opensearch-project / helm-charts

:wheel_of_dharma: A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG][helm chart of opensearch] init container for fsgroup-volume requires root #480

Open patrickdung opened 12 months ago

patrickdung commented 12 months ago

Describe the bug

The helm chart requires root, after the helm chart is deployed:

      initContainers:
      - args:
        - chown -R 1000:1000 /usr/share/opensearch/data
        command:
        - sh
        - -c
        image: busybox:latest
        imagePullPolicy: IfNotPresent
        name: fsgroup-volume
        resources: {}
        securityContext:
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /usr/share/opensearch/data
          name: opensearch-cluster-master

runAsUser: 0 is in securityContext. This causes problems with some Kubernetes environments that do not allow running as root, like the OpenShift platform. On OpenShift, the workaround could be: oc adm policy add-scc-to-user privileged -z default. But it requires cluster-admin level privilege and may not be possible to run as a tenant.

To Reproduce

Deploy the default helm chart.

Expected behavior

Provide a method for users that cannot run the init container as root (user 0).

Chart Name

opensearch-2.15.0

Screenshots

Similar to: level=error msg="container_linux.go:367: starting container process caused: exec: \"./opensearch-docker-entrypoint.sh\": stat ./opensearch-docker-entrypoint.sh: permission denied" https://github.com/opensearch-project/opensearch-devops/issues/97


Additional context

https://forum.opensearch.org/t/opensearch-failing-on-openshift-environment/13052/3 https://github.com/opensearch-project/helm-charts/issues/384 https://github.com/opensearch-project/opensearch-build/issues/3625

felix185 commented 10 months ago

Is there a workaround for k8s, too? On the cluster I am working with, there are policies that containers are not allowed to run as root. Another policy exists which forbids containers from being run as privileged.

patrickdung commented 2 weeks ago

On a newer version of the helm chart (e.g. 2.21), the default values should look like:

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

I think this should make the OpenSearch helm chart able to run as non-root by default. I have already installed it on K3s; it should run as non-root.

For OpenShift, I think users need to update the UID to the value that their namespace should use.
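The two manifests in this thread illustrate the check that OpenShift's restricted SCC, the Pod Security "restricted" profile and Kyverno/Gatekeeper-style policies all perform before a pod is admitted: for every init container and regular container, resolve the effective UID (the container-level securityContext.runAsUser overrides the pod-level one) and reject the pod if that UID is 0, or if it is unset and runAsNonRoot is not true. The script below is an added example, not code from this thread or from the OpenSearch Helm chart; the two pod specs are constructed inline to mirror the default chart output with the chown init container and the non-root values proposed above. In practice you would feed it the output of helm template through a YAML loader instead of hand-built dicts.

```python
"""Check a rendered pod spec for containers that a no-root policy would reject.

Added example, not part of the issue thread or the OpenSearch Helm chart.
Both pod specs are constructed here to mirror the manifests discussed in the
thread; only the fields relevant to the check are included.
"""
from typing import Optional


def effective_run_as_user(pod_spec: dict, container: dict) -> Optional[int]:
    """Kubernetes semantics: container securityContext.runAsUser overrides the
    pod-level value. None means the UID comes from the image, which an
    admission controller cannot trust."""
    c_sc = container.get("securityContext") or {}
    p_sc = pod_spec.get("securityContext") or {}
    if "runAsUser" in c_sc:
        return c_sc["runAsUser"]
    return p_sc.get("runAsUser")


def effective_run_as_non_root(pod_spec: dict, container: dict) -> bool:
    """Same override rule for runAsNonRoot; defaults to False when unset."""
    c_sc = container.get("securityContext") or {}
    p_sc = pod_spec.get("securityContext") or {}
    if "runAsNonRoot" in c_sc:
        return bool(c_sc["runAsNonRoot"])
    return bool(p_sc.get("runAsNonRoot", False))


def find_root_containers(pod_spec: dict) -> list:
    """Return a description of every init/regular container that would be
    rejected by a policy forbidding root: runAsUser explicitly 0, or
    runAsUser unset while runAsNonRoot is not true."""
    violations = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            uid = effective_run_as_user(pod_spec, c)
            if uid == 0:
                violations.append(f"{kind}/{c['name']}: runAsUser=0")
            elif uid is None and not effective_run_as_non_root(pod_spec, c):
                violations.append(
                    f"{kind}/{c['name']}: runAsUser unset and runAsNonRoot not true"
                )
    return violations


# Constructed: the default chart output from the first post. The pod runs as
# UID 1000, but the fsgroup-volume init container overrides that with UID 0
# so that its chown -R succeeds.
DEFAULT_CHART_POD = {
    "securityContext": {"fsGroup": 1000, "runAsUser": 1000},
    "initContainers": [
        {
            "name": "fsgroup-volume",
            "image": "busybox:latest",
            "command": ["sh", "-c"],
            "args": ["chown -R 1000:1000 /usr/share/opensearch/data"],
            "securityContext": {"runAsUser": 0},
        }
    ],
    "containers": [
        {
            "name": "opensearch",
            "securityContext": {
                "capabilities": {"drop": ["ALL"]},
                "runAsNonRoot": True,
                "runAsUser": 1000,
            },
        }
    ],
}

# Constructed: the non-root values from the later comment. With fsGroup set,
# the kubelet makes the volume group-writable for GID 1000, so the chown init
# container is not needed and is omitted. Simply deleting runAsUser: 0 from
# the init container would also pass the policy, but chown -R would then fail
# at runtime because it runs as UID 1000.
NON_ROOT_POD = {
    "securityContext": {"fsGroup": 1000, "runAsUser": 1000},
    "initContainers": [],
    "containers": DEFAULT_CHART_POD["containers"],
}


if __name__ == "__main__":
    for label, spec in (("default chart", DEFAULT_CHART_POD), ("non-root values", NON_ROOT_POD)):
        problems = find_root_containers(spec)
        print(f"{label}: {'OK' if not problems else 'REJECTED'}")
        for p in problems:
            print("  -", p)
```

Note that the check flags the init container and not the main OpenSearch container: the chart's own workload is already non-root, and it is only the privilege escalation for the chown step that trips the OpenShift SCC and the k8s policy mentioned in the second comment.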