Pods created by Elasticsearch chart require privileged container access
See original GitHub issueChart version: 7.7.0 Kubernetes version: 1.17.6 Kubernetes provider: E.g. GKE (Google Kubernetes Engine) On Premises Helm Version: 3.2.1 Describe the bug: When deploying the Elasticsearch Helm Chart pods fail to start as they don’t adhere to our default Pod Security Policy of not having privileged container access to the hosts. I don’t think that a pod of this nature should require privileged access as they shouldn’t be using the hosts capabilities to run the elasticsearch appication. Steps to reproduce:
- Have a Pod Security policy that requires non-privileged pods deployed on the cluster, such as the recommended baseline policy in the kubernetes documentation
- Deploy the elasticsearch helm chart,
helm upgrade --install elasticsearch elastic/elasticsearch -f values.yaml --version 7.7.0
- Describe one of the stateful sets created by the chart, e.g.
kubectl describe statefulset/<elasticsearch-cluster-name>-master
- See the following error:
create Pod <elasticsearch-cluster-name>-master-0 in StatefulSet <elasticsearch-cluster-name>-master failed error: pods "<elasticsearch-cluster-name>-master-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
Expected behavior: Pods created by this helm chart not to require privileged container access.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:4
- Comments:5 (1 by maintainers)
Top Results From Across the Web
Kubernetes Privileged Pod Created | Elastic Security Solution ...
This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources...
Read more >Manage compute resources | Elastic Cloud on Kubernetes [2.5]
The available memory is defined by the value of resources.limits.memory set on the elasticsearch container in the Pod template, or the available memory...
Read more >Security Context | Elastic Cloud on Kubernetes [master]
In Kubernetes, a securityContext defines privilege and access control settings for a Pod or Container. You can set up it through the podTemplate...
Read more >Virtual memory | Elastic Cloud on Kubernetes [2.5]
Note that this requires the ability to run privileged containers, which is likely not the case on many secure clusters. For more information,...
Read more >Grant privileged permissions to Beats - Elastic
Deploying Beats on Openshift may require some privileged permissions. ... runAsUser: 0 privileged: true # This is required to access other containers logs ......
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Ah I see. I should’ve known it was just trying to stop me from shooting myself in the foot. Thanks for the clarification and solution.
@ol-metaswitch Thank you for opening an issue.
Looking at the error you included, this appears to be coming from one of the
initContainers
, specifically theconfigure-sysctl
container: https://github.com/elastic/helm-charts/blob/fa72b483f8b2476877a8490b32dcbcc5fc384b94/elasticsearch/templates/statefulset.yaml#L151-L161As per the chart README, this container can be disabled if you are setting the correct
vm.max_map_count
sysctl value via another method:Adding the following to your
values.yaml
should get things working for you:Let us know if that doesn’t work for you.