This repository has been archived by the owner on May 16, 2023. It is now read-only.

[metricbeat] split security context for daemonset and deployment
jmlrt committed Apr 15, 2020
1 parent 7914ffb commit 07877a6
Showing 5 changed files with 132 additions and 22 deletions.
6 changes: 4 additions & 2 deletions metricbeat/README.md
Expand Up @@ -70,11 +70,13 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `daemonset.affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` |
| `daemonset.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `DaemonSet`. | see [values.yaml][] |
| `daemonset.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` |
| `daemonset.securityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` pod execution environment. | `runAsUser: 0`<br>`privileged: false` |
| `daemonset.resources` | Allows you to set the [resources][] for Metricbeat `DaemonSet`. | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
| `daemonset.tolerations` | Configurable [tolerations][] for Metricbeat `DaemonSet`. | `[]` |
| `deployment.affinity` | Configurable [affinity][] for Metricbeat `Deployment`. | `{}` |
| `deployment.metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for Metricbeat `Deployment`. | see [values.yaml][] |
| `deployment.nodeSelector` | Configurable [nodeSelector][] for Metricbeat `Deployment`. | `{}` |
| `deployment.securityContext` | Configurable [securityContext][] for Metricbeat `Deployment` pod execution environment. | `runAsUser: 0`<br>`privileged: false` |
| `deployment.resources` | Allows you to set the [resources][] for Metricbeat `Deployment`. | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
| `deployment.tolerations` | Configurable [tolerations][] for Metricbeat `Deployment`. | `[]` |
| `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` |
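Review bot: the two new rows (`daemonset.securityContext`, `deployment.securityContext`) describe the value as the "pod execution environment", but the templates render it under the first container (the tests assert on `containers[0]["securityContext"]`), so this is the container-level securityContext rather than the pod-level `spec.securityContext`; suggest wording such as "Configurable [securityContext][] for the Metricbeat `DaemonSet` container" so readers do not expect pod-level fields to work here.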
Expand All @@ -92,7 +94,6 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` |
| `clusterRoleRules` | Configurable [cluster role rules][] that Metricbeat uses to access Kubernetes resources. | see [values.yaml][] |
| `podAnnotations` | Configurable [annotations][] applied to all Metricbeat pods | `{}` |
| `podSecurityContext` | Configurable [podSecurityContext][] for Metricbeat pod execution environment | `runAsUser: 0`<br>`privileged: false` |
| `livenessProbe` | Parameters to pass to [liveness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `readinessProbe` | Parameters to pass to [readiness probe][] checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `serviceAccount` | Custom [serviceAccount][] that Metricbeat will use during execution. By default will use the service account created by this chart. | `""` |
Expand All @@ -109,6 +110,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.6.2
| `affinity` | Configurable [affinity][] for Metricbeat `DaemonSet`. | `{}` |
| `metricbeatConfig` | Allows you to add any config files in `/usr/share/metricbeat` such as `metricbeat.yml` for both Metricbeat `DaemonSet` and `Deployment`. | see [values.yaml][] |
| `nodeSelector` | Configurable [nodeSelector][] for Metricbeat `DaemonSet`. | `{}` |
| `podSecurityContext` | Configurable [securityContext][] for Metricbeat `DaemonSet` and `Deployment` pod execution environment. | `runAsUser: 0`<br>`privileged: false` |
| `resources` | Allows you to set the [resources][] for both Metricbeat `DaemonSet` and `Deployment`. | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
| `tolerations` | Configurable [tolerations][] for both Metricbeat `DaemonSet` and `Deployment`. | `[]` |
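Review bot: the re-added `podSecurityContext` row should say that it is deprecated and that, when set to a non-empty value, it overrides both `daemonset.securityContext` and `deployment.securityContext` (the templates use `.Values.podSecurityContext | default ...`, and the new test is named `test_setting_deprecated_pod_security_context`); as written it reads like a third, equal option.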

Expand Down Expand Up @@ -173,7 +175,7 @@ make goss
[liveness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
[name of the PriorityClass]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
[nodeSelector]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
[podSecurityContext]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[securityContext]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[readiness probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
[serviceAccount]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
5 changes: 1 addition & 4 deletions metricbeat/templates/daemonset.yaml
Expand Up @@ -117,10 +117,7 @@ spec:
envFrom:
{{ toYaml .Values.envFrom | indent 10 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 10 }}
{{- end }}
securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.daemonset.securityContext ) | nindent 10 }}
volumeMounts:
{{- range .Values.secretMounts }}
- name: {{ .name }}
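Review bot: the precedence in `.Values.podSecurityContext | default .Values.daemonset.securityContext` lets the deprecated global value silently win over the workload-specific one, and the removed `{{- if }}` guard means a user who clears both now gets `securityContext:` rendered with an empty map instead of no key at all. Consider giving `daemonset.securityContext` precedence (or failing the render when both are set) and noting the deprecation in a template comment; the fallback itself is fine, since `default` treats the `podSecurityContext: {}` default as unset.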
5 changes: 1 addition & 4 deletions metricbeat/templates/deployment.yaml
Expand Up @@ -95,10 +95,7 @@ spec:
envFrom:
{{ toYaml .Values.envFrom | indent 10 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 10 }}
{{- end }}
securityContext: {{ toYaml ( .Values.podSecurityContext | default .Values.deployment.securityContext ) | nindent 10 }}
volumeMounts:
{{- range .Values.secretMounts }}
- name: {{ .name }}
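Review bot: this line is the same expression as in daemonset.yaml with only the fallback key changed; moving it into a named template in the chart's helpers file (a suggestion, not something the chart has today) would keep the two from drifting and give the podSecurityContext precedence rule one place to be documented.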
118 changes: 115 additions & 3 deletions metricbeat/tests/metricbeat_test.py
Expand Up @@ -33,6 +33,31 @@ def test_defaults():
== []
)

assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 0
)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 0
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)

# Empty customizable defaults
assert "imagePullSecrets" not in r["daemonset"][name]["spec"]["template"]["spec"]

Expand Down Expand Up @@ -283,14 +308,101 @@ def test_self_managing_rbac_resources():

def test_setting_pod_security_context():
config = """
daemonset:
securityContext:
runAsUser: 1001
privileged: false
"""
r = helm_template(config)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 1001
)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 0
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)

config = """
deployment:
securityContext:
runAsUser: 1001
privileged: false
"""
r = helm_template(config)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 1001
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== False
)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)


def test_setting_deprecated_pod_security_context():
config = """
podSecurityContext:
runAsUser: 1001
privileged: false
"""
r = helm_template(config)
c = r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0]
assert c["securityContext"]["runAsUser"] == 1001
assert c["securityContext"]["privileged"] == False
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 1001
)
assert (
r["daemonset"][name]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["runAsUser"]
== 1001
)
assert (
r["deployment"][name + "-metrics"]["spec"]["template"]["spec"]["containers"][0][
"securityContext"
]["privileged"]
== False
)


def test_adding_in_metricbeat_config():
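Review bot: in `test_setting_pod_security_context`, the daemonset `runAsUser` check after the `deployment:` config asserts `== False` where it should assert `== 0` (the default); it passes only because `0 == False` in Python, so it would also pass if the template wrongly rendered `runAsUser: false`. In `test_setting_deprecated_pod_security_context`, the `c = ...` lines and the two long assertions that follow check the same daemonset values twice; keep one form. Consider also asserting that a non-empty `podSecurityContext` overrides an explicitly set `daemonset.securityContext`, since that precedence is the behaviour the `default` in the templates introduces and nothing here pins it down.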
20 changes: 11 additions & 9 deletions metricbeat/values.yaml
Expand Up @@ -53,6 +53,13 @@ daemonset:
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
nodeSelector: {}
# Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly.
# - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000.
# - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
# - Whether to execute the metricbeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift.
securityContext:
runAsUser: 0
privileged: false
resources:
requests:
cpu: "100m"
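Review bot: the comment moved above `daemonset.securityContext` lists three settings (filesystem group, user, privileged) but the block below only sets `runAsUser` and `privileged`; either drop the filesystem-group bullet or add the key it describes. Also "Typically not necessarily unless" should read "Typically not necessary unless".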
Expand Down Expand Up @@ -82,6 +89,9 @@ deployment:
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
nodeSelector: {}
securityContext:
runAsUser: 0
privileged: false
resources:
requests:
cpu: "100m"
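Review bot: `deployment.securityContext` keeps `runAsUser: 0` with no comment, while the only justification given for running as root (in the daemonset comment above) is collecting host container logs; now that the two contexts are split, state why the Deployment needs root as well, or default it to a non-root user if it does not.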
Expand Down Expand Up @@ -190,15 +200,6 @@ clusterRoleRules:
podAnnotations: {}
# iam.amazonaws.com/role: es-cluster

# Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly.
#
# - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000.
# - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
# - Whether to execute the metricbeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift.
podSecurityContext:
runAsUser: 0
privileged: false

# Custom service account override that the pod will use
serviceAccount: ""

Expand Down Expand Up @@ -229,5 +230,6 @@ affinity: {}
# such as metricbeat.yml for both daemonset and deployment
metricbeatConfig: {}
nodeSelector: {}
podSecurityContext: {}
resources: {}
tolerations: []
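Review bot: `podSecurityContext: {}` is added among the shared settings without any comment; mark it deprecated and say that a non-empty value replaces both `daemonset.securityContext` and `deployment.securityContext`, otherwise a user migrating from the old key will not know that the per-workload keys are then ignored.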

0 comments on commit 07877a6
