              The Windows specific settings applied to all 
containers.
+                              If unspecified, the options from the 
PodSecurityContext will be used.
+                              If set in both SecurityContext and 
PodSecurityContext, the value specified in SecurityContext takes precedence.
+                              Note that this field cannot be set when 
spec.os.name is linux.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: |-
+                                  GMSACredentialSpec is where the GMSA 
admission webhook
+                                  
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+                                  GMSA credential spec named by the 
GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the 
name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: |-
+                                  HostProcess determines if a container should 
be run as a 'Host Process' container.
+                                  All of a Pod's containers must have the same 
effective HostProcess value
+                                  (it is not allowed to have a mix of 
HostProcess containers and non-HostProcess containers).
+                                  In addition, if HostProcess is true then 
HostNetwork must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: |-
+                                  The UserName in Windows to run the 
entrypoint of the container process.
+                                  Defaults to the user specified in image 
metadata if unspecified.
+                                  May also be set in PodSecurityContext. If 
set in both SecurityContext and
+                                  PodSecurityContext, the value specified in 
SecurityContext takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       enableServiceLinks:
                         description: Should service environment variables be 
created
                           on containers
diff --git a/helm/solr/README.md b/helm/solr/README.md
index e1de157..2d95171 100644
--- a/helm/solr/README.md
+++ b/helm/solr/README.md
@@ -281,6 +281,7 @@ When using the helm chart, omit `customSolrKubeOptions.`
 | podOptions.resources.requests | map[string]string |  | Provide Resource 
requests for the Solr container |
 | podOptions.defaultInitContainerResources.limits | map[string]string |  | 
Provide Resource limits for Solr's default initContainer(s) |
 | podOptions.defaultInitContainerResources.requests | map[string]string |  | 
Provide Resource requests for Solr's default initContainer(s) |
+| podOptions.defaultInitContainerSecurityContext | object |  | Provide 
SecurityContext for Solr's default initContainer(s) |
 | podOptions.nodeSelector | map[string]string |  | Add a node selector for the 
Solr pod, to specify where it can be scheduled |
 | podOptions.affinity | object |  | Add Kubernetes affinity information for 
the Solr pod |
 | podOptions.tolerations | []object |  | Specify a list of Kubernetes 
tolerations for the Solr pod |
diff --git a/helm/solr/templates/_custom_option_helpers.tpl 
b/helm/solr/templates/_custom_option_helpers.tpl
index b7f3d1c..4082e6c 100644
--- a/helm/solr/templates/_custom_option_helpers.tpl
+++ b/helm/solr/templates/_custom_option_helpers.tpl
@@ -112,6 +112,10 @@ topologySpreadConstraints:
 defaultInitContainerResources:
   {{- toYaml .Values.podOptions.defaultInitContainerResources | nindent 2 }}
 {{ end }}
+{{- if .Values.podOptions.defaultInitContainerSecurityContext -}}
+defaultInitContainerSecurityContext:
+  {{- toYaml .Values.podOptions.defaultInitContainerSecurityContext | nindent 
2 }}
+{{ end }}
 {{- end -}}
 
 {{/*
diff --git a/helm/solr/values.yaml b/helm/solr/values.yaml
index f72bdd4..595fd85 100644
--- a/helm/solr/values.yaml
+++ b/helm/solr/values.yaml
@@ -338,6 +338,9 @@ podOptions:
   # Resources for the init containers created by the Solr Operator
   defaultInitContainerResources: {}
 
+  # Security context for the init containers created by the Solr Operator
+  defaultInitContainerSecurityContext: {}
+
   volumes: []
     # - name:
     #   defaultContainerMount: {}
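Review bot: The new comment on `defaultInitContainerSecurityContext` does not say what kind of object the value is, and users who have only set `podOptions.podSecurityContext` may assume pod-level fields are accepted here. The CRD schema added in this commit (the block that precedes `enableServiceLinks`) exposes container-level fields such as `windowsOptions.hostProcess` and `runAsUserName`, so this appears to be a container SecurityContext, not a PodSecurityContext; consider `# Container-level SecurityContext (corev1.SecurityContext) for the init containers created by the Solr Operator`. It would also help to state that an empty map leaves the field unset, since the `_custom_option_helpers.tpl` hunk only emits the key when the value is non-empty: `# Leave empty ({}) to omit the field and keep the operator defaults`.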
