Make busybox securityContext configurable #649

Draft
wants to merge 1 commit into
base: main
@janhoy janhoy commented Oct 27, 2023

Draft PR, only code, not docs, no helm support.

The busybox official image runs as root in the cp-solr-xml init container, and there is no way to configure it otherwise, other than pointing to a different image that has been manipulated as non-root.

By adding a SecurityContext for the init container defaulting to the nobody user and setting runAsNonRoot: true, we have a good default. By also making the securityContext configurable, we allow for people to switch to a different image with other UID etc. Example:

spec:
  busyBoxImage:
    tag: 1.36.1-glibc
  busyBoxSecurityContext:
    runAsUser: 123

Fixes #582

@janhoy janhoy requested a review from HoustonPutman October 27, 2023 19:03
@janhoy janhoy marked this pull request as draft October 27, 2023 19:04
@janhoy janhoy changed the title WIP: Make busybox securityContext configurable Make busybox securityContext configurable Oct 27, 2023

janhoy commented Oct 28, 2023

Alternatively, should perhaps the spec for the cp-solr-xml init container be configurable as one yaml dict instead of two? Still defaults in code, but end users could perhaps override more properties of the container in a more familiar and transparent way. Example:

spec:
  cpSolrXmlInitContainer:
    image:
      registry: public.ecr.aws
      repository: my-company/busybox
      tag: 1.37.0-custom
      imagePullSecret: foo
    securityContext:
      runAsUser: 1000
      runAsGroup: 1000

PS: By splitting image into registry, repository and tag, it is easier for downstream users to customize just the registry part.
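The defaulting described in the PR description, as an added example that is not code from this PR or the project: a non-root default for the init container with a user override laid on top, plus a check for the one combination the kubelet refuses to start. The local `SecurityContext` struct (a stand-in for the Kubernetes type), UID 65534 for `nobody`, the field-by-field merge, and the helper names are assumptions; the PR text does not say how overrides are combined with the default.

```go
package main

import "fmt"

// SecurityContext is a local stand-in for the three Kubernetes
// SecurityContext fields used here, so the example has no dependencies.
type SecurityContext struct {
	RunAsUser    *int64
	RunAsGroup   *int64
	RunAsNonRoot *bool
}

// NobodyUID is an assumption: 65534 is "nobody" in the busybox image.
const NobodyUID int64 = 65534

func i64(v int64) *int64   { return &v }
func boolean(v bool) *bool { return &v }

// EffectiveSecurityContext (hypothetical helper) overlays a user override on
// the non-root default field by field, so a partial override such as
// {runAsUser: 123} still keeps runAsNonRoot: true.
func EffectiveSecurityContext(override *SecurityContext) SecurityContext {
	eff := SecurityContext{RunAsUser: i64(NobodyUID), RunAsNonRoot: boolean(true)}
	if override == nil {
		return eff
	}
	if override.RunAsUser != nil {
		eff.RunAsUser = override.RunAsUser
	}
	if override.RunAsGroup != nil {
		eff.RunAsGroup = override.RunAsGroup
	}
	if override.RunAsNonRoot != nil {
		eff.RunAsNonRoot = override.RunAsNonRoot
	}
	return eff
}

// Validate (hypothetical helper) rejects runAsNonRoot: true together with
// UID 0, a pod spec the kubelet will not start.
func Validate(sc SecurityContext) error {
	if sc.RunAsNonRoot != nil && *sc.RunAsNonRoot && sc.RunAsUser != nil && *sc.RunAsUser == 0 {
		return fmt.Errorf("runAsUser 0 conflicts with runAsNonRoot: true")
	}
	return nil
}

func main() {
	eff := EffectiveSecurityContext(&SecurityContext{RunAsUser: i64(123)}) // override from the PR's example
	fmt.Println(*eff.RunAsUser, *eff.RunAsNonRoot, Validate(eff))
}
```

If the override replaced the default wholesale instead of merging, `runAsUser: 123` alone would drop `runAsNonRoot: true`, which is the regression the merge avoids.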

Successfully merging this pull request may close these issues.

Run init container cp-solr-xml as nonRoot