This repository has been archived by the owner on May 16, 2023. It is now read-only.

Merge pull request #171 from naseemkullah/elasticsearch-runasnonroot
[elasticsearch] Run as 1000
Crazybus authored Jul 5, 2019
2 parents 1ff71b1 + 42c88fa commit 51d3afd
Showing 3 changed files with 23 additions and 4 deletions.
4 changes: 3 additions & 1 deletion elasticsearch/README.md
Expand Up @@ -95,7 +95,9 @@ helm install --name elasticsearch elastic/elasticsearch --version 7.2.0 --set im
| `service.annotations` | Annotations that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` [Annotations](https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws) | `{}` |
| `updateStrategy` | The [updateStrategy](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) for the statefulset. By default Kubernetes will wait for the cluster to be green after upgrading each pod. Setting this to `OnDelete` will allow you to manually delete each pod during upgrades | `RollingUpdate` |
| `maxUnavailable` | The [maxUnavailable](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | `1` |
| `fsGroup` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `1000` |
| `fsGroup (DEPRECATED)` | The Group ID (GID) for [securityContext.fsGroup](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) so that the Elasticsearch user can read from the persistent volume | `` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` |
| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
| `terminationGracePeriod` | The [terminationGracePeriod](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) in seconds used when trying to stop the pod | `120` |
| `sysctlVmMaxMapCount` | Sets the [sysctl vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) needed for Elasticsearch | `262144` |
| `readinessProbe` | Configuration fields for the [readinessProbe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
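Review bot: the default column of the new `fsGroup (DEPRECATED)` row is an empty code span (two backticks with nothing between them), which renders as nothing in the table; write it as `""` so it matches the `fsGroup: ""` default in `values.yaml`. The description of that row is also unchanged from the active option, so a reader cannot tell what to use instead; suggest something like: "Deprecated, use `podSecurityContext.fsGroup` instead. Left empty, no value is rendered."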
7 changes: 6 additions & 1 deletion elasticsearch/templates/statefulset.yaml
Expand Up @@ -49,7 +49,10 @@ spec:
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
securityContext:
fsGroup: {{ .Values.fsGroup }}
{{ toYaml .Values.podSecurityContext | indent 8 }}
{{- if .Values.fsGroup }}
fsGroup: {{ .Values.fsGroup }} # Deprecated value, please use .Values.podSecurityContext.fsGroup
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 6 }}
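Review bot: if a user sets both the deprecated `fsGroup` and `podSecurityContext.fsGroup`, this hunk renders two `fsGroup` keys under the same `securityContext` mapping (one from `toYaml .Values.podSecurityContext`, one from the `{{- if .Values.fsGroup }}` block), and whichever key the YAML parser keeps decides the volume's group ownership without any error. Either reject the combination with `{{- if and .Values.fsGroup .Values.podSecurityContext.fsGroup }}{{ fail "set only one of fsGroup and podSecurityContext.fsGroup" }}{{- end }}`, or make the deprecated value win explicitly by rendering it only when `podSecurityContext.fsGroup` is unset. The `# Deprecated value ...` trailing comment on the rendered `fsGroup:` line is also emitted into the final manifest; a template comment (`{{/* ... */}}`) keeps it out of the output.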
Expand Down Expand Up @@ -124,6 +127,8 @@ spec:
{{- end }}
containers:
- name: "{{ template "name" . }}"
securityContext:
{{ toYaml .Values.securityContext | indent 10 }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
imagePullPolicy: "{{ .Values.imagePullPolicy }}"
readinessProbe:
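Review bot: this block is container-scoped, so `runAsUser: 1000`, `runAsNonRoot: true` and the dropped capabilities apply only to the Elasticsearch container, while `podSecurityContext` from the earlier hunk applies to every container in the pod. The README rows for `podSecurityContext` and `securityContext` read as interchangeable, so add a sentence in `values.yaml` (or the README) stating that pod-wide settings such as `fsGroup` go in `podSecurityContext` and per-container hardening goes in `securityContext`, so users do not move `runAsUser` into the pod-level block and unintentionally apply it to other containers in the pod.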
16 changes: 14 additions & 2 deletions elasticsearch/values.yaml
Expand Up @@ -137,8 +137,20 @@ updateStrategy: RollingUpdate
# of your pods to be unavailable during maintenance
maxUnavailable: 1

# GroupID for the elasticsearch user. The official elastic docker images always have the id of 1000
fsGroup: 1000
podSecurityContext:
fsGroup: 1000

# The following value is deprecated,
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

securityContext:
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

# How long to wait for elasticsearch to stop gracefully
terminationGracePeriod: 120
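Review bot: the removed comment "GroupID for the elasticsearch user. The official elastic docker images always have the id of 1000" is the only place that explained why `1000` is the default, and it now justifies both `podSecurityContext.fsGroup: 1000` and `securityContext.runAsUser: 1000`; keep it above `podSecurityContext`. The commented-out `# readOnlyRootFilesystem: true` under `securityContext` should either say why it is left disabled or be dropped, otherwise users will uncomment it without knowing what breaks.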

0 comments on commit 51d3afd
