Add runPrivileged/runAsUser options, for running on more restricted/s… #271
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maartenvandenbogaard
force-pushed
the
master
branch
from
a3a419a to
3c836e4
Compare
stevesloka
requested changes
Jan 23, 2019
| @@ -160,14 +160,19 @@ func (k *K8sutil) CreateClientDeployment(baseImage string, replicas *int32, java | |||
| }, | |||
| }, | |||
| Spec: v1.PodSpec{ | |||
| SecurityContext: &v1.PodSecurityContext{ | |||
| RunAsUser: &k.RunAsUser, | |||
There was a problem hiding this comment.
What if these aren't defined how does the controller react? We should add tests around them to validate this new behavior.
There was a problem hiding this comment.
The default for RunAsUser (0) is defined in init(), so there's always a value.
…ecured K8s clusters These options make it possible to run the operator and es-clusters on a Kubernetes cluster, that has Pod Security Policies in place, that: - disallows running containers as root - (and/or) disallows running containers in privileged mode Note: the default elasticsearch image (upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0 as of writing) will not work if you don't run it as root (uid 0), as its wrapper script tries a 'ulimit -l unlimited', and eventually su-execs to elasticsearch user with uid 1000; both actions will fail. Setting ulimit should not be neccessary with IPC_LOCK/SYS_RESOURCE capabilities, however they get wiped when running a container as non-root. So running this image will require some modifications, e.g. chowning folders, setcap cap_ipc_lock=+ep on java binary + dependencies. Most (recent) information on this topic that allowed me to solve the puzzle: https://medium.com/@thejasongerard/resource-limits-mlock-and-containers-oh-my-cca1e5d1f259 Change-Id: I600e9dd4a49cab15a289fc50cc2a605c83ac3aa9
maartenvandenbogaard
force-pushed
the
master
branch
from
3c836e4 to
10734bc
Compare
|
we also want this change! |
|
The image also has to not chown and su-exec (as mentioned in the original comment). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…ecured K8s clusters
These options make it possible to run the operator and es-clusters on a Kubernetes cluster,
that has a Pod Security Policy in place, that:
Note: the default elasticsearch image (upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0 as of writing)
will not work if you don't run it as root (uid 0), as its wrapper script tries a 'ulimit -l unlimited',
and eventually su-execs to elasticsearch user with uid 1000; both actions will fail.
Setting ulimit should not be neccessary with IPC_LOCK/SYS_RESOURCE capabilities,
however they get wiped when running a container as non-root.
So running this image will require some modifications,
e.g. chowning folders, setcap cap_ipc_lock=+ep on java binary + dependencies.
Most (recent) information on this topic that allowed me to solve the puzzle:
https://medium.com/@thejasongerard/resource-limits-mlock-and-containers-oh-my-cca1e5d1f259
Change-Id: I600e9dd4a49cab15a289fc50cc2a605c83ac3aa9