opendistro-for-elasticsearch / opendistro-build

🧰 Open Distro Build Scripts
https://opendistro.github.io/
Apache License 2.0

Enable Elasticsearch running as non-root without any extra capabilities or privileges #703

Closed timricese closed 3 years ago

timricese commented 3 years ago

Issue #, if available:

555 partially

Description of changes:

Implemented helm variables for setting a securityContext for Elasticsearch pods, disabling fixmount initContainers and not giving the SYS_CHROOT cap (both of which might not even be required anyway), in order to make it possible to run as non-root.

The "fixmount" initContainer is not required if a fsGroup is set via securityContext.

The "SYS_CHROOT" cap does not appear to be required any more.

Example parameters for this setup are given in values-nonroot.yaml

Default values will not change the previous behavior of the helm chart.

Test Results:

Tested on production grade cluster, both via gitops/flux/helm-operator and helm-cli install

Note: If this PR is related to Helm, please also update the README for related documentation changes. Thanks. https://github.com/opendistro-for-elasticsearch/opendistro-build/blob/master/helm/README.md

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on signing off your commits, please check here.
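As an added example (not code from this PR or the opendistro-build chart), a small check a reviewer could run over Pod specs rendered by helm template to confirm the three points above: a pinned non-root uid with an fsGroup, no privileged initContainer such as fixmount, and no added capabilities such as SYS_CHROOT. The two specs below are constructed by hand to stand in for the chart's old and new behaviour; loading real manifests would need a YAML parser (assumed: PyYAML) and is left out to keep the block dependency-free.

```python
from typing import Any, Dict, List

# Constructed stand-in for the chart's previous behaviour (not the real template):
# a privileged "fixmount" initContainer to chown the data volume, no pod-level
# securityContext, and SYS_CHROOT added to the Elasticsearch container.
ROOT_SPEC: Dict[str, Any] = {
    "initContainers": [{
        "name": "fixmount",
        "image": "busybox",
        "command": ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"],
        "securityContext": {"privileged": True},
    }],
    "containers": [{
        "name": "elasticsearch",
        "image": "amazon/opendistro-for-elasticsearch:1.13.2",
        "securityContext": {"capabilities": {"add": ["SYS_CHROOT"]}},
    }],
}

# Constructed stand-in for the non-root setup: uid/gid pinned, fsGroup set so the
# volume is group-writable without an initContainer, no capabilities added.
NONROOT_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000,
                        "fsGroup": 1000, "runAsNonRoot": True},
    "containers": [{"name": "elasticsearch"}],
}


def nonroot_findings(pod_spec: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the Pod spec is non-root clean."""
    findings: List[str] = []
    pod_sc = pod_spec.get("securityContext", {})
    if pod_sc.get("runAsNonRoot") is not True:
        findings.append("pod: securityContext.runAsNonRoot is not true")
    if "fsGroup" not in pod_sc:
        findings.append("pod: no fsGroup, so volume ownership needs an initContainer or root")
    for kind in ("initContainers", "containers"):
        for ctr in pod_spec.get(kind, []):
            name, csc = ctr["name"], ctr.get("securityContext", {})
            # container-level runAsUser overrides the pod-level one; None means image default
            uid = csc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid is None or uid == 0:
                findings.append(f"{kind}/{name}: uid {'not pinned' if uid is None else '0 (root)'}")
            if csc.get("privileged"):
                findings.append(f"{kind}/{name}: privileged")
            for cap in csc.get("capabilities", {}).get("add", []):
                findings.append(f"{kind}/{name}: adds capability {cap}")
    return findings
```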

peterzhuamazon commented 3 years ago

Hi @timricese, thanks for the PR, we have a few questions we hope you can address:

  1. Could you use another name for .Values.elasticsearch.securityContext since securityContext is preserved in Kube? (ex: use .Values.elasticsearch.securityContextCustom)
  2. Could you attach log or screenshot of the test results? Since this is a big change.

Thanks.

timricese commented 3 years ago

1: Absolutely, I'll change that shortly.

Regarding 2: would a console log of the install via helm, then showing that the pods are actually running and healthy, be enough? Or do you have any unit tests for the helm package that I might not be aware of?

timricese commented 3 years ago

In case a console log of installing the helm chart + showing the pods work is enough, here it is.

~/git/opendistro-build/helm/opendistro-es ⑂main* $ helm template test . -f values-nonroot.yaml -n opendistro-unprivileged | kubectl apply -f - -n opendistro-unprivileged
serviceaccount/test-opendistro-es-es created
serviceaccount/test-opendistro-es-kibana created
secret/test-opendistro-es-es-config created
role.rbac.authorization.k8s.io/test-opendistro-es-es created
role.rbac.authorization.k8s.io/test-opendistro-es-kibana created
rolebinding.rbac.authorization.k8s.io/test-opendistro-es-elastic-rolebinding created
rolebinding.rbac.authorization.k8s.io/test-opendistro-es-kibana-rolebinding created
service/test-opendistro-es-data-svc created
service/test-opendistro-es-client-service created
service/test-opendistro-es-discovery created
service/test-opendistro-es-kibana-svc created
deployment.apps/test-opendistro-es-client created
deployment.apps/test-opendistro-es-kibana created
statefulset.apps/test-opendistro-es-data created
statefulset.apps/test-opendistro-es-master created

[screenshot: the pods running immediately after, in k9s]

[screenshot: a simple query via dev tools in Kibana, accessed via port-forwarding to the Kibana pod]

Again, if there are any specific unit tests that I should be running, please let me know. I couldn't find any.

peterzhuamazon commented 3 years ago

Thanks @timricese for the test results and logs. We have approved and merged this PR. Thanks.

vijeswari commented 2 years ago

Hi, I tried creating ODFE pods running as non-root user using ODFE 1.13.2 docker image and helm chart. The pods creation fail with the following error:

[xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch
OpenDistro for Elasticsearch Security Demo Installer
Warning: Do not use on production or public reachable systems
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core)
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.10.2
Detected Open Distro Security Version: 1.13.1.0

Success

Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

Helm install command: helm install test . -f values-nonroot.yaml

Can you please help me understand what could be missing here? The same test seems to have passed as part of this change.

Thanks.

getvasanth commented 2 years ago

Is there any update on this issue?