elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Enable ECK Fleet Server to run as non-root #3733

Open GeorgeGkinis opened 10 months ago

GeorgeGkinis commented 10 months ago

Describe the enhancement: Enable ECK Fleet Server to run as non-root

Describe a specific use case for the enhancement or feature: The agents can now run as non-root when the installed integrations do not need root. For the APM Server and Fleet we do not need persistence, right?

In the case of K8s logs we do need persistence and root access to the logs. We are allowed to run daemonsets as root, because daemonsets are managed by another team.

Fleet server and APM server are managed by a team that is not allowed to run as root.

Since Elasticsearch, Kibana and Agents can run non-root, it would be great if the full set of ECK products could run non-root. This should include the on-prem package registry as well.

According to the documentation, root for Fleet is only needed for CAs: "The root user is required to persist state in a hostPath volume and to trust the Elasticsearch CA in Fleet mode. See Storing local state in host path volume for options to not run the Agent container as root."

What is the definition of done? Elastic Agent in k8s can run as non-root in the following modes:

jlind23 commented 10 months ago

> The agents can now run as non-root when the installed integrations do not need root.

This is not completely right; for Elastic Agent, @pierrehilbert and the Elastic Agent team are still working on this capability. One of the related PRs can be found here

GeorgeGkinis commented 10 months ago

Thanks for the update, @jlind23!

Please ensure it will work for the agents running in k8s also :)