diff --git a/bundle/manifests/enterprise.splunk.com_indexerclusters.yaml b/bundle/manifests/enterprise.splunk.com_indexerclusters.yaml index e6d930c62..5bba88ea2 100644 --- a/bundle/manifests/enterprise.splunk.com_indexerclusters.yaml +++ b/bundle/manifests/enterprise.splunk.com_indexerclusters.yaml @@ -1354,6 +1354,42 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + securityContext: + description: Security configuration on the pod level. + properties: + runAsUser: + anyOf: + - type: integer + - type: string + description: |- + User ID for all processes in any containers in the pod. + x-kubernetes-int-or-string: true + runAsGroup: + anyOf: + - type: integer + - type: string + description: |- + Primary Group ID for all processes within any containers of the pod. + Root by default. + x-kubernetes-int-or-string: true + fsGroup: + anyOf: + - type: integer + - type: string + description: |- + Supplementary Group ID for all processes within any containers of the pod. + x-kubernetes-int-or-string: true + fsGroupChangePolicy: + description: |- + Behavior for changing ownership and permissions of the volume. + Applies only to volume types that support fsGroup controlled ownership and permissions. + Can be either OnRootMismatch or Always (default). + default: Always + enum: + - OnRootMismatch + - Always + type: string + type: object schedulerName: description: Name of Scheduler to use for pod placement (defaults to “default-scheduler”) diff --git a/config/crd/bases/enterprise.splunk.com_indexerclusters.yaml b/config/crd/bases/enterprise.splunk.com_indexerclusters.yaml index 571efa7a1..b17acc43c 100644 --- a/config/crd/bases/enterprise.splunk.com_indexerclusters.yaml +++ b/config/crd/bases/enterprise.splunk.com_indexerclusters.yaml 
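Review bot: `runAsUser`, `runAsGroup` and `fsGroup` are declared as int-or-string with no further constraint, so the schema admits any string and any negative integer and leaves all validation of these IDs to the operator. Kubernetes' own PodSecurityContext types them as int64; if the Go type behind this CRD allows it, `type: integer` with `format: int64` and `minimum: 0` would reject bad values at admission, and otherwise a `pattern: '^[0-9]+$'` beside `x-kubernetes-int-or-string: true` should at least limit strings to numeric IDs. The `runAsGroup` description says only "Root by default"; I would state there that an unset value means GID 0, so that running with the root group is a deliberate choice. The same schema is repeated in config/crd/bases/enterprise.splunk.com_indexerclusters.yaml and helm-chart/splunk-operator/crds/enterprise.splunk.com_indexerclusters.yaml, so the change applies to all three copies. The surrounding spec schema starts and ends outside the hunk.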
@@ -1352,6 +1352,42 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + securityContext: + description: Security configuration on the pod level. + properties: + runAsUser: + anyOf: + - type: integer + - type: string + description: |- + User ID for all processes in any containers in the pod. + x-kubernetes-int-or-string: true + runAsGroup: + anyOf: + - type: integer + - type: string + description: |- + Primary Group ID for all processes within any containers of the pod. + Root by default. + x-kubernetes-int-or-string: true + fsGroup: + anyOf: + - type: integer + - type: string + description: |- + Supplementary Group ID for all processes within any containers of the pod. + x-kubernetes-int-or-string: true + fsGroupChangePolicy: + description: |- + Behavior for changing ownership and permissions of the volume. + Applies only to volume types that support fsGroup controlled ownership and permissions. + Can be either OnRootMismatch or Always (default). + default: Always + enum: + - OnRootMismatch + - Always + type: string + type: object schedulerName: description: Name of Scheduler to use for pod placement (defaults to “default-scheduler”) diff --git a/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml b/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml index 09e90481e..b06f9aefd 100644 --- a/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml +++ b/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml @@ -131,6 +131,10 @@ items: {{- end }} {{- with $.Values.indexerCluster.resources }} resources: +{{ toYaml . | indent 6 }} + {{- end }} + {{- with $.Values.indexerCluster.securityContext }} + securityContext: {{ toYaml . | indent 6 }} {{- end }} {{- with $.Values.indexerCluster.serviceTemplate }} 
diff --git a/helm-chart/splunk-enterprise/values.yaml b/helm-chart/splunk-enterprise/values.yaml index 027f8fb78..c7ad0ac8f 100644 --- a/helm-chart/splunk-enterprise/values.yaml +++ b/helm-chart/splunk-enterprise/values.yaml @@ -329,6 +329,10 @@ indexerCluster: # memory: "12Gi" # cpu: "24" + # Set security context for Indexer Cluster pods + # Reference: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods + securityContext: {} + serviceAccount: "" # ServiceTemplate is a template used to create Kubernetes services diff --git a/helm-chart/splunk-operator/crds/enterprise.splunk.com_indexerclusters.yaml b/helm-chart/splunk-operator/crds/enterprise.splunk.com_indexerclusters.yaml index e6d930c62..5bba88ea2 100644 --- a/helm-chart/splunk-operator/crds/enterprise.splunk.com_indexerclusters.yaml +++ b/helm-chart/splunk-operator/crds/enterprise.splunk.com_indexerclusters.yaml 
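Review bot: The comment above `securityContext: {}` links to the general Kubernetes security-context page, but the CRD schema added in this commit accepts only `runAsUser`, `runAsGroup`, `fsGroup` and `fsGroupChangePolicy`. A user who copies other keys from that page, such as `runAsNonRoot` or `seccompProfile`, will presumably have them pruned or rejected by the API server, and may believe a hardening setting is in effect when it is not. I would list the supported keys in the comment, e.g. `# Supported keys: runAsUser, runAsGroup, fsGroup, fsGroupChangePolicy (other PodSecurityContext fields are not accepted)`. The `indexerCluster` mapping starts and ends outside the hunk.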
@@ -1354,6 +1354,42 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + securityContext: + description: Security configuration on the pod level. + properties: + runAsUser: + anyOf: + - type: integer + - type: string + description: |- + User ID for all processes in any containers in the pod. + x-kubernetes-int-or-string: true + runAsGroup: + anyOf: + - type: integer + - type: string + description: |- + Primary Group ID for all processes within any containers of the pod. + Root by default. + x-kubernetes-int-or-string: true + fsGroup: + anyOf: + - type: integer + - type: string + description: |- + Supplementary Group ID for all processes within any containers of the pod. + x-kubernetes-int-or-string: true + fsGroupChangePolicy: + description: |- + Behavior for changing ownership and permissions of the volume. + Applies only to volume types that support fsGroup controlled ownership and permissions. + Can be either OnRootMismatch or Always (default). + default: Always + enum: + - OnRootMismatch + - Always + type: string + type: object schedulerName: description: Name of Scheduler to use for pod placement (defaults to “default-scheduler”)