Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support arbitrary user IDs in secured Kubernetes environments #18871

Closed
jsoriano opened this issue May 31, 2020 · 2 comments · Fixed by #18873
Closed

Support arbitrary user IDs in secured Kubernetes environments #18871

jsoriano opened this issue May 31, 2020 · 2 comments · Fixed by #18873
Assignees
@jsoriano
Labels
discuss Issue needs further discussion. Team:Platforms Label for the Integrations - Platforms team

Comments

@jsoriano
Copy link
Member

jsoriano commented May 31, 2020
edited by andresrc
Loading

Add support for arbitrary user IDs in secured Kubernetes environments without needing to disable permission checks.

#12905 added support for arbitrary user IDs, but it changed the permissions of the files in a way that require Beats docker images to be run with BEAT_STRICT_PERMS=false, what is not recommended so far.

We should find a way to support arbitrary user IDs, without changing the current behaviour for the rest of cases.

Related issues:
@jsoriano jsoriano added discuss Issue needs further discussion. Team:Platforms Label for the Integrations - Platforms team labels May 31, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@jsoriano jsoriano mentioned this issue May 31, 2020
Merged
@jsoriano
Copy link
Member Author

From OpenShift recommendations: "For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions."

As the files that conflict with BEAT_STRICT_PERMS don't need to be written by the beat, maybe it is enough with changing the group owner to root, and leave the permissions as they were before #12905.

@jsoriano jsoriano mentioned this issue May 31, 2020
Merged
@jsoriano jsoriano self-assigned this May 31, 2020
@jsoriano jsoriano mentioned this issue Jun 2, 2020
Merged
@zube zube bot added [zube]: Done and removed [zube]: Ready labels Jul 1, 2020
@jsoriano jsoriano mentioned this issue Jul 1, 2020
Merged
@pebrc pebrc mentioned this issue Jan 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsoriano jsoriano

Labels
discuss Issue needs further discussion. Team:Platforms Label for the Integrations - Platforms team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow the Docker image to be run with a random user id (#12905) jsoriano/beats
3 participants
@jsoriano @andresrc @elasticmachine