Run meilisearch as non-root user with readOnlyRootFilesystem

[legal90]

Pull Request

Related issue

• https://github.com/meilisearch/meilisearch/issues/2051 (it's just a relevant issue raised on the meilisearch image level)

This PR was created in the continuation to our discussion here: https://github.com/meilisearch/meilisearch-kubernetes/pull/176#discussion_r1222197366

What does this PR do?

That PR changes the default behaviour of the chart so it runs meilisearch under a non-root user, following the principal of least permissions and improve the security posture:

• Enable securityContext.readOnlyRootFilesystem: true by default and mount required writable points:

  • /tmp as emptyDir: {} [1]
  • /meili_data as emptyDir: {} by default, or as a PVC if persistence.enabled: true

• Default values fsGroup: 1000 and fsGroupChangePolicy: OnRootMismatch allow to keep backward compatibility with existing installations. If the data volume already has files previously created and owned by root (e.q. persistence.enabled: true), then k8s will automatically change the group ownership of these files to 1000, so they will still be writable by the non-privileged user in this new chart version. That happens automatically - no user action is needed. [2]

• Small chance of backward incompatibility for some users: those users who already have /tmp mount configured via volumes and volumeMounts values, might get a failure in upgrade to this new version, because this volume is now declared in the template by default. The fix is simple - just remove the definition of /tmp from your custom values.

Due to that I'm bumping the minor version of the chart to 0.2.0. Please let me know if you think we should update it differently.

Links

[1] https://kubernetes.io/docs/concepts/storage/volumes/#emptydir [2] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

PR checklist

Please check if your PR fulfills the following requirements:

• [x] Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
• [x] Have you read the contributing guidelines?
• [x] Have you made sure that the title is accurate and descriptive of the changes?

[alallema]

Hi @legal90, Thanks a lot for this PR, it looks very nice and exciting. I'll try to have a look at it as soon as possible.

Due to that I'm bumping the minor version of the chart to 0.2.0.

You're absolutely right, as you can see, we haven't always used versioning as it should have been... That is perfect to go to the 0.2

[alallema]

bors merge

[meili-bors[bot]]

Build succeeded:

• check-chart-manifest-in-sync
• helm-tests
• linter

[meili-bot]

This message is sent automatically

Thank you very much for submitting your PR! Did you know that throughout the month of June we’re holding a rafle? If you share the link to your merged PR in our #giveaway Discord channel, you’ll automatically join a lottery for a chance at winning some Meiliswag. 🙂 Don’t hesitate to join us: https://discord.com/channels/1006923006964154428/1111273670657200198