From 2c057507c49c612e4f9c33a39727643ce233e045 Mon Sep 17 00:00:00 2001
From: Naseem
Date: Mon, 17 Jun 2019 18:07:55 -0400
Subject: [PATCH] Run as 1000
Signed-off-by: Naseem
---
 elasticsearch/README.md | 4 +++-
 elasticsearch/templates/statefulset.yaml | 7 ++++++-
 elasticsearch/values.yaml | 16 ++++++++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/elasticsearch/README.md b/elasticsearch/README.md
index 295e4ad64..4af4d50b4 100644
--- a/elasticsearch/README.md
+++ b/elasticsearch/README.md
@@ -94,7 +94,9 @@ helm install --name elasticsearch elastic/elasticsearch --version 7.1.1 --set im
 | `service.annotations` | Annotations that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` [Annotations](https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws) | `{}` |
 | `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to `OnDelete` will allow you to manually delete each pod during upgrades | `RollingUpdate` |
 | `maxUnavailable` | The [maxUnavailable](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | `1` |
-| `fsGroup` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `1000` |
+| `fsGroup (DEPRECATED)` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `{}` |
+| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` |
+| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`
`runAsNonRoot: true`
`runAsUser: 1000` |
 | `terminationGracePeriod` | The [terminationGracePeriod](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) in seconds used when trying to stop the pod | `120` |
 | `sysctlVmMaxMapCount` | Sets the [sysctl vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) needed for Elasticsearch | `262144` |
 | `readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` |
diff --git a/elasticsearch/templates/statefulset.yaml b/elasticsearch/templates/statefulset.yaml
index 0c5444094..815e68516 100644
--- a/elasticsearch/templates/statefulset.yaml
+++ b/elasticsearch/templates/statefulset.yaml
@@ -49,7 +49,10 @@ spec:
 schedulerName: "{{ .Values.schedulerName }}"
 {{- end }}
 securityContext:
- fsGroup: {{ .Values.fsGroup }}
+{{ toYaml .Values.podSecurityContext | indent 8 }}
+ {{- if .Values.fsGroup }}
+ fsGroup: {{ .Values.fsGroup }} # Deprecated value, please use .Values.podSecurityContext.fsGroup
+ {{- end }}
 {{- with .Values.tolerations }}
 tolerations:
 {{ toYaml . | indent 6 }}
@@ -124,6 +127,8 @@ spec:
 {{- end }}
 containers:
 - name: "{{ template "name" . }}"
+ securityContext:
+{{ toYaml .Values.securityContext | indent 10 }}
 image: "{{ .Values.image }}:{{ .Values.imageTag }}"
 imagePullPolicy: "{{ .Values.imagePullPolicy }}"
 readinessProbe:
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 14d28f71a..100543994 100755
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -129,8 +129,20 @@ updateStrategy: RollingUpdate
 # of your pods to be unavailable during maintenance
 maxUnavailable: 1
- # GroupID for the elasticsearch user. The official elastic docker images always have the id of 1000
-fsGroup: 1000
+podSecurityContext:
+ fsGroup: 1000
+
+# The following value is deprecated,
+# please use the above podSecurityContext.fsGroup instead
+fsGroup: null
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 # How long to wait for elasticsearch to stop gracefully
 terminationGracePeriod: 120
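Review bot: `{{ toYaml .Values.podSecurityContext | indent 8 }}` in the first statefulset.yaml hunk is rendered unconditionally, so a user who empties `podSecurityContext` while still setting the deprecated `fsGroup` gets a bare `null` (or `{}`) scalar followed by an indented `fsGroup:` line under `securityContext:`, which does not parse as YAML. The chart's own idiom two lines below (`{{- with .Values.tolerations }}`) avoids this: `{{- with .Values.podSecurityContext }}` / `{{ toYaml . | indent 8 }}` / `{{- end }}`. When the default `podSecurityContext.fsGroup` and the deprecated `fsGroup` are both set, the rendered pod spec also carries two `fsGroup` keys, and which one wins depends on the YAML decoder that consumes the manifest, so either emit only one of them or state in the comment that the deprecated value is intended to take precedence. The enclosing pod template starts before this hunk.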
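Review bot: The new container `securityContext` defaults in values.yaml drop all capabilities and run as UID 1000 but leave `allowPrivilegeEscalation` at its Kubernetes default, so the process can still be granted more privileges than its parent; the usual companion to `capabilities.drop: [ALL]` and `runAsNonRoot: true` is `  allowPrivilegeEscalation: false` next to `runAsNonRoot`. The commented-out `# readOnlyRootFilesystem: true` gives no reason for being disabled, so a maintainer cannot tell whether it was tried and broke something or was simply not evaluated; a short comment such as `# readOnlyRootFilesystem is left off by default because <state the reason here>` would preserve that decision. The README row added in this commit documents the deprecated `fsGroup` default as `{}` while this hunk sets `fsGroup: null`; the two should agree.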