Cannot run elasticsearch with security best practice readOnlyRootFilesystem: true
#6126
Comments
The way Elasticsearch starts requires the

```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.5.0
  nodeSets:
  - name: default
    config:
      node.store.allow_mmap: false
    podTemplate:
      spec:
        volumes:
        # writable scratch space, since the root filesystem is read-only below
        - name: tmp-volume
          emptyDir: {}
        containers:
        - name: elasticsearch
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
    count: 3
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.5.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  podTemplate:
    spec:
      containers:
      - name: kibana
        securityContext:
          readOnlyRootFilesystem: true
```
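The manifest above only adds a writable `emptyDir` at `/tmp`; the failure reported in this issue is that the init step also writes to `/usr/share/elasticsearch/config`, which no volume backs. The following audit script is an added example, not code from the ECK project or from anyone in this thread: given a pod spec, it reports containers that do not pin the root filesystem read-only, and, for read-only containers, any path they are required to write that is not covered by a writable volume mount. The sample spec is a constructed transcription of the thread's podTemplate; the init container entry named `prepare-fs` and the `REQUIRED_WRITABLE` table are assumptions, since the page does not show the operator-injected init container itself.

```python
"""Audit a Kubernetes pod spec for readOnlyRootFilesystem coverage.

Added example (not ECK code). With readOnlyRootFilesystem: true a process can
only write under a non-readOnly volumeMount, so every path it must write has
to be backed by one; this script finds the paths that are not.
"""
from typing import Dict, List

# Constructed sample, transcribed from the Elasticsearch podTemplate in this
# thread. The initContainers entry is a hypothetical stand-in: the real one is
# injected by the operator and its name is not shown on the page.
SAMPLE_POD_SPEC: Dict = {
    "volumes": [{"name": "tmp-volume", "emptyDir": {}}],
    "initContainers": [
        {
            "name": "prepare-fs",  # assumed name
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"mountPath": "/tmp", "name": "tmp-volume"}],
        }
    ],
    "containers": [
        {
            "name": "elasticsearch",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"mountPath": "/tmp", "name": "tmp-volume"}],
        }
    ],
}

# Paths each container must be able to write. Assumption: the init script
# copies into the config directory, as described in the bug report.
REQUIRED_WRITABLE: Dict[str, List[str]] = {
    "prepare-fs": ["/usr/share/elasticsearch/config"],
    "elasticsearch": ["/tmp"],
}


def is_read_only_root(container: Dict) -> bool:
    """True when the container's securityContext sets readOnlyRootFilesystem."""
    return bool(container.get("securityContext", {}).get("readOnlyRootFilesystem"))


def writable_mount_paths(container: Dict) -> List[str]:
    """Mount paths the container can write to (volumeMounts not marked readOnly)."""
    return [
        m["mountPath"].rstrip("/") or "/"
        for m in container.get("volumeMounts", [])
        if not m.get("readOnly", False)
    ]


def path_is_writable(path: str, mount_paths: List[str]) -> bool:
    """A path is writable if it equals, or lies below, a writable mount path.

    Compared on path components, so "/tmp" covers "/tmp/x" but not "/tmpfoo".
    """
    norm = path.rstrip("/") or "/"
    for mount in mount_paths:
        if mount == "/" or norm == mount or norm.startswith(mount + "/"):
            return True
    return False


def audit_pod_spec(spec: Dict, required: Dict[str, List[str]]) -> List[str]:
    """Return one finding per problem; an empty list means the spec is consistent.

    Two kinds of finding: a container without readOnlyRootFilesystem (policy
    gap), and a read-only container whose required path has no writable mount
    behind it (the runtime failure described in this issue).
    """
    findings: List[str] = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            name = c["name"]
            if not is_read_only_root(c):
                findings.append(f"{kind}/{name}: readOnlyRootFilesystem is not true")
                continue
            mounts = writable_mount_paths(c)
            for p in required.get(name, []):
                if not path_is_writable(p, mounts):
                    findings.append(
                        f"{kind}/{name}: {p} is not backed by a writable volume "
                        f"mount; writes there fail with a read-only root fs"
                    )
    return findings


if __name__ == "__main__":
    for line in audit_pod_spec(SAMPLE_POD_SPEC, REQUIRED_WRITABLE):
        print(line)
```

Run against the sample it reports exactly one finding, for `/usr/share/elasticsearch/config` in the init container; the main container is clean because its only required path, `/tmp`, is the `emptyDir` mount. Pointing `REQUIRED_WRITABLE` at the paths your own images write makes this the same kind of check Polaris or an OPA policy would perform before admission.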
Thank you. The issue happens on initContainers, to copy the configuration, the directory We can't specify a volume, because the copy operation needs files from (We run the Elastic stack with Helm charts, so we were able to create another initContainer to do the trick)
I think we should adapt the example configuration from #6126 (comment) as the default in ECK:
Bug Report
What did you do?
As a good practice, we configure a security context (here readOnlyRootFilesystem: true):

What did you expect to see?

The operator creates the STS, creates the pods, creates the container, and the init container can run fine.

What did you see instead? Under which circumstances?

The first initContainer cannot run because a folder is not writable. Digging into the source code, we can see:

prepare-fs.sh script:

where the directory /usr/share/elasticsearch/config is not a volume, hence read-only. We can't find any workaround, except changing polaris or OPA rules.

As a clean solution, the prepare-fs.sh script should use a temporary directory, mounted as emptyDir.

References: