This repository has been archived by the owner on May 16, 2023. It is now read-only.

[kibana] Run as 1000 #172

Merged
merged 1 commit into from
Jun 24, 2019
3 changes: 2 additions & 1 deletion kibana/README.md
Expand Up @@ -52,7 +52,8 @@ helm install --name kibana elastic/kibana --version 7.1.1 --set imageTag=7.1.1
| `protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `server.ssl.enabled: true` set | `http` |
| `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready | `/app/kibana` |
| `kibanaConfig` | Allows you to add any config files in `/usr/share/kibana/config/` such as `kibana.yml`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `{}` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000` |
| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
| `serviceAccount` | Allows you to overwrite the "default" [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pod | `[]` |
| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `` |
| `antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Kibana instances from running on the same Kubernetes node | `kubernetes.io/hostname` |
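Review bot: The new `securityContext` row and the changed `podSecurityContext` default list `runAsUser: 1000` and `fsGroup: 1000` without saying why 1000. Add a sentence to both rows that these IDs are tied to the user the image runs Kibana as, so that anyone overriding `image` knows to adjust them together. Since the defaults for existing installs change here, the change also deserves a line in the changelog or upgrade notes.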
8 changes: 4 additions & 4 deletions kibana/templates/deployment.yaml
Expand Up @@ -27,10 +27,8 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
{{- end }}
{{- if .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
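Review bot: The `{{- if .Values.podSecurityContext }}` / `{{- end }}` pair around the pod-level `securityContext:` appears to be what this hunk drops (the header counts 10 old lines against 8 new), while `priorityClassName` and `serviceAccount` beside it keep their guards. Without the guard, a values file that empties `podSecurityContext` renders an empty mapping under `securityContext:` instead of omitting the key. Either keep the guard for consistency with the neighbouring blocks or state in the README that this block is always rendered.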
Expand Down Expand Up @@ -63,6 +61,8 @@ spec:
{{- end }}
containers:
- name: kibana
securityContext:
{{ toYaml .Values.securityContext | indent 10 }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
env:
{{- if .Values.elasticsearchURL }}
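Review bot: The container-level `securityContext:` under `- name: kibana` is filled straight from `.Values.securityContext`, so the non-root and dropped-capabilities settings exist only in the values default and nothing in the template enforces them. If the intent is that Kibana never runs as root, document next to the value that overriding it replaces the hardening, or have the template fail when `runAsNonRoot` is missing.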
Expand All @@ -78,7 +78,7 @@ spec:
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
exec:
command:
command:
- sh
- -c
- |
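Review bot: The two `command:` lines under `exec:` differ only in whitespace, which is unrelated to running as UID 1000. Whitespace cleanup in the readiness probe is fine, but it would be easier to review and revert as its own commit.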
Expand All @@ -93,7 +93,7 @@ spec:

curl -k "$@" "{{ .Values.protocol }}://localhost:{{ .Values.httpPort }}${path}"
}

http "{{ .Values.healthCheckPath }}"
ports:
- containerPort: {{ .Values.httpPort }}
13 changes: 11 additions & 2 deletions kibana/values.yaml
Expand Up @@ -44,8 +44,17 @@ kibanaConfig: {}
# nestedkey: value

# If Pod Security Policy in use it may be required to specify security context as well as service account
podSecurityContext: {}
#runAsUser: "place the user id here"

podSecurityContext:
fsGroup: 1000

securityContext:
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

serviceAccount: ""
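Review bot: `# readOnlyRootFilesystem: true` under `securityContext:` is left commented out with no reason given. Add a comment saying why it cannot be on by default, or what a user has to mount before enabling it, so it does not read as an oversight. The block already drops all capabilities and sets `runAsNonRoot: true`, so `allowPrivilegeEscalation: false` would fit alongside them. The comment above `podSecurityContext` still only talks about Pod Security Policy and should be updated to describe both blocks.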
