Add support to set capabilities on Solr cloud container's security context

[pareekdevanshu]

Hi Team,
Currently It is possible to set capabilities for initContainers and sidecarContainers, Eg:

securityContext:
  capabilities:
    drop:
      - ALL

But, there is no way to set capabilities on Solr cloud container's security context, can you please help in adding support for it?

[ollixy]

@HoustonPutman is support for setting capabilities on customSolrKubeOptions.podOptions.podSecurityContext confirmed to be added eventually (and if it is, is there already an indication on when)? Or is this only under consideration and might be not added at all?

[mmoscher]

@ollixy you cannot set capabilities on the podSecurityContext, cf. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core. What we need is a separate option to specify the securityContext of each container in the pod.

@HoustonPutman +1 for this issue, since solr is incompatible when using sokme restricted PSS and enforcing these with keyverno (for example).

I'll try to file an PR, but my knowledge about operators is quite limited.

[HoustonPutman]

Sounds good, I'm very happy to help once you get a start 🙂

[ollixy]

@mmoscher @HoustonPutman any news on this one?

[aaronsuns]

Any news on this one?

[HoustonPutman]

No news from me. I'm not running openshift, so I don't really know what needs to be done. If someone wants to start a PR, then I'm very happy to help usher it through.

[AyzekTime]

Hi all! a new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available, there is no solution to our problem) is there any news on our problem?

[janhoy]

Hi all! a new version was recently released (April 12, 2024, Apache Solr Operator™ v0.8.1 available, there is no solution to our problem) is there any news on our problem?

@ollixy , @pareekdevanshu, @mmoscher, @aaronsuns , @AyzekTime
This is an open source project, and we rely on contributions. If your day-job has a need for this and are willing to sponsor such a feature, then the best way forward is to arrange so that you can contribute a PR directly, and we'll help get it in to the next version.

[bentastic27]

I'm running into this issue on EKS.

@janhoy / @HoustonPutman Are these extra capabilties/privs ever actually needed? If not, we can likely hardcode in the changes made in this comment:
#671 (comment)

Here is an example of a values.yaml I'm trying to use for a Solr Cluster:

securityContext: &securityContext
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  allowPrivilegeEscalation: false

podOptions:
  labels:
    sidecar.istio.io/inject: 'false'
  podSecurityContext:
    <<: *securityContext
zk:
  provided:
    zookeeperPodPolicy:
      securityContext:
        <<: *securityContext
      labels:
        sidecar.istio.io/inject: 'false'