Only set a SecurityContext for Elasticsearch

elastic · Apr 23, 2023 · 10351e2 · 10351e2
1 parent 148cb2f
commit 10351e2
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 20 deletions.
diff --git a/pkg/controller/beat/common/stackmon/stackmon_test.go b/pkg/controller/beat/common/stackmon/stackmon_test.go
@@ -32,15 +32,6 @@ func TestMetricBeat(t *testing.T) {
 		Name:  "metricbeat",
 		Image: "docker.elastic.co/beats/metricbeat:8.2.3",
 		Args:  []string{"-c", "/etc/metricbeat-config/metricbeat.yml", "-e"},
-		SecurityContext: &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{
-				Drop: []corev1.Capability{"ALL"},
-			},
-			Privileged:               pointer.Bool(false),
-			RunAsNonRoot:             pointer.Bool(true),
-			ReadOnlyRootFilesystem:   pointer.Bool(true),
-			AllowPrivilegeEscalation: pointer.Bool(false),
-		},
 		Env: []corev1.EnvVar{
 			{
 				Name: "POD_IP",

diff --git a/pkg/controller/common/stackmon/sidecar.go b/pkg/controller/common/stackmon/sidecar.go
@@ -9,7 +9,6 @@ import (
 	"hash"
 
 	corev1 "k8s.io/api/core/v1"
-	ptr "k8s.io/utils/pointer"
 
 	commonv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1"
 	"github.com/elastic/cloud-on-k8s/v2/pkg/controller/common/container"
@@ -106,15 +105,6 @@ func NewBeatSidecar(ctx context.Context, client k8s.Client, beatName string, ima
 			Args:         []string{"-c", config.filepath, "-e"},
 			Env:          defaults.PodDownwardEnvVars(),
 			VolumeMounts: volumeMounts,
-			SecurityContext: &corev1.SecurityContext{
-				Capabilities: &corev1.Capabilities{
-					Drop: []corev1.Capability{"ALL"},
-				},
-				Privileged:               ptr.Bool(false),
-				RunAsNonRoot:             ptr.Bool(true),
-				ReadOnlyRootFilesystem:   ptr.Bool(true),
-				AllowPrivilegeEscalation: ptr.Bool(false),
-			},
 		},
 		ConfigHash:   config.hash,
 		ConfigSecret: config.secret,

diff --git a/pkg/controller/elasticsearch/stackmon/sidecar.go b/pkg/controller/elasticsearch/stackmon/sidecar.go
@@ -10,6 +10,7 @@ import (
 	"hash/fnv"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
 
 	commonv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1"
 	esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1"
@@ -49,11 +50,33 @@ func Metricbeat(ctx context.Context, client k8s.Client, es esv1.Elasticsearch) (
 	if err != nil {
 		return stackmon.BeatSidecar{}, err
 	}
+	metricbeat.Container.SecurityContext = &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		Privileged:               pointer.Bool(false),
+		RunAsNonRoot:             pointer.Bool(true),
+		ReadOnlyRootFilesystem:   pointer.Bool(true),
+		AllowPrivilegeEscalation: pointer.Bool(false),
+	}
 	return metricbeat, nil
 }
 
 func Filebeat(ctx context.Context, client k8s.Client, es esv1.Elasticsearch) (stackmon.BeatSidecar, error) {
-	return stackmon.NewFileBeatSidecar(ctx, client, &es, es.Spec.Version, filebeatConfig, nil)
+	fileBeat, err := stackmon.NewFileBeatSidecar(ctx, client, &es, es.Spec.Version, filebeatConfig, nil)
+	if err != nil {
+		return stackmon.BeatSidecar{}, err
+	}
+	fileBeat.Container.SecurityContext = &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		Privileged:               pointer.Bool(false),
+		RunAsNonRoot:             pointer.Bool(true),
+		ReadOnlyRootFilesystem:   pointer.Bool(true),
+		AllowPrivilegeEscalation: pointer.Bool(false),
+	}
+	return fileBeat, nil
 }
 
 // WithMonitoring updates the Elasticsearch Pod template builder to deploy Metricbeat and Filebeat in sidecar containers