This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Enable Elasticsearch running as non-root without any extra capabilities or privileges (#703)

* Enable running OD-ES as non-root via helm

By setting a securityContext for the pod, disabling initContainers and not
giving SYS_CHROOT cap (both of which might not even be required anyway) it
is possible to run as non-root.

The "fixmount" initContainer is not required if a fsGroup is set via
securityContext.

The "SYS_CHROOT" cap does not appear to be required any more.

Example parameters for this setup are given in values-nonroot.yaml

Signed-off-by: Tim Rice <[email protected]>

* document new parameters

Signed-off-by: Tim Rice <[email protected]>

* rename helm variable 'elasticsearch.securityContext' to 'elasticsearch.securityContextCustom'

Signed-off-by: Tim Rice <[email protected]>

Co-authored-by: Tim Rice <[email protected]>
timricese and Tim Rice authored Mar 26, 2021
1 parent 9eed712 commit 260edbd
Showing 6 changed files with 600 additions and 0 deletions.
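The commit message says the non-root setup is achieved by setting a pod securityContext and switching off the init containers and the SYS_CHROOT capability, and that example parameters live in values-nonroot.yaml, which this page does not show. The values file below is an added illustration written for this page, not the repository's own file; every key in it appears in the README table of this commit, and the uid/gid 1000 is an assumption taken from the `chown -R 1000:1000` that the fixmount init container runs.

```yaml
# Added example values for a root-free Elasticsearch pod (not the project's
# values-nonroot.yaml). Keys are the ones this commit adds to the chart.
elasticsearch:
  # Rendered as the pod-level securityContext by the new securityContextCustom block.
  # Assumption: the Elasticsearch process in the image runs as uid/gid 1000,
  # matching the chown done by the fixmount init container this replaces.
  securityContextCustom:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true      # kubelet refuses to start the container as uid 0
    fsGroup: 1000           # kubelet sets group ownership on the data volume,
                            # which is why the fixmount chown is no longer needed
  fixmount:
    enabled: false          # no root-running chown init container
  sys_chroot:
    enabled: false          # container keeps the default capability set
  sysctl:
    enabled: false          # no privileged init container; vm.max_map_count must
                            # already be raised on the nodes (>= 262144) by other means
```

To check the result before rolling it out, render the chart with `helm template` against these values and confirm that no `privileged: true` and no `SYS_CHROOT` remain in the output, and that `runAsNonRoot: true` and `fsGroup` appear under `spec.template.spec.securityContext` of each StatefulSet and Deployment.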
4 changes: 4 additions & 0 deletions helm/README.md
@@ -513,6 +513,9 @@ The following table lists the configurable parameters of the opendistro elastics
| `kibana.livenessProbe` | Configuration for the [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `[]` |
| `kibana.startupProbe` | Configuration for the [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `[]` |
| `elasticsearch.discoveryOverride` | For hot/warm architectures. Allows second aliased deployment to find cluster. | `""` |
| `elasticsearch.fixmount.enabled` | Enable initContainer to fix mount permissions. Not required if setting a fsGroup via securityContext | `true` |
| `elasticsearch.sys_chroot.enabled` | Enable giving Elasticsearch containers the "SYS_CHROOT" capability. | `true` |
| `elasticsearch.sysctl.enabled` | Enable initContainer to set sysctl "vm.max_map_count" | `true` |
| `elasticsearch.securityConfig.enabled` | Use custom [security configs](https://github.com/opendistro-for-elasticsearch/security/tree/master/securityconfig) | `"true"` |
| `elasticsearch.securityConfig.path` | Path to security config files | `"/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"` |
| `elasticsearch.securityConfig.actionGroupsSecret` | Name of secret with [action_groups.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/action_groups.yml) defined | `""` |
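Review bot: the `elasticsearch.fixmount.enabled` row says the init container is not needed "if setting a fsGroup via securityContext", but the value that actually carries the pod securityContext is `elasticsearch.securityContextCustom`, documented further down this table; name it here so readers know which value to set (and "an fsGroup" reads better), e.g. `Not required if an fsGroup is set via elasticsearch.securityContextCustom`. The `elasticsearch.sys_chroot.enabled` row should also say that the capability is added to the container-level securityContext, so someone auditing rendered pod specs knows where to look; both defaults staying `true` means existing installs keep their current (root, SYS_CHROOT) behaviour, which is worth stating explicitly.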
@@ -521,6 +524,7 @@ The following table lists the configurable parameters of the opendistro elastics
| `elasticsearch.securityConfig.rolesSecret` | Name of secret with [roles.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles.yml) defined | `""` |
| `elasticsearch.securityConfig.rolesMappingSecret` | Name of secret with [roles_mapping.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles_mapping.yml) defined | `""` |
| `elasticsearch.securityConfig.tenantsSecret` | Name of secret with [tenants.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/tenants.yml) defined | `""` |
| `elasticsearch.securityContextCustom` | securityContext for the ElasticSearch pods | `{}` |
| `elasticsearch.ssl.transport.existingCertSecret` | Name of secret that contains the transport certs | `""` |
| `elasticsearch.ssl.transport.existingCertSecretCertSubPath` | Subpath of elastic transport cert secret | `"elk-transport-crt.pem"` |
| `elasticsearch.ssl.transport.existingCertSecretKeySubPath` | Subpath of elastic transport key secret | `"elk-transport-key.pem"` |
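Review bot: the `elasticsearch.securityContextCustom` description should say that this is the pod-level securityContext (`spec.template.spec.securityContext`), as opposed to the container-level one that carries SYS_CHROOT, and that `runAsUser`, `runAsNonRoot` and `fsGroup` are the fields expected here, since that is what makes the fixmount and SYS_CHROOT switches safe to turn off. Spelling: `Elasticsearch` rather than `ElasticSearch`, matching the rest of the table.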
@@ -69,12 +69,18 @@ spec:
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
securityContext:
{{- if .Values.elasticsearch.sys_chroot.enabled }}
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
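Review bot: `securityContext:` for the `elasticsearch` container is emitted unconditionally while the `capabilities` block under it is wrapped in `{{- if .Values.elasticsearch.sys_chroot.enabled }}`, so with the flag off the rendered manifest contains an empty `securityContext:` key (a YAML null). Kubernetes accepts that, but es-master-sts.yaml in this same commit puts the `{{- if }}` around the whole stanza; pick one form for all templates. If the key is kept unconditional, it is the natural place for container-level hardening in the non-root case, for example `allowPrivilegeEscalation: false` or a `capabilities.drop` list. The pod-level `{{- with .Values.elasticsearch.securityContextCustom }}` block and its `indent 8` look correct for this position in the template.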
8 changes: 8 additions & 0 deletions helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml
@@ -65,13 +65,15 @@ spec:
securityContext:
privileged: true
{{- end }}
{{- if .Values.elasticsearch.fixmount.enabled }}
- name: fixmount
command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ]
image: {{ .Values.global.imageRegistry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }}
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: data
subPath: {{ .Values.elasticsearch.data.persistence.subPath }}
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
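Review bot: gating `fixmount` on `elasticsearch.fixmount.enabled` is the right change, but the `chown -R 1000:1000` it runs hard-codes the uid/gid, so if the init container is left enabled next to a `securityContextCustom` that sets a different `runAsUser` or `fsGroup`, the data directory ends up owned by an id the process no longer runs as; either document that 1000 must match the chosen ids or derive them from the same values. The opposite combination, `fixmount.enabled: false` with no `fsGroup` set, yields a pod that starts and then cannot write to the data volume; a `{{ fail }}` guard in the template or one sentence in the README on that combination would save operators a debugging round.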
@@ -80,11 +82,17 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
securityContext:
{{- if .Values.elasticsearch.sys_chroot.enabled }}
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
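Review bot: the init container visible in the context at the top of the previous hunk still runs with `privileged: true`, and nothing in this change touches it, so setting `securityContextCustom` with `runAsNonRoot: true` alone does not give a root-free pod; the commit message relies on disabling init containers, but the README rows added here never tie `elasticsearch.sysctl.enabled=false` to the non-root setup. Please document that dependency, or have the pod-level block and the privileged init container fail rendering together. As in the Deployment template, the container `securityContext:` key is emitted unconditionally here while only `capabilities` is conditional.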
8 changes: 8 additions & 0 deletions helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml
@@ -70,24 +70,32 @@ spec:
securityContext:
privileged: true
{{- end }}
{{- if .Values.elasticsearch.fixmount.enabled }}
- name: fixmount
command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ]
image: {{ .Values.global.imageRegistry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }}
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: data
subPath: {{ .Values.elasticsearch.master.persistence.subPath }}
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
{{- if .Values.elasticsearch.master.extraInitContainers }}
{{ toYaml .Values.elasticsearch.master.extraInitContainers| indent 6 }}
{{- end }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
{{- if .Values.elasticsearch.sys_chroot.enabled }}
securityContext:
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
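Review bot: here `{{- if .Values.elasticsearch.sys_chroot.enabled }}` wraps `securityContext:` itself, whereas in the data StatefulSet and the Deployment only the `capabilities` block is conditional; the rendered output differs (no key versus a null key) and the three templates should agree on one form. The `fixmount` gate and the pod-level `securityContextCustom` block match the data StatefulSet, which is good; the hard-coded uid/gid in `chown -R 1000:1000` applies here too and should match whatever `runAsUser`/`fsGroup` the operator puts in `securityContextCustom`.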

0 comments on commit 260edbd
