adding automountServiceAccountToken #701

Open
jojay opened this issue Apr 24, 2024 · 1 comment

jojay commented Apr 24, 2024

Hi, is there an option in kind: SolrCloud to somehow set
automountServiceAccountToken = false?
This will solve a security recommendation in AKS.
So in the STS (below: the SolrCloud installed with solr-operator 8.0.0, but enriched post-install with the mentioned attribute. The same I would like to accomplish for ZooKeeper too. I would like to avoid post-processing with kustomize or forking the Helm charts myself)
you would finally have:
Excerpt:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    solr.apache.org/zkConnectionString: test-platformdev-solrcloud-zookeeper-0.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181,test-platformdev-solrcloud-zookeeper-1.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181,test-platformdev-solrcloud-zookeeper-2.test-platformdev-solrcloud-zookeeper-headless.test-platformdev.svc.cluster.local:2181/test-platformdev
  creationTimestamp: "2024-04-12T12:36:20Z"
  generation: 3
  labels:
    solr-cloud: test-platformdev
    technology: solr-cloud
  name: test-platformdev-solrcloud
  namespace: test-platformdev
  ownerReferences:
  - apiVersion: solr.apache.org/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: SolrCloud
    name: test-platformdev
    uid: 9ef08181-2d5e-401a-904d-6c6cd8f6e87b
  resourceVersion: "666711970"
  uid: 8f9393c1-0692-40dd-816a-8292ce2e63db
spec:
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  podManagementPolicy: Parallel
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      solr-cloud: test-platformdev
      technology: solr-cloud
  serviceName: test-platformdev-solrcloud-headless
  template:
    metadata:
      annotations:
        solr.apache.org/solrXmlMd5: 843652bc6b529b66f46bcdae6764ab4e
      creationTimestamp: null
      labels:
        solr-cloud: test-platformdev
        technology: solr-cloud
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: agentpool
                operator: In
                values:
                - agentpool
      automountServiceAccountToken: false   # the attribute added post-install
      containers:
      - env:
        - name: SOLR_JAVA_MEM
```

Thank you very much in advance!


jojay commented Apr 24, 2024

BTW: This is the finding in Azure Defender: "Kubernetes clusters should disable automounting API credentials.
There are multiple ways to opt out of automounting API credentials for a service account. To opt out of automounting API credentials for a single pod, set automountServiceAccountToken: false in PodSpec. [...]"
My tests were successful so far with my other deployments, but as described I am struggling with this property in the kind: SolrCloud file that, once applied, manages the installation.
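An added audit check, not code from the Solr operator project or from this issue, that applies the precedence rule behind the Defender finding's "multiple ways to opt out": a pod-level automountServiceAccountToken overrides the ServiceAccount-level setting, and when neither is set Kubernetes mounts the token. The workload and ServiceAccount objects below are constructed; the "zk-readonly" ServiceAccount is hypothetical.

```python
from typing import Dict, List


def effective_automount(pod_spec: dict, service_accounts: Dict[str, dict]) -> bool:
    """True if a pod built from pod_spec will have the SA token mounted."""
    pod_setting = pod_spec.get("automountServiceAccountToken")
    if pod_setting is not None:          # pod spec wins when explicitly set
        return bool(pod_setting)
    sa_name = pod_spec.get("serviceAccountName", "default")
    sa_setting = service_accounts.get(sa_name, {}).get("automountServiceAccountToken")
    if sa_setting is not None:           # otherwise the ServiceAccount decides
        return bool(sa_setting)
    return True                          # Kubernetes default: mount the token


def audit(workloads: List[dict], service_accounts: Dict[str, dict]) -> List[str]:
    """Return kind/name of every workload whose pods would still automount."""
    flagged = []
    for w in workloads:
        pod_spec = w["spec"]["template"]["spec"]
        if effective_automount(pod_spec, service_accounts):
            flagged.append(f'{w["kind"]}/{w["metadata"]["name"]}')
    return flagged


# Constructed ServiceAccounts: "default" keeps the Kubernetes default,
# the hypothetical "zk-readonly" opts out at the ServiceAccount level.
SERVICE_ACCOUNTS = {
    "default": {},
    "zk-readonly": {"automountServiceAccountToken": False},
}

def _sts(name: str, pod_spec: dict) -> dict:
    """Minimal constructed StatefulSet carrying only the fields the audit reads."""
    return {"kind": "StatefulSet", "metadata": {"name": name},
            "spec": {"template": {"spec": pod_spec}}}

WORKLOADS = [
    # Solr STS as patched post-install in the issue: pod-level opt-out.
    _sts("test-platformdev-solrcloud", {"automountServiceAccountToken": False}),
    # ZooKeeper STS left untouched: nothing set anywhere, so it gets flagged.
    _sts("test-platformdev-solrcloud-zookeeper", {"serviceAccountName": "default"}),
    # Same ZooKeeper spec bound to an SA that opts out: not flagged.
    _sts("zookeeper-with-optout-sa", {"serviceAccountName": "zk-readonly"}),
]

if __name__ == "__main__":
    for item in audit(WORKLOADS, SERVICE_ACCOUNTS):
        print(f"{item}: service account token still automounted")
```

Against a live cluster the same functions can be fed the output of `kubectl get statefulsets,serviceaccounts -o json`, since they only read the standard field names.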
