This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Enable Elasticsearch running as non-root without any extra capabilities or privileges #703

Merged
merged 3 commits into from
Mar 26, 2021
4 changes: 4 additions & 0 deletions helm/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,9 @@ The following table lists the configurable parameters of the opendistro elastics
| `kibana.livenessProbe` | Configuration for the [livenessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `[]` |
| `kibana.startupProbe` | Configuration for the [startupProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | `[]` |
| `elasticsearch.discoveryOverride` | For hot/warm architectures. Allows second aliased deployment to find cluster. | `""` |
| `elasticsearch.fixmount.enabled` | Enable initContainer to fix mount permissions. Not required if setting a fsGroup via securityContext | `true` |
| `elasticsearch.sys_chroot.enabled` | Enable giving Elasticsearch containers the "SYS_CHROOT" capability. | `true` |
| `elasticsearch.sysctl.enabled` | Enable initContainer to set sysctl "vm.max_map_count" | `true` |
| `elasticsearch.securityConfig.enabled` | Use custom [security configs](https://github.com/opendistro-for-elasticsearch/security/tree/master/securityconfig) | `"true"` |
| `elasticsearch.securityConfig.path` | Path to security config files | `"/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"` |
| `elasticsearch.securityConfig.actionGroupsSecret` | Name of secret with [action_groups.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/action_groups.yml) defined | `""` |
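Review bot: the new `fixmount.enabled` and `sys_chroot.enabled` rows default to `true`, so the chart stays opt-out and the goal in the title (non-root, no extra capabilities) is only reached by a combination the README never spells out; add a sentence after the table listing it: `sysctl.enabled=false` (only where `vm.max_map_count` is already set on the nodes), `fixmount.enabled=false` together with an `fsGroup` in `securityContextCustom`, and `sys_chroot.enabled=false`. The `fixmount` description should also name the key the fsGroup goes in, e.g. "Not required if setting an fsGroup via `elasticsearch.securityContextCustom`", and please confirm that `values.yaml` in this change defines both new maps, since `.Values.elasticsearch.fixmount.enabled` fails to render when the `fixmount` map is absent.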
Expand All @@ -521,6 +524,7 @@ The following table lists the configurable parameters of the opendistro elastics
| `elasticsearch.securityConfig.rolesSecret` | Name of secret with [roles.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles.yml) defined | `""` |
| `elasticsearch.securityConfig.rolesMappingSecret` | Name of secret with [roles_mapping.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/roles_mapping.yml) defined | `""` |
| `elasticsearch.securityConfig.tenantsSecret` | Name of secret with [tenants.yml](https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/tenants.yml) defined | `""` |
| `elasticsearch.securityContextCustom` | securityContext for the ElasticSearch pods | `{}` |
| `elasticsearch.ssl.transport.existingCertSecret` | Name of secret that contains the transport certs | `""` |
| `elasticsearch.ssl.transport.existingCertSecretCertSubPath` | Subpath of elastic transport cert secret | `"elk-transport-crt.pem"` |
| `elasticsearch.ssl.transport.existingCertSecretKeySubPath` | Subpath of elastic transport key secret | `"elk-transport-key.pem"` |
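Review bot: `ElasticSearch` in the `securityContextCustom` row should read `Elasticsearch`, matching the rest of the table. The description should also say this is the pod-level securityContext (it lands under `spec.template.spec`, so it applies to the init containers as well, `fixmount` included), as distinct from the container-level securityContext that carries the `SYS_CHROOT` capability; something like "Pod-level securityContext for the Elasticsearch pods (also applies to init containers)".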
Expand Up @@ -69,12 +69,18 @@ spec:
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
securityContext:
{{- if .Values.elasticsearch.sys_chroot.enabled }}
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
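Review bot: the container-level `securityContext:` key is rendered unconditionally while its only child (`capabilities`) sits inside the `sys_chroot.enabled` guard, so with the flag off the manifest contains `securityContext: null`. Kubernetes tolerates the null, but `es-master-sts.yaml` in this same change puts `securityContext:` inside the `if`; move the key inside the guard here too, for a clean manifest and consistency across the templates.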
8 changes: 8 additions & 0 deletions helm/opendistro-es/templates/elasticsearch/es-data-sts.yaml
Expand Up @@ -65,13 +65,15 @@ spec:
securityContext:
privileged: true
{{- end }}
{{- if .Values.elasticsearch.fixmount.enabled }}
- name: fixmount
command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ]
image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }}
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: data
subPath: {{ .Values.elasticsearch.data.persistence.subPath }}
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
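Review bot: the `fixmount` init container hardcodes `chown -R 1000:1000` and sets no securityContext of its own, so it inherits whatever `securityContextCustom` places at pod level. A user who sets `runAsUser`/`runAsNonRoot` there while leaving `fixmount.enabled` at its default of `true` gets a `chown` that runs unprivileged and fails on a root-owned volume, and one who sets `runAsUser` to anything other than 1000 gets a data directory owned by the wrong UID. Either derive the chown target from the configured `runAsUser`, give `fixmount` an explicit `securityContext` with `runAsUser: 0`, or state in the README that `fixmount` must be disabled whenever `securityContextCustom` sets a user.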
Expand All @@ -80,11 +82,17 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
serviceAccountName: {{ template "opendistro-es.elasticsearch.serviceAccountName" . }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
securityContext:
{{- if .Values.elasticsearch.sys_chroot.enabled }}
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
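Review bot: as in the previous template hunk, `securityContext:` under the `elasticsearch` container is emitted even when `sys_chroot.enabled` is false, yielding `securityContext: null`; `es-master-sts.yaml` wraps the key itself in the `if`, so do the same here so all three templates render identically for the same values.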
8 changes: 8 additions & 0 deletions helm/opendistro-es/templates/elasticsearch/es-master-sts.yaml
Expand Up @@ -70,24 +70,32 @@ spec:
securityContext:
privileged: true
{{- end }}
{{- if .Values.elasticsearch.fixmount.enabled }}
- name: fixmount
command: [ 'sh', '-c', 'chown -R 1000:1000 /usr/share/elasticsearch/data' ]
image: {{ .Values.global.registry }}/{{ .Values.elasticsearch.initContainer.image }}:{{ .Values.elasticsearch.initContainer.imageTag }}
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: data
subPath: {{ .Values.elasticsearch.master.persistence.subPath }}
{{- end }}
{{- if .Values.elasticsearch.extraInitContainers }}
{{ toYaml .Values.elasticsearch.extraInitContainers| indent 6 }}
{{- end }}
{{- if .Values.elasticsearch.master.extraInitContainers }}
{{ toYaml .Values.elasticsearch.master.extraInitContainers| indent 6 }}
{{- end }}
{{- with .Values.elasticsearch.securityContextCustom }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
containers:
- name: elasticsearch
{{- if .Values.elasticsearch.sys_chroot.enabled }}
securityContext:
capabilities:
add: ["SYS_CHROOT"]
{{- end }}
env:
- name: cluster.name
value: {{ .Values.global.clusterName }}
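Review bot: this is the cleaner shape, with `securityContext:` inside the `sys_chroot.enabled` guard so nothing is emitted when the capability is off; use it as the reference for the data StatefulSet and the first template hunk on this page, which leave the key outside the guard. The `fixmount` container here also chowns to a fixed `1000:1000`, so whatever README note is added about `securityContextCustom` overriding the user applies to the master pods as well.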