Add runPrivileged/runAsUser options, for running on more restricted/s…#271
Closed
maartenvandenbogaard wants to merge 2 commits intoupmc-enterprises:masterfrom
maartenvandenbogaard:master
Closed
Add runPrivileged/runAsUser options, for running on more restricted/s…#271maartenvandenbogaard wants to merge 2 commits intoupmc-enterprises:masterfrom maartenvandenbogaard:master
maartenvandenbogaard wants to merge 2 commits intoupmc-enterprises:masterfrom
maartenvandenbogaard:master
Conversation
stevesloka
suggested changes
Jan 23, 2019
| }, | ||
| Spec: v1.PodSpec{ | ||
| SecurityContext: &v1.PodSecurityContext{ | ||
| RunAsUser: &k.RunAsUser, |
Contributor
There was a problem hiding this comment.
What if these aren't defined how does the controller react? We should add tests around them to validate this new behavior.
Author
There was a problem hiding this comment.
The default for RunAsUser (0) is defined in init(), so there's always a value.
…ecured K8s clusters These options make it possible to run the operator and es-clusters on a Kubernetes cluster, that has Pod Security Policies in place, that: - disallows running containers as root - (and/or) disallows running containers in privileged mode Note: the default elasticsearch image (upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0 as of writing) will not work if you don't run it as root (uid 0), as its wrapper script tries a 'ulimit -l unlimited', and eventually su-execs to elasticsearch user with uid 1000; both actions will fail. Setting ulimit should not be neccessary with IPC_LOCK/SYS_RESOURCE capabilities, however they get wiped when running a container as non-root. So running this image will require some modifications, e.g. chowning folders, setcap cap_ipc_lock=+ep on java binary + dependencies. Most (recent) information on this topic that allowed me to solve the puzzle: https://medium.com/@thejasongerard/resource-limits-mlock-and-containers-oh-my-cca1e5d1f259 Change-Id: I600e9dd4a49cab15a289fc50cc2a605c83ac3aa9
|
we also want this change! |
|
The image also has to not chown and su-exec (as mentioned in the original comment). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…ecured K8s clusters
These options make it possible to run the operator and es-clusters on a Kubernetes cluster,
that has a Pod Security Policy in place, that:
Note: the default elasticsearch image (upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0 as of writing)
will not work if you don't run it as root (uid 0), as its wrapper script tries a 'ulimit -l unlimited',
and eventually su-execs to elasticsearch user with uid 1000; both actions will fail.
Setting ulimit should not be neccessary with IPC_LOCK/SYS_RESOURCE capabilities,
however they get wiped when running a container as non-root.
So running this image will require some modifications,
e.g. chowning folders, setcap cap_ipc_lock=+ep on java binary + dependencies.
Most (recent) information on this topic that allowed me to solve the puzzle:
https://medium.com/@thejasongerard/resource-limits-mlock-and-containers-oh-my-cca1e5d1f259
Change-Id: I600e9dd4a49cab15a289fc50cc2a605c83ac3aa9