From 10351e23c7e253ad28201a3227ef9b122490da5d Mon Sep 17 00:00:00 2001
From: Michael Morello
Date: Sun, 23 Apr 2023 17:54:55 +0200
Subject: [PATCH] Only set a SecurityContext for Elasticsearch
---
 .../beat/common/stackmon/stackmon_test.go | 9 -------
 pkg/controller/common/stackmon/sidecar.go | 10 --------
 .../elasticsearch/stackmon/sidecar.go | 25 ++++++++++++++++++-
 3 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/pkg/controller/beat/common/stackmon/stackmon_test.go b/pkg/controller/beat/common/stackmon/stackmon_test.go
index 10311bd696..969e0020d1 100644
--- a/pkg/controller/beat/common/stackmon/stackmon_test.go
+++ b/pkg/controller/beat/common/stackmon/stackmon_test.go
@@ -32,15 +32,6 @@ func TestMetricBeat(t *testing.T) {
 Name: "metricbeat",
 Image: "docker.elastic.co/beats/metricbeat:8.2.3",
 Args: []string{"-c", "/etc/metricbeat-config/metricbeat.yml", "-e"},
- SecurityContext: &corev1.SecurityContext{
- Capabilities: &corev1.Capabilities{
- Drop: []corev1.Capability{"ALL"},
- },
- Privileged: pointer.Bool(false),
- RunAsNonRoot: pointer.Bool(true),
- ReadOnlyRootFilesystem: pointer.Bool(true),
- AllowPrivilegeEscalation: pointer.Bool(false),
- },
 Env: []corev1.EnvVar{
 {
 Name: "POD_IP",
diff --git a/pkg/controller/common/stackmon/sidecar.go b/pkg/controller/common/stackmon/sidecar.go
index 07c3d03fc4..f83b050832 100644
--- a/pkg/controller/common/stackmon/sidecar.go
+++ b/pkg/controller/common/stackmon/sidecar.go
@@ -9,7 +9,6 @@ import (
 "hash"
 
 corev1 "k8s.io/api/core/v1"
- ptr "k8s.io/utils/pointer"
 
 commonv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1"
 "github.com/elastic/cloud-on-k8s/v2/pkg/controller/common/container"
@@ -106,15 +105,6 @@ func NewBeatSidecar(ctx context.Context, client k8s.Client, beatName string, ima
 Args: []string{"-c", config.filepath, "-e"},
 Env: defaults.PodDownwardEnvVars(),
 VolumeMounts: volumeMounts,
- SecurityContext: &corev1.SecurityContext{
- Capabilities: &corev1.Capabilities{
- Drop: []corev1.Capability{"ALL"},
- },
- Privileged: ptr.Bool(false),
- RunAsNonRoot: ptr.Bool(true),
- ReadOnlyRootFilesystem: ptr.Bool(true),
- AllowPrivilegeEscalation: ptr.Bool(false),
- },
 },
 ConfigHash: config.hash,
 ConfigSecret: config.secret,
diff --git a/pkg/controller/elasticsearch/stackmon/sidecar.go b/pkg/controller/elasticsearch/stackmon/sidecar.go
index 65abe350f1..71c1e8951e 100644
--- a/pkg/controller/elasticsearch/stackmon/sidecar.go
+++ b/pkg/controller/elasticsearch/stackmon/sidecar.go
@@ -10,6 +10,7 @@ import (
 "hash/fnv"
 
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/pointer"
 
 commonv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1"
 esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1"
@@ -49,11 +50,33 @@ func Metricbeat(ctx context.Context, client k8s.Client, es esv1.Elasticsearch) (
 if err != nil {
 return stackmon.BeatSidecar{}, err
 }
+ metricbeat.Container.SecurityContext = &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: pointer.Bool(false),
+ RunAsNonRoot: pointer.Bool(true),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ }
 return metricbeat, nil
 }
 
 func Filebeat(ctx context.Context, client k8s.Client, es esv1.Elasticsearch) (stackmon.BeatSidecar, error) {
- return stackmon.NewFileBeatSidecar(ctx, client, &es, es.Spec.Version, filebeatConfig, nil)
+ fileBeat, err := stackmon.NewFileBeatSidecar(ctx, client, &es, es.Spec.Version, filebeatConfig, nil)
+ if err != nil {
+ return stackmon.BeatSidecar{}, err
+ }
+ fileBeat.Container.SecurityContext = &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: pointer.Bool(false),
+ RunAsNonRoot: pointer.Bool(true),
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ }
+ return fileBeat, nil
 }
 
 // WithMonitoring updates the Elasticsearch Pod template builder to deploy Metricbeat and Filebeat in sidecar containers
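Review bot: The restricted SecurityContext literal is now written out twice, once in Metricbeat and once in the new Filebeat body, so the two sidecars can silently drift the next time a field is tightened or relaxed; a small unexported constructor called from both keeps them identical and gives the hardening a single place to be documented. Because the same literal was removed from the shared NewBeatSidecar in the earlier hunk, other callers of that helper now build a container with a nil SecurityContext; that appears to be the intent of the change, so the constructor's doc comment should state that this hardening is applied only to the Elasticsearch monitoring sidecars. Metricbeat's body begins above the hunk.
```go
// sidecarSecurityContext returns the restricted SecurityContext applied to the
// Elasticsearch stack-monitoring sidecars (Metricbeat and Filebeat); other Beat
// sidecars built via stackmon.NewBeatSidecar do not receive one.
func sidecarSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		Privileged:               pointer.Bool(false),
		RunAsNonRoot:             pointer.Bool(true),
		ReadOnlyRootFilesystem:   pointer.Bool(true),
		AllowPrivilegeEscalation: pointer.Bool(false),
	}
}

// … unchanged: Metricbeat body up to and including the error check …
	metricbeat.Container.SecurityContext = sidecarSecurityContext()
	return metricbeat, nil

// … unchanged: Filebeat signature, NewFileBeatSidecar call and error check …
	fileBeat.Container.SecurityContext = sidecarSecurityContext()
	return fileBeat, nil
```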