This repository has been archived by the owner on May 16, 2023. It is now read-only.

[elasticsearch] Set default runAsUser for pod security context
Related: #15
Crazybus committed Sep 19, 2019
1 parent 573f2f3 commit 1f94ad2
Showing 3 changed files with 6 additions and 2 deletions.
2 changes: 1 addition & 1 deletion elasticsearch/README.md
Expand Up @@ -99,7 +99,7 @@ helm install --name elasticsearch elastic/elasticsearch --set imageTag=7.3.0
| `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to `OnDelete` will allow you to manually delete each pod during upgrades | `RollingUpdate` |
| `maxUnavailable` | The [maxUnavailable](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | `1` |
| `fsGroup (DEPRECATED)` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
| `terminationGracePeriod` | The [terminationGracePeriod](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) in seconds used when trying to stop the pod | `120` |
| `sysctlInitContainer.enabled` | Allows you to disable the sysctlInitContainer if you are setting vm.max_map_count with another method | `true` |
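Review bot: The `podSecurityContext` row now defaults to `runAsUser: 1000` while the `securityContext` row directly below it also defaults to `runAsUser: 1000`, and neither description says how the two interact. In Kubernetes a container-level `securityContext` value overrides the pod-level one for that container, so a user who changes only `podSecurityContext.runAsUser` will still get UID 1000 for the container that `securityContext` applies to. Suggest adding a sentence to the `podSecurityContext` description saying that it sets the default for containers that do not set their own value, and that both settings need to change together to run Elasticsearch under a different UID.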
5 changes: 4 additions & 1 deletion elasticsearch/tests/elasticsearch_test.py
Expand Up @@ -142,7 +142,9 @@ def test_defaults():

# Other
assert r['statefulset'][uname]['spec']['template']['spec']['securityContext'] == {
'fsGroup': 1000}
'fsGroup': 1000,
'runAsUser': 1000
}
assert r['statefulset'][uname]['spec']['template']['spec']['terminationGracePeriodSeconds'] == 120

# Pod disruption budget
Expand Down Expand Up @@ -743,6 +745,7 @@ def test_set_pod_security_context():
config = ''
r = helm_template(config)
assert r['statefulset'][uname]['spec']['template']['spec']['securityContext']['fsGroup'] == 1000
assert r['statefulset'][uname]['spec']['template']['spec']['securityContext']['runAsUser'] == 1000

config = '''
podSecurityContext:
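Review bot: The added `runAsUser` assertion only covers the `config = ''` case, so nothing in the visible lines pins what a user gets when they override `podSecurityContext` with `fsGroup` alone. Helm deep-merges maps from user values over the chart defaults, so such an override will now also render `runAsUser: 1000`, which is a behaviour change for existing installs. If the override case that starts at `config = '''` does not already do so, add an assertion on `runAsUser` there for both a partial override and an explicit `runAsUser` override.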
1 change: 1 addition & 0 deletions elasticsearch/values.yaml
Expand Up @@ -144,6 +144,7 @@ maxUnavailable: 1

podSecurityContext:
fsGroup: 1000
runAsUser: 1000

# The following value is deprecated,
# please use the above podSecurityContext.fsGroup instead
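Review bot: `runAsUser: 1000` under `podSecurityContext` carries no comment, and a pod-level `runAsUser` applies to every container in the pod that does not set its own, init containers included. The README documents a `sysctlInitContainer` that sets `vm.max_map_count`; please confirm its template sets its own container-level `securityContext` so this default does not switch it to UID 1000, and add a short comment here noting the pod-wide scope of the value.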