Official Docker image in Openshift | Permission problems when accessing served certificates #44994

Closed
@lostiniceland

Description

Elasticsearch version: 6.7.2 (Docker)

OS version: Openshift 3.11 on Centos 7

Description of the problem including expected versus actual behavior:
Running Elasticsearch in Openshift doesn't work when specifying a certificate which was provided by the platform. Openshift mounts a secret volume containing its own CA, and the YAML specifies a self-serving certificate which was signed by the Openshift CA.

Those files are mapped to root:root.

Openshift runs each image with a generated UID (> 10000) and GID 0.

It seems the Elasticsearch user is not running as root (which is good), but also not with GID 0, which is necessary to access those files.

Steps to reproduce:

  1. Deploy official ES image as Openshift Imagestream
  2. Use DeploymentConfig (or Deployment) YAML with SSL configuration
  3. Check logs

Openshift Deployment YAML (indentation fixed; `volumes` belongs at the pod-spec level, next to `containers`):

```yaml
- kind: Service
  apiVersion: v1
  metadata:
    name: test
    annotations:
      # Asks Openshift to issue a serving certificate into this secret.
      service.alpha.openshift.io/serving-cert-secret-name: cert-secret-test
  spec:
    selector:
      name: test
    ports:
      - name: elasticsearch
        port: 9200
        targetPort: 9200
    type: LoadBalancer

- kind: DeploymentConfig
  apiVersion: v1
  metadata:
    name: test
  spec:
    replicas: 1
    template:
      spec:
        containers:
          - name: elasticsearch
            image: docker-registry.default.svc:5000/project/elasticsearch:6.7.2
            ports:
              - containerPort: 9200
            env:
              - name: discovery.type
                value: single-node
              - name: ELASTIC_PASSWORD
                value: password
              # Key and certificate come from the secret volume declared below.
              - name: xpack.ssl.key
                value: /var/run/secrets/openshift.io/project/cert-secret/tls.key
              - name: xpack.ssl.certificate
                value: /var/run/secrets/openshift.io/project/cert-secret/tls.crt
              # The CA is read from the service-account mount the platform adds on its own.
              - name: xpack.ssl.certificate_authorities
                value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
              - name: xpack.security.transport.ssl.enabled
                value: 'true'
              - name: xpack.security.http.ssl.enabled
                value: 'true'
              - name: ES_JAVA_OPTS
                value: '-Xms512m -Xmx512m'
            volumeMounts:
              - name: cert-vol-test
                mountPath: /var/run/secrets/openshift.io/project/cert-secret
        volumes:
          - name: cert-vol-test
            secret:
              secretName: cert-secret-test
```

Logs:

```text
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" "read")
```
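The file named in the log is the only TLS path in the manifest that no declared `volumeMounts` entry covers; it comes from the service-account mount the platform adds on its own, so the reporter has no say over its owner, group or mode. The check below (added here as an example, not code from the issue or from Elasticsearch) cross-references the `xpack.*ssl*` env settings against the container's `volumeMounts` and reports such paths. It assumes the manifest has been loaded into a dict (an excerpt is constructed inline so it runs offline) and splits list settings on commas, the form Elasticsearch accepts for list-valued settings.

```python
import os

# Constructed excerpt of the container spec from the DeploymentConfig above.
CONTAINER = {
    "env": [
        {"name": "xpack.ssl.key",
         "value": "/var/run/secrets/openshift.io/project/cert-secret/tls.key"},
        {"name": "xpack.ssl.certificate",
         "value": "/var/run/secrets/openshift.io/project/cert-secret/tls.crt"},
        {"name": "xpack.ssl.certificate_authorities",
         "value": "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"},
    ],
    "volumeMounts": [
        {"name": "cert-vol-test",
         "mountPath": "/var/run/secrets/openshift.io/project/cert-secret"},
    ],
}

# Setting names (env-var form) whose values are paths on the container filesystem.
TLS_FILE_SUFFIXES = ("key", "certificate", "certificate_authorities",
                     "keystore.path", "truststore.path")


def tls_file_paths(container):
    """Map each TLS file setting in env to the path(s) it names (comma-split)."""
    paths = {}
    for var in container.get("env", []):
        name = var["name"]
        if ".ssl." in name and name.endswith(TLS_FILE_SUFFIXES):
            paths[name] = [p.strip() for p in var["value"].split(",") if p.strip()]
    return paths


def is_under(path, mount_path):
    """True if path lies inside mount_path (lexical check, no symlink resolution)."""
    path, mount_path = os.path.normpath(path), os.path.normpath(mount_path)
    return os.path.commonpath([path, mount_path]) == mount_path


def unmounted_tls_paths(container):
    """TLS file paths covered by no explicit volumeMount in the container spec.

    Such files come from outside the manifest (here the service-account
    auto-mount), so the platform, not the manifest author, sets their mode.
    """
    mounts = [m["mountPath"] for m in container.get("volumeMounts", [])]
    missing = {}
    for setting, paths in tls_file_paths(container).items():
        stray = [p for p in paths if not any(is_under(p, m) for m in mounts)]
        if stray:
            missing[setting] = stray
    return missing
```

Run against the excerpt it reports `xpack.ssl.certificate_authorities` with the `service-ca.crt` path, i.e. exactly the file the `AccessControlException` names.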
