This repository has been archived by the owner on May 16, 2023. It is now read-only.

[elasticsearch] Create or allow setting a serviceAccount to be used #61

Closed
rwittrick opened this issue Feb 14, 2019 · 4 comments

@rwittrick
Contributor

Hopefully most clusters have something along the lines of restricted for the default service account in a namespace. By default, with no serviceAccount specified, the default serviceAccount is used.

Two values are required, one for the initContainer, which is already requiring privileged permissions and root access, and one for the es container, which doesn't require the same level.

@jordansissel
Contributor

I'm not following, though there are gaps in my kubernetes knowledge. Do you mean PodSecurityPolicy, instead of service account?

@rwittrick
Contributor Author

A pod security policy is a cluster level resource. They can be assigned to pods via (cluster) roles and bindings. One way to add a role to a pod is through service accounts. Hopefully most cluster admins have implemented the restricted psp linked above and applied it through a CRB to the default service account (like a default least privilege thing).

Every namespace has a default service account that is, by default, applied to every pod if a service account is not supplied in the manifest.

Services that use the default namespace service account, like the elasticsearch chart, will auto-inherit the psp assigned to the default service account.

Allowing this chart to set its own service account allows for granular control of security policies throughout a cluster.

@Crazybus
Contributor

It isn't currently possible to specify serviceAccounts on a container level; kubernetes/kubernetes#66020 is the issue tracking adding this in to Kubernetes.

#38 is the pull request where this was added for Kibana. The only difference being that we will also want to allow the securityContext to be set on a pod level (like in the Kibana PR) and for both of the containers.

@jordansissel https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container might clear it up for you a bit.
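An added example (not code from this issue, the chart, or the linked PRs) of the rendered manifests the thread is asking for: a dedicated service account bound to a restricted PSP, a pod-level securityContext, and a per-container securityContext that keeps the privileged init container separate from the unprivileged Elasticsearch container. The resource names, the ClusterRole `psp:restricted`, and the image placeholders are assumptions.

```yaml
# Dedicated account instead of the namespace "default" one, so the policy
# bound to it applies only to this workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elasticsearch            # assumed name
---
# Bind the (assumed) ClusterRole that grants "use" on the restricted PSP
# to that account only, instead of to the namespace default account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elasticsearch-psp-restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted           # assumed ClusterRole name
subjects:
  - kind: ServiceAccount
    name: elasticsearch
---
apiVersion: v1
kind: Pod
metadata:
  name: elasticsearch-master-0   # assumed name
spec:
  serviceAccountName: elasticsearch
  # Pod-level defaults, inherited by every container unless overridden below.
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
    fsGroup: 1000
  initContainers:
    - name: init                 # assumed name
      image: INIT_IMAGE_PLACEHOLDER
      # The init step the issue describes needs root and privileged mode;
      # the container-level context scopes that to this container only.
      securityContext:
        privileged: true
        runAsUser: 0
        runAsNonRoot: false
  containers:
    - name: elasticsearch
      image: ES_IMAGE_PLACEHOLDER
      # The ES container keeps the pod defaults and drops what it does not need.
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Container-level fields override the pod-level ones, which is why the init container can run as root while the pod default stays runAsNonRoot.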

@jmlrt
Member

jmlrt commented Sep 23, 2019

This was implemented in #265, so I'm closing this issue.
