From b18b182f0d819c2eaf778676682660299b299b61 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 18 Mar 2021 11:06:37 +0100 Subject: [PATCH 1/3] Enable running OD-ES as non-root via helm By setting a securityContext for the pod, disabling initContainers and not giving SYS_CHROOT cap (both of which might not even be required anyway) it is possible to run as non-root. The "fixmount" initContainer is not required if a fsGroup is set via securityContext. The "SYS_CHROOT" cap does not appear to be required any more. Example parameters for this setup are given in values-nonroot.yaml Signed-off-by: Tim Rice --- .../elasticsearch/es-client-deploy.yaml | 6 + .../templates/elasticsearch/es-data-sts.yaml | 8 + .../elasticsearch/es-master-sts.yaml | 8 + helm/opendistro-es/values-nonroot.yaml | 558 ++++++++++++++++++ helm/opendistro-es/values.yaml | 16 + 5 files changed, 596 insertions(+) create mode 100644 helm/opendistro-es/values-nonroot.yaml diff --git a/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml b/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml index ac3f6ddd4..054329302 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml +++ b/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml @@ -69,12 +69,18 @@ spec: {{- end }} {{- if .Values.elasticsearch.extraInitContainers }} {{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} +{{- end }} +{{- with .Values.elasticsearch.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} {{- end }} containers: - name: elasticsearch securityContext: +{{- if .Values.elasticsearch.sys_chroot.enabled }} capabilities: add: ["SYS_CHROOT"] +{{- end }} env: - name: cluster.name value: {{ .Values.global.clusterName }} diff --git a/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml b/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml index 0537a0e1a..9113ec4bb 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml 
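Review bot: In the es-client-deploy.yaml hunk the container-level `securityContext:` key stays unconditional while its only child, `capabilities:`, is now inside `{{- if .Values.elasticsearch.sys_chroot.enabled }}`, so with sys_chroot disabled the rendered container carries an empty `securityContext:` (a YAML null). The API server tolerates a null object field, but the es-master-sts.yaml hunk (@@ -77,17 +78,24) puts the `{{- if` line above `securityContext:` instead, and es-data-sts.yaml (@@ -80,11 +82,17) follows the client form, so the three templates render differently for the same values. Moving the guard up here and in the data template, i.e. `{{- if .Values.elasticsearch.sys_chroot.enabled }}` / `securityContext:` / `capabilities:`, matches the master template and avoids emitting the null key. The enclosing pod spec begins above the hunk.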
+++ b/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml @@ -65,6 +65,7 @@ spec: securityContext: privileged: true {{- end }} +{{- if .Values.elasticsearch.fixmount.enabled }} - name: fixmount command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ] image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} @@ -72,6 +73,7 @@ spec: - mountPath: /usr/share/elasticsearch/data name: data subPath: {{ .Values.elasticsearch.data.persistence.subPath }} +{{- end }} {{- if .Values.elasticsearch.extraInitContainers }} {{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} {{- end }} @@ -80,11 +82,17 @@ spec: {{ toYaml . | indent 8 }} {{- end }} serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }} +{{- with .Values.elasticsearch.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} +{{- end }} containers: - name: elasticsearch securityContext: +{{- if .Values.elasticsearch.sys_chroot.enabled }} capabilities: add: ["SYS_CHROOT"] +{{- end }} env: - name: cluster.name value: {{ .Values.global.clusterName }} diff --git a/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml b/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml index 3c46a7927..4eea9f3d6 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml +++ b/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml @@ -70,6 +70,7 @@ spec: securityContext: privileged: true {{- end }} +{{- if .Values.elasticsearch.fixmount.enabled }} - name: fixmount command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ] image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }} 
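Review bot: The `fixmount` init container now guarded by `{{- if .Values.elasticsearch.fixmount.enabled }}` still runs `chown -R 1000:1000`, while the pod-level `securityContext` added in the @@ -80,11 +82,17 hunk of this file lets an operator choose any `runAsUser`/`fsGroup`; with both enabled and a UID other than 1000, the init container sets ownership the main container cannot use. Unless the chown is meant to be derived from those same values, a comment in values.yaml next to `fixmount:` such as `## fixmount chowns the data volume to 1000:1000 regardless of securityContext; disable it when running with another UID/GID` would make the interaction explicit. The same guard is added to es-master-sts.yaml (@@ -70,6 +70,7). The `initContainers:` list itself begins above this hunk, so whether it can render with no entries once sysctl, fixmount and extraInitContainers are all off is not visible here.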
@@ -77,17 +78,24 @@ spec: - mountPath: /usr/share/elasticsearch/data name: data subPath: {{ .Values.elasticsearch.master.persistence.subPath }} +{{- end }} {{- if .Values.elasticsearch.extraInitContainers }} {{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} {{- end }} {{- if .Values.elasticsearch.master.extraInitContainers }} {{ toYaml .Values.elasticsearch.master.extraInitContainers| indent 6 }} +{{- end }} +{{- with .Values.elasticsearch.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} {{- end }} containers: - name: elasticsearch +{{- if .Values.elasticsearch.sys_chroot.enabled }} securityContext: capabilities: add: ["SYS_CHROOT"] +{{- end }} env: - name: cluster.name value: {{ .Values.global.clusterName }} diff --git a/helm/opendistro-es/values-nonroot.yaml b/helm/opendistro-es/values-nonroot.yaml new file mode 100644 index 000000000..e6265e6c7 --- /dev/null +++ b/helm/opendistro-es/values-nonroot.yaml 
@@ -0,0 +1,558 @@ +# Copyright 2019 Viasat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"). +# You may not use this file except in compliance with the License. +# A copy of the License is located at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# or in the "license" file accompanying this file. This file is distributed +# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +# express or implied. See the License for the specific language governing +# permissions and limitations under the License. + +kibana: + enabled: true + image: amazon/opendistro-for-elasticsearch-kibana + imageTag: 1.13.1 + ## Specifies the image pull policy. Can be "Always" or "IfNotPresent" or "Never". + ## Default to "Always". + imagePullPolicy: "" + replicas: 1 + port: 5601 + externalPort: 443 + resources: {} + # limits: + # cpu: 2500m + # memory: 2Gi + # requests: + # cpu: 500m + # memory: 512Mi + readinessProbe: [] + livenessProbe: [] + startupProbe: [] + + elasticsearchAccount: + secret: "" + keyPassphrase: + enabled: false + + extraEnvs: [] + + extraVolumes: [] + # - name: extras + # emptyDir: {} + + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + ssl: + kibana: + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: kibana-crt.pem + existingCertSecretKeySubPath: kibana-key.pem + existingCertSecretRootCASubPath: kibana-root-ca.pem + elasticsearch: + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: elk-rest-crt.pem + existingCertSecretKeySubPath: elk-rest-key.pem + existingCertSecretRootCASubPath: elk-rest-root-ca.pem + + + + configDirectory: "/usr/share/kibana/config" + certsDirectory: "/usr/share/kibana/certs" + + ingress: + ## Set to true to 
enable ingress record generation + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + service: + type: ClusterIP + annotations: {} + + config: {} + ## Default Kibana configuration from kibana-docker. + # server.name: kibana + # server.host: "0" + + ## Replace with Elasticsearch DNS name picked during Service deployment + # elasticsearch.hosts: ${ELASTIC_URL} + # elasticsearch.requestTimeout: 360000 + + ## Kibana TLS Config + # server.ssl.enabled: true + # server.ssl.key: /usr/share/kibana/certs/kibana-key.pem + # server.ssl.certificate: /usr/share/kibana/certs/kibana-crt.pem + # elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/certs/kibana-root-ca.pem + + # opendistro_security.cookie.secure: true + # opendistro_security.cookie.password: ${COOKIE_PASS} + + + + ## Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + ## Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + affinity: {} + + serviceAccount: + ## Specifies whether a ServiceAccount should be created + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + + podAnnotations: {} + + +global: + clusterName: elasticsearch + + ## Do not create psp for non-root, as this is a cluster scoped resource + ## and we want this to work in namespace-scoped tenancy models + psp: + create: false + + rbac: + enabled: true + + # Optionally override the docker registry to use for images + registry: docker.io + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ # imagePullSecrets: + # - myRegistryKeySecretName + + +elasticsearch: + ## Used when deploying hot/warm architecture. Allows second aliased deployment to find cluster. + ## Default {{ template opendistro-es.fullname }}-discovery. + discoveryOverride: "" + securityConfig: + enabled: true + path: "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + #The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants + #Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used + config: + securityConfigSecret: + data: {} + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # rolesMapping.yml: |- + # tenants.yml: |- + + + ## securityContext to apply to the pod. Allows for running as non-root + securityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsGroup: 1000 + + extraEnvs: [] + + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraVolumes: [] + # - name: extras + # emptyDir: {} + + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + + initContainer: + image: busybox + imageTag: 1.27.2 + + ## Set optimal sysctl's. This requires privilege. Can be disabled if + ## the system has already been preconfigured. + sysctl: + enabled: false + + ## Give SYS_CHROOT cap to ES pods. This might not be neccesary + sys_chroot: + enabled: false + + ## init container to chown the mount volume. 
not neccesary if setting a + ## fsGroup in the securityContext + fixmount: + enabled: false + + ssl: + ## TLS is mandatory for the transport layer and can not be disabled + transport: + existingCertSecret: + existingCertSecretCertSubPath: elk-transport-crt.pem + existingCertSecretKeySubPath: elk-transport-key.pem + existingCertSecretRootCASubPath: elk-transport-root-ca.pem + rest: + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: elk-rest-crt.pem + existingCertSecretKeySubPath: elk-rest-key.pem + existingCertSecretRootCASubPath: elk-rest-root-ca.pem + admin: + enabled: false + existingCertSecret: + existingCertSecretCertSubPath: admin-crt.pem + existingCertSecretKeySubPath: admin-key.pem + existingCertSecretRootCASubPath: admin-root-ca.pem + + master: + enabled: true + replicas: 1 + updateStrategy: "RollingUpdate" + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + # existingClaim: + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + ## Open Distro master Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi + javaOpts: "-Xms512m -Xmx512m" + podDisruptionBudget: + enabled: false + minAvailable: 1 + readinessProbe: [] + livenessProbe: + tcpSocket: + port: transport + initialDelaySeconds: 60 + periodSeconds: 10 + startupProbe: [] + nodeSelector: {} + tolerations: [] + ## Anti-affinity to disallow deploying client and master nodes on the same worker node + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: master + podAnnotations: {} + + extraInitContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + + data: + enabled: true + ## Enables dedicated statefulset for data. Otherwise master nodes as data storage + dedicatedPod: + enabled: true + replicas: 1 + updateStrategy: "RollingUpdate" + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + # existingClaim: + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + ## Open Distro master Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi + javaOpts: "-Xms512m -Xmx512m" + podDisruptionBudget: + enabled: false + minAvailable: 1 + readinessProbe: [] + livenessProbe: + tcpSocket: + port: transport + initialDelaySeconds: 60 + periodSeconds: 10 + startupProbe: [] + nodeSelector: {} + tolerations: [] + ## Anti-affinity to disallow deploying client and master nodes on the same worker node + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: data + podAnnotations: {} + + client: + enabled: true + ## Enables dedicated deployment for client/ingest. Otherwise master nodes as client/ingest + dedicatedPod: + enabled: true + service: + type: ClusterIP + annotations: {} + # # Defined ELB backend protocol as HTTPS to allow connection to Elasticsearch API + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + + # # ARN of ACM certificate registered to the deployed ELB for handling connections over TLS + # # ACM certificate should be issued to the DNS hostname defined earlier (elk.sec.example.com) + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:111222333444:certificate/c69f6022-b24f-43d9-b9c8-dfe288d9443d" + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true" + # service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: "60" + # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + + # # Annotation to create internal only ELB + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + replicas: 1 + 
javaOpts: "-Xms512m -Xmx512m" + ingress: + ## Set to true to enable ingress record generation + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # # Depending on your Ingress Controller you may need to set one of the two below annotations to have NGINX call the backend using HTTPS + # nginx.org/ssl-services:"{{ template "opendistro-es.fullname" . }}-client-service" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + labels: {} + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + resources: {} + # limits: + # cpu: 1 + # memory: 1024Mi + # requests: + # cpu: 200m + # memory: 1024Mi + podDisruptionBudget: + enabled: false + minAvailable: 1 + readinessProbe: [] + livenessProbe: + tcpSocket: + port: transport + initialDelaySeconds: 60 + periodSeconds: 10 + startupProbe: [] + nodeSelector: {} + tolerations: [] + ## Weighted anti-affinity to disallow deploying client node to the same worker node as master node + affinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # podAffinityTerm: + # topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # role: client + podAnnotations: {} + + config: {} + ## Example Config + # opendistro_security.allow_unsafe_democertificates: false + # opendistro_security.allow_default_init_securityindex: true + # opendistro_security.audit.type: internal_elasticsearch + # opendistro_security.enable_snapshot_restore_privilege: true + # opendistro_security.check_snapshot_restore_write_privileges: true + # cluster.routing.allocation.disk.threshold_enabled: false + # opendistro_security.audit.config.disabled_rest_categories: NONE + # opendistro_security.audit.config.disabled_transport_categories: NONE + # cluster: + # name: ${CLUSTER_NAME} + # node: + # master: ${NODE_MASTER} + # data: ${NODE_DATA} + # name: ${NODE_NAME} + # ingest: 
${NODE_INGEST} + # max_local_storage_nodes: 1 + # attr.box_type: hot + + # processors: ${PROCESSORS:1} + + # network.host: ${NETWORK_HOST} + + # thread_pool.bulk.queue_size: 800 + + # path: + # data: /usr/share/elasticsearch/data + # logs: /usr/share/elasticsearch/logs + + # http: + # enabled: ${HTTP_ENABLE} + # compression: true + + # discovery: + # zen: + # ping.unicast.hosts: ${DISCOVERY_SERVICE} + # minimum_master_nodes: ${NUMBER_OF_MASTERS} + + # # TLS Configuration Transport Layer + # opendistro_security.ssl.transport.pemcert_filepath: elk-transport-crt.pem + # opendistro_security.ssl.transport.pemkey_filepath: elk-transport-key.pem + # opendistro_security.ssl.transport.pemtrustedcas_filepath: elk-transport-root-ca.pem + # opendistro_security.ssl.transport.enforce_hostname_verification: false + + # # TLS Configuration REST Layer + # opendistro_security.ssl.http.enabled: true + # opendistro_security.ssl.http.pemcert_filepath: elk-rest-crt.pem + # opendistro_security.ssl.http.pemkey_filepath: elk-rest-key.pem + # opendistro_security.ssl.http.pemtrustedcas_filepath: elk-rest-root-ca.pem + + log4jConfig: "" + + loggingConfig: + ## Default config + ## you can override this using by setting a system property, for example -Des.logger.level=DEBUG + es.logger.level: INFO + rootLogger: ${es.logger.level}, console + logger: + ## log action execution errors for easier debugging + action: DEBUG + ## reduce the logging for aws, too much is logged under the default INFO + com.amazonaws: WARN + appender: + console: + type: console + layout: + type: consolePattern + conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" + + transportKeyPassphrase: + enabled: false + passPhrase: + + sslKeyPassphrase: + enabled: false + passPhrase: + + maxMapCount: 262144 + + image: amazon/opendistro-for-elasticsearch + imageTag: 1.13.1 + ## Specifies the image pull policy. Can be "Always" or "IfNotPresent" or "Never". + ## Default to "Always". 
+ imagePullPolicy: "" + + configDirectory: /usr/share/elasticsearch/config + + serviceAccount: + ## Specifies whether a ServiceAccount should be created + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + + +nameOverride: "" +fullnameOverride: "" diff --git a/helm/opendistro-es/values.yaml b/helm/opendistro-es/values.yaml index 2b1276c6e..c98753396 100644 --- a/helm/opendistro-es/values.yaml +++ b/helm/opendistro-es/values.yaml @@ -180,6 +180,13 @@ elasticsearch: # rolesMapping.yml: |- # tenants.yml: |- + + ## securityContext to apply to the pod. Allows for running as non-root + securityContext: {} + # fsGroup: 1000 + # runAsUser: 1000 + # runAsGroup: 1000 + extraEnvs: [] extraInitContainers: [] @@ -205,6 +212,15 @@ elasticsearch: sysctl: enabled: true + ## Give SYS_CHROOT cap to ES pods. This might not be neccesary + sys_chroot: + enabled: true + + ## init container to chown the mount volume. not neccesary if setting a + ## fsGroup in the securityContext + fixmount: + enabled: true + ssl: ## TLS is mandatory for the transport layer and can not be disabled transport: From 80ffe0abf1396decad226a898158acda183fe3ac Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 18 Mar 2021 11:33:33 +0100 Subject: [PATCH 2/3] document new parameters Signed-off-by: Tim Rice --- helm/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/helm/README.md b/helm/README.md index c957c227e..f4d5c0919 100644 --- a/helm/README.md +++ b/helm/README.md 
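Review bot: The example `securityContext` in values-nonroot.yaml sets `fsGroup`, `runAsUser` and `runAsGroup` but not `runAsNonRoot: true`, so nothing makes the kubelet refuse to start the container if the image or a later values override falls back to UID 0; adding `runAsNonRoot: true` to the same block turns the non-root setup from a convention into an enforced check. The new 558-line file appears to copy values.yaml wholesale and change only a handful of keys (`psp.create`, `securityContext`, `sysctl`, `sys_chroot`, `fixmount`), which will drift as defaults change; since `helm install -f` merges a values file over the chart defaults, an overlay holding just those keys would serve the same purpose. The comment `## Give SYS_CHROOT cap to ES pods. This might not be neccesary` misspells "necessary" (also under `fixmount:`) and is vaguer than the commit message, which states the cap does not appear to be required any more; the same two comments are added to values.yaml in the @@ -205,6 +212,15 hunk.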
@@ -513,6 +513,9 @@ The following table lists the configurable parameters of the opendistro elastics | `kibana.livenessProbe` | Configuration for the [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `[]` | | `kibana.startupProbe` | Configuration for the [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `[]` | | `elasticsearch.discoveryOverride` | For hot/warm architectures. Allows second aliased deployment to find cluster. | `""` | +| `elasticsearch.fixmount.enabled` | Enable initContainer to fix mount permissions. Not required if setting a fsGroup via securityContext | `true` | +| `elasticsearch.sys_chroot.enabled` | Enable giving Elasticsearch containers the "SYS_CHROOT" capability. | `true` | +| `elasticsearch.sysctl.enabled` | Enable initContainer to set sysctl "vm.max_map_count" | `true` | | `elasticsearch.securityConfig.enabled` | Use custom [security configs](https://github.com/opendistro-for-elasticsearch/security/tree/master/securityconfig) | `"true"` | | `elasticsearch.securityConfig.path` | Path to security config files | `"/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"` | | `elasticsearch.securityConfig.actionGroupsSecret` | Name of secret with [action_groups.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/action_groups.yml) defined | `""` | 
@@ -521,6 +524,7 @@ The following table lists the configurable parameters of the opendistro elastics | `elasticsearch.securityConfig.rolesSecret` | Name of secret with [roles.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles.yml) defined | `""` | | `elasticsearch.securityConfig.rolesMappingSecret` | Name of secret with [roles_mapping.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles_mapping.yml) defined | `""` | | `elasticsearch.securityConfig.tenantsSecret` | Name of secret with [tenants.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/tenants.yml) defined | `""` | +| `elasticsearch.securityContext` | securityContext for the ElasticSearch pods | `{}` | | `elasticsearch.ssl.transport.existingCertSecret` | Name of secret that contains the transport certs | `""` | | `elasticsearch.ssl.transport.existingCertSecretCertSubPath` | Subpath of elastic transport cert secret | `"elk-transport-crt.pem"` | | `elasticsearch.ssl.transport.existingCertSecretKeySubPath` | Subpath of elastic transport key secret | `"elk-transport-key.pem"` | From bf5866418ab3a60bce47271b9778793767c7608b Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Fri, 19 Mar 2021 21:00:43 +0100 Subject: [PATCH 3/3] rename helm variable 'elasticsearch.securityContext' to 'elasticsearch.securityContextCustom' Signed-off-by: Tim Rice --- helm/README.md | 2 +- .../opendistro-es/templates/elasticsearch/es-client-deploy.yaml | 2 +- helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml | 2 +- helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml | 2 +- helm/opendistro-es/values-nonroot.yaml | 2 +- helm/opendistro-es/values.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/README.md b/helm/README.md index f4d5c0919..ac985bc2a 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -524,7 +524,7 @@ The following table lists the configurable parameters of the opendistro elastics | `elasticsearch.securityConfig.rolesSecret` | Name of secret with [roles.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles.yml) defined | `""` | | `elasticsearch.securityConfig.rolesMappingSecret` | Name of secret with [roles_mapping.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles_mapping.yml) defined | `""` | | `elasticsearch.securityConfig.tenantsSecret` | Name of secret with [tenants.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/tenants.yml) defined | `""` | -| `elasticsearch.securityContext` | securityContext for the ElasticSearch pods | `{}` | +| `elasticsearch.securityContextCustom` | securityContext for the ElasticSearch pods | `{}` | | `elasticsearch.ssl.transport.existingCertSecret` | Name of secret that contains the transport certs | `""` | | `elasticsearch.ssl.transport.existingCertSecretCertSubPath` | Subpath of elastic transport cert secret | `"elk-transport-crt.pem"` | | `elasticsearch.ssl.transport.existingCertSecretKeySubPath` | Subpath of elastic transport key secret | `"elk-transport-key.pem"` | diff --git a/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml b/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml index 054329302..394c206cb 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml +++ b/helm/opendistro-es/templates/elasticsearch/es-client-deploy.yaml @@ -70,7 +70,7 @@ spec: {{- if .Values.elasticsearch.extraInitContainers }} {{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }} {{- end }} -{{- with .Values.elasticsearch.securityContext }} +{{- with .Values.elasticsearch.securityContextCustom }} securityContext: {{ toYaml . | indent 8 }} {{- end }} 
diff --git a/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml b/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml index 9113ec4bb..cf3c2dd63 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml +++ b/helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml @@ -82,7 +82,7 @@ spec: {{ toYaml . | indent 8 }} {{- end }} serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }} -{{- with .Values.elasticsearch.securityContext }} +{{- with .Values.elasticsearch.securityContextCustom }} securityContext: {{ toYaml . | indent 8 }} {{- end }} diff --git a/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml b/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml index 4eea9f3d6..cc29cf5fb 100644 --- a/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml +++ b/helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml @@ -85,7 +85,7 @@ spec: {{- if .Values.elasticsearch.master.extraInitContainers }} {{ toYaml .Values.elasticsearch.master.extraInitContainers| indent 6 }} {{- end }} -{{- with .Values.elasticsearch.securityContext }} +{{- with .Values.elasticsearch.securityContextCustom }} securityContext: {{ toYaml . | indent 8 }} {{- end }} diff --git a/helm/opendistro-es/values-nonroot.yaml b/helm/opendistro-es/values-nonroot.yaml index e6265e6c7..3c4ebb3ea 100644 --- a/helm/opendistro-es/values-nonroot.yaml +++ b/helm/opendistro-es/values-nonroot.yaml @@ -184,7 +184,7 @@ elasticsearch: ## securityContext to apply to the pod. Allows for running as non-root - securityContext: + securityContextCustom: fsGroup: 1000 runAsUser: 1000 runAsGroup: 1000 diff --git a/helm/opendistro-es/values.yaml b/helm/opendistro-es/values.yaml index c98753396..4b80b4e06 100644 --- a/helm/opendistro-es/values.yaml +++ b/helm/opendistro-es/values.yaml 
@@ -182,7 +182,7 @@ elasticsearch: ## securityContext to apply to the pod. Allows for running as non-root - securityContext: {} + securityContextCustom: {} # fsGroup: 1000 # runAsUser: 1000 # runAsGroup: 1000