
Support running Agent as a non-root #6700

Merged
merged 74 commits into from
Aug 7, 2023

Conversation

naemono
Contributor

@naemono naemono commented Apr 18, 2023

relates #6599

This adds documentation to allow a user to run a DaemonSet to automatically adjust Agent hostPath permissions and allow the user to not run the Agent as runAsUser: 0.

This also only updates the CA store in Agent if version is < 7.14.0, which also removes the need to run Agent+Fleet as root, which was verified locally. The minimum version of Agent+Fleet we allow is 7.14.0.

Changes

  • We only set the Elasticsearch CA to be trusted by the pod's CA store when the pod is set to run as root. The documentation discusses and gives examples on how to run Agent+Fleet as non-root and the Kibana changes required for the Elasticsearch CA to be trusted.

TODO

  • Test the update-ca-trust requirement for running with Fleet.
  • Update the Agent+Fleet documentation
  • End-to-End test using Daemonset + Agent + Fleet running as non-root
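The rule the description lays out (touch the pod's CA store only when the pod runs as root; otherwise the Elasticsearch CA has to be supplied through the output configuration, and Agent+Fleet must be at least 7.14.0) can be written down as a small decision function. The program below is an added example, not ECK's code: the `SecurityContext`/`PodSpec` types are stand-ins for the Kubernetes fields rather than the `k8s.io/api` types, treating an unset `runAsUser` as non-root is an assumption made here, and the standalone (non-Fleet) note is likewise an assumption about where the CA would go.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Stand-ins for the Kubernetes securityContext fields this decision uses
// (hypothetical, not the k8s.io/api types).
type SecurityContext struct{ RunAsUser *int64 }

type PodSpec struct {
	Pod        *SecurityContext   // pod-level securityContext
	Containers []*SecurityContext // one entry per container; nil when unset
}

// MinFleetVersion is the oldest Agent+Fleet version accepted, per the PR text.
const MinFleetVersion = "7.14.0"

// ParseVersion parses "MAJOR.MINOR.PATCH"; a "-suffix" such as "-SNAPSHOT" is ignored.
func ParseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.SplitN(v, "-", 2)[0], ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("version %q has a bad component %q", v, p)
		}
		out[i] = n
	}
	return out, nil
}

func lessThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// RunningAsRoot reports whether any container resolves to uid 0. A container-level
// runAsUser overrides the pod-level one. Assumption (not taken from ECK): when
// neither level sets runAsUser the pod is treated as non-root, so no CA-store update.
func RunningAsRoot(spec PodSpec) bool {
	var podUID *int64
	if spec.Pod != nil {
		podUID = spec.Pod.RunAsUser
	}
	if len(spec.Containers) == 0 {
		return podUID != nil && *podUID == 0
	}
	for _, c := range spec.Containers {
		uid := podUID
		if c != nil && c.RunAsUser != nil {
			uid = c.RunAsUser
		}
		if uid != nil && *uid == 0 {
			return true
		}
	}
	return false
}

// CATrustPlan says where the Elasticsearch CA has to be made trusted.
type CATrustPlan struct {
	UpdatePodCAStore bool   // run update-ca-trust inside the Agent pod (root only)
	Note             string // what must happen instead when the pod is not root
}

// PlanCATrust enforces the Fleet minimum version and applies the root-only rule.
func PlanCATrust(agentVersion string, fleetEnabled bool, spec PodSpec) (CATrustPlan, error) {
	v, err := ParseVersion(agentVersion)
	if err != nil {
		return CATrustPlan{}, err
	}
	minV, _ := ParseVersion(MinFleetVersion)
	if fleetEnabled && lessThan(v, minV) {
		return CATrustPlan{}, fmt.Errorf("Agent+Fleet %s is below the minimum %s", agentVersion, MinFleetVersion)
	}
	if RunningAsRoot(spec) {
		return CATrustPlan{UpdatePodCAStore: true, Note: "CA added to the pod trust store via update-ca-trust"}, nil
	}
	if fleetEnabled {
		return CATrustPlan{Note: "non-root: set ssl.certificate_authorities on the Kibana xpack.fleet.outputs entry"}, nil
	}
	// Assumption: standalone Agent trusts the CA through its own output ssl settings.
	return CATrustPlan{Note: "non-root standalone: reference the CA in the Agent output ssl settings"}, nil
}

func main() {
	zero, thousand := int64(0), int64(1000)
	root := PodSpec{Pod: &SecurityContext{RunAsUser: &zero}}
	mixed := PodSpec{Pod: &SecurityContext{RunAsUser: &zero}, Containers: []*SecurityContext{{RunAsUser: &thousand}}}
	for _, spec := range []PodSpec{root, mixed} {
		p, err := PlanCATrust("8.9.0", true, spec)
		fmt.Printf("root=%v updateCAStore=%v note=%q err=%v\n", RunningAsRoot(spec), p.UpdatePodCAStore, p.Note, err)
	}
}
```

The container-level override matters in practice: a pod template with `runAsUser: 0` at the pod level but `runAsUser: 1000` on the agent container is non-root for this purpose, and the CA then has to come from the Kibana output configuration rather than from `update-ca-trust`.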

…rmissions.

Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
@naemono naemono added the >docs Documentation label Apr 18, 2023
naemono added 5 commits April 18, 2023 15:00
…naging hostpath permissions.

Adding e2e test for running Agent+Fleet as non-root with Daemonset.

@naemono naemono changed the title Docs: Daemonset to manage Agent hostpath Permissions Daemonset to manage Agent hostpath Permissions Apr 19, 2023
@naemono naemono added the >enhancement Enhancement of existing functionality label Apr 19, 2023
@naemono
Contributor Author

naemono commented Apr 19, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.7.0,s=7.17.8

@naemono
Contributor Author

naemono commented Apr 19, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.7.0,s=7.17.8

@naemono
Contributor Author

naemono commented Apr 19, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.7.0,s=7.17.8

naemono added 4 commits April 20, 2023 10:09
naemono added 4 commits May 24, 2023 11:09
Use tweakConfigLiterals to properly adjust output map.

naemono added 5 commits June 13, 2023 10:44
Check type assertions properly.

Contributor

@barkbay barkbay left a comment


Almost LGTM. Overall it feels complicated and hacky (especially runningAsRoot) but I'm not sure there is a good alternative.

naemono added 2 commits August 1, 2023 08:21
…t's only functional from 2.10.0+.

Remove is_default and is_default_fleet_server from fleet-kubernetes-integration-noroot.yaml as they're deprecated.
Reword the sentence about certificate_authorities.ssl in xpack.fleet.outputs within the Kibana resource.
Modify the note about the daemonset needing to run as root.

@naemono
Contributor Author

naemono commented Aug 1, 2023

Almost LGTM. Overall it feels complicated and hacky (especially runningAsRoot) but I'm not sure there is a good alternative.

I don't disagree here. This has been a complicated issue since its inception. We initially tried to "just make it work" within the eck controller, but thought that the permissions needed were a bit too much from a security standpoint, so decided to try and document how this could be done. Unfortunately this was the only solution found when working with the Fleet team. Honestly I'm not sure at this point if leaving the root requirement in place is a simpler solution than documenting the complexities of this non-root solution, but I'd love others' input into this question.
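The alternative the thread settles on is a DaemonSet that fixes the hostPath ownership and mode so the Agent itself can run as non-root. The program below is an added example, not the recipe from this PR or ECK code; it shows the fixer with the check a privileged permission-fixer on a node needs: refuse any symlink in the path, and apply the chown/chmod through a handle opened with O_NOFOLLOW|O_DIRECTORY so a link planted under the hostPath cannot redirect the privileged chown to another file on the node. The demo path and the uid:gid passed in main are assumed; the ownership check relies on syscall.Stat_t, so it is Linux/Unix only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// rejectSymlinks walks every existing component of an absolute path with Lstat
// and fails on the first symlink; components that do not exist yet are fine.
func rejectSymlinks(abs string) error {
	sep := string(filepath.Separator)
	cur := sep
	for _, part := range strings.Split(strings.Trim(abs, sep), sep) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			return nil // rest of the path will be created by MkdirAll
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%s is a symlink; refusing to operate through it", cur)
		}
	}
	return nil
}

// VerifyHostPath checks that dir is a real directory owned by uid:gid with exactly
// the given permission bits.
func VerifyHostPath(dir string, uid, gid int, mode os.FileMode) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if got := fi.Mode().Perm(); got != mode.Perm() {
		return fmt.Errorf("%s has mode %o, want %o", dir, got, mode.Perm())
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("cannot read ownership of %s on this platform", dir)
	}
	if int(st.Uid) != uid || int(st.Gid) != gid {
		return fmt.Errorf("%s is owned by %d:%d, want %d:%d", dir, st.Uid, st.Gid, uid, gid)
	}
	return nil
}

// FixHostPath creates dir if needed, then chowns it to uid:gid and sets mode.
// The ownership and mode changes go through a directory handle opened with
// O_NOFOLLOW, so a path swapped for a symlink after the walk is still refused.
func FixHostPath(dir string, uid, gid int, mode os.FileMode) error {
	abs, err := filepath.Abs(dir)
	if err != nil {
		return err
	}
	if err := rejectSymlinks(abs); err != nil {
		return err
	}
	if err := os.MkdirAll(abs, mode); err != nil {
		return err
	}
	f, err := os.OpenFile(abs, os.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return fmt.Errorf("open %s as a real directory: %w", abs, err)
	}
	defer f.Close()
	if err := f.Chown(uid, gid); err != nil {
		return err
	}
	// MkdirAll applies the umask, so set the bits explicitly.
	if err := f.Chmod(mode); err != nil {
		return err
	}
	return VerifyHostPath(abs, uid, gid, mode)
}

func main() {
	// Constructed demo path; the DaemonSet would pass the node hostPath used by
	// the Agent and the Agent's uid:gid (assumed 1000:1000 in the recipe).
	dir := filepath.Join(os.TempDir(), "elastic-agent-hostpath-demo")
	fmt.Println("fix result:", FixHostPath(dir, os.Getuid(), os.Getgid(), 0o750))
}
```

Running this as uid 0 on every node is exactly the privilege the thread is uneasy about, which is why the fixer should do nothing beyond creating, re-owning and verifying the one directory it is given.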

@naemono
Contributor Author

naemono commented Aug 1, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8

Testing a final time after removing is_default* and adding PolicyID to ensure completeness.

@naemono
Contributor Author

naemono commented Aug 1, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8

Hopefully last one after reverting the addition of a # comment to the yaml.

@naemono
Contributor Author

naemono commented Aug 1, 2023

Somehow the last change, removing is_default and adding PolicyID, broke the e2e tests.

The es output isn't being propagated agent => metricbeat

elasticsearch url: http://localhost:9200

Something to do with this:

    xpack.fleet.outputs:
    - id: eck-fleet-agent-output-elasticsearch
      name: eck-elasticsearch
      type: elasticsearch
      hosts: ["https://elasticsearch-es-http.default.svc:9200"]
      ssl:
        certificate_authorities: ["/mnt/elastic-internal/elasticsearch-association/default/elasticsearch/certs/ca.crt"]

I'll investigate and resolve and update.

@naemono
Contributor Author

naemono commented Aug 2, 2023

buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8

@naemono
Contributor Author

naemono commented Aug 2, 2023

Ok, is_default: true is required on the xpack.fleet.outputs, which was causing the error. The e2e tests appear to be passing now.

@pebrc @thbkrkr @barkbay This is ready for the next set of eyes when you all have the time. Thanks.

Collaborator

@pebrc pebrc left a comment


LGTM just a few more nits.

naemono added 2 commits August 2, 2023 11:36
Remove bold font.
Use full wording for SCC.
Sets up, not maintains.

@naemono naemono requested review from pebrc and barkbay August 3, 2023 13:14
@thbkrkr thbkrkr added the v2.10.0 label Aug 3, 2023
Contributor

@barkbay barkbay left a comment


LGTM

@naemono naemono merged commit 57902df into elastic:main Aug 7, 2023
@naemono naemono deleted the 6239-agent-hostpath-docs branch August 7, 2023 12:41
@pebrc pebrc changed the title Daemonset to manage Agent hostpath Permissions Document how to run Agent as a non-root Sep 27, 2023
@pebrc pebrc changed the title Document how to run Agent as a non-root Document and support running running Agent as a non-root Sep 27, 2023
@rhr323 rhr323 changed the title Document and support running running Agent as a non-root Support running Agent as a non-root Oct 25, 2023
@dbalijapalli0264

Hello Elastic team,
Is this change backward compatible too? meaning can we run it on ECK operator 2.9? or should we have ECK operator 2.10?

Labels
>docs Documentation >enhancement Enhancement of existing functionality v2.10.0