diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index 9bb22193a..df82fee0b 100644
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
@@ -83,6 +83,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "elasticsearch-client" "containerNames" (list "elasticsearch-client") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "client" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -94,9 +95,7 @@ spec:
 - name: memory-map-increase
 {{ tuple $envAll "memory_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.client | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "client" "container" "memory_map_increase" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - sysctl
 - -w
@@ -105,6 +104,7 @@ spec:
 - name: apache-proxy
 {{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/apache.sh
 - start
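Review bot: Every container in the client pod now runs as UID 0: the pod-level include added under `spec:` in the first hunk reads `runAsUser: 0` from `pod.security_context.client.pod` in values.yaml (presumably via the helm-toolkit snippet), whereas the inline context removed in the second hunk set `runAsUser: 0` only on the memory-map-increase init container, and the new `apache_proxy` and `elasticsearch_client` container blocks in values set no `runAsUser` of their own. Unless the image entrypoints drop privileges themselves, this widens root from the sysctl init container to the proxy and Elasticsearch processes. Consider keeping `runAsUser: 0` on the `memory_map_increase` container block instead of the pod block, or giving the other container blocks a non-root `runAsUser`. The same pattern is in deployment-master and statefulset-data, and the job-es-cluster-wait, job-register-snapshot-repository and pod-helm-tests pods, which previously rendered no securityContext at all, now also get an explicit UID 0 from values.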
@@ -141,12 +141,7 @@ spec:
 - name: elasticsearch-client
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.client | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- capabilities:
- add:
- - IPC_LOCK
- - SYS_RESOURCE
+{{ dict "envAll" $envAll "application" "client" "container" "elasticsearch_client" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/elasticsearch.sh
 - start
diff --git a/elasticsearch/templates/deployment-master.yaml b/elasticsearch/templates/deployment-master.yaml
index 485cdce65..3b72732d0 100644
--- a/elasticsearch/templates/deployment-master.yaml
+++ b/elasticsearch/templates/deployment-master.yaml
@@ -81,6 +81,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ dict "envAll" $envAll "podName" "elasticsearch-master" "containerNames" (list "elasticsearch-master") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "master" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -92,21 +93,14 @@ spec:
 - name: memory-map-increase
 {{ tuple $envAll "memory_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.master | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "master" "container" "memory_map_increase" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - sysctl
 - -w
 - vm.max_map_count={{ .Values.conf.init.max_map_count }}
 containers:
 - name: elasticsearch-master
- securityContext:
- privileged: true
- capabilities:
- add:
- - IPC_LOCK
- - SYS_RESOURCE
+{{ dict "envAll" $envAll "application" "master" "container" "elasticsearch_master" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.master | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 command:
diff --git a/elasticsearch/templates/job-es-cluster-wait.yaml b/elasticsearch/templates/job-es-cluster-wait.yaml
index aeb30a20e..ae4e7e369 100644
--- a/elasticsearch/templates/job-es-cluster-wait.yaml
+++ b/elasticsearch/templates/job-es-cluster-wait.yaml
@@ -34,6 +34,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
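Review bot: In the elasticsearch-master container of the deployment-master hunk, the added container security context include sits before the image and resources includes, whereas in deployment-client, statefulset-data and the memory-map-increase init container of this same hunk it follows the resources include. Rendering is unaffected since each include emits its own keys, but moving the line to directly after `{{ tuple $envAll $envAll.Values.pod.resources.master | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}` keeps the container blocks in the same order across the three templates and makes them diffable against each other.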
@@ -44,6 +45,7 @@ spec:
 - name: elasticsearch-cluster-wait
 {{ tuple $envAll "es_cluster_wait" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.es_cluster_wait | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "es_cluster_wait" "container" "elasticsearch_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: ELASTICSEARCH_USERNAME
 valueFrom:
diff --git a/elasticsearch/templates/job-register-snapshot-repository.yaml b/elasticsearch/templates/job-register-snapshot-repository.yaml
index 7bcddfe91..272c83f3d 100644
--- a/elasticsearch/templates/job-register-snapshot-repository.yaml
+++ b/elasticsearch/templates/job-register-snapshot-repository.yaml
@@ -35,6 +35,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "snapshot-repository" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "snapshot_repository" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -45,6 +46,7 @@ spec:
 - name: register-snapshot-repository
 {{ tuple $envAll "snapshot_repository" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.snapshot_repository | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "snapshot_repository" "container" "register_snapshot_repository" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: ELASTICSEARCH_USERNAME
 valueFrom:
diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
index 84a1dfe44..df33178c1 100644
--- a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -41,7 +41,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
-{{ dict "envAll" $envAll "application" "elasticsearch_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.elasticsearch.node_selector_key }}: {{ .Values.labels.elasticsearch.node_selector_value | quote }}
@@ -52,7 +52,7 @@ spec:
 - name: elasticsearch-exporter
 {{ tuple $envAll "prometheus_elasticsearch_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "elasticsearch_exporter" "container" "elasticsearch_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "exporter" "container" "elasticsearch_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/elasticsearch-exporter.sh
 - start
diff --git a/elasticsearch/templates/pod-helm-tests.yaml b/elasticsearch/templates/pod-helm-tests.yaml
index bee2b8c91..1d08557c6 100644
--- a/elasticsearch/templates/pod-helm-tests.yaml
+++ b/elasticsearch/templates/pod-helm-tests.yaml
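Review bot: Renaming the application key from `elasticsearch_exporter` to `exporter` in both exporter-deployment hunks changes the values path that operators override, from `pod.security_context.elasticsearch_exporter` to `pod.security_context.exporter`, so an existing override under the old key is silently ignored and the chart defaults apply instead. Nothing in the commit records the rename. A `# renamed from elasticsearch_exporter` comment beside `exporter:` in values.yaml, or a line in the chart's release notes, would flag it for anyone carrying overrides.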
@@ -31,6 +31,7 @@ metadata:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -41,6 +42,7 @@ spec:
 - name: {{.Release.Name}}-helm-tests
 {{ tuple $envAll "helm_tests" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "helm_tests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 command:
 - /tmp/helm-tests.sh
 env:
diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index 95ee2ea10..dff7aa09f 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -81,6 +81,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "data" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
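Review bot: The container key passed in the second pod-helm-tests hunk, `helm_tests`, does not match the key the values.yaml hunk defines under `pod.security_context.test.container`, which is `helm_test`, so the lookup for the test container's security context finds no entry and the intended `readOnlyRootFilesystem: false` is not applied (whether a missing key renders as an empty context or fails the template depends on the helm-toolkit snippet, which is outside this diff). Either change the include to `"container" "helm_test"` or rename the values key to `helm_tests`; the image include on the line above already uses `helm_tests`, so aligning values on that name keeps the two consistent.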
@@ -92,9 +93,7 @@ spec:
 - name: memory-map-increase
 {{ tuple $envAll "memory_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.data | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "data" "container" "memory_map_increase" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - sysctl
 - -w
@@ -103,12 +102,7 @@ spec:
 - name: elasticsearch-data
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.data | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- capabilities:
- add:
- - IPC_LOCK
- - SYS_RESOURCE
+{{ dict "envAll" $envAll "application" "data" "container" "elasticsearch_data" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/elasticsearch.sh
 - start
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index fa74c74e7..2a0e9586b 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -117,13 +117,75 @@ pod:
 elasticsearch-client:
 elasticsearch-client: localhost/docker-default
 security_context:
- elasticsearch_exporter:
+ exporter:
 pod:
 runAsUser: 99
 container:
 elasticsearch_exporter:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ client:
+ pod:
+ runAsUser: 0
+ container:
+ memory_map_increase:
+ privileged: true
+ readOnlyRootFilesystem: false
+ apache_proxy:
+ readOnlyRootFilesystem: false
+ elasticsearch_client:
+ privileged: true
+ capabilities:
+ add:
+ - IPC_LOCK
+ - SYS_RESOURCE
+ readOnlyRootFilesystem: false
+ master:
+ pod:
+ runAsUser: 0
+ container:
+ memory_map_increase:
+ privileged: true
+ readOnlyRootFilesystem: false
+ elasticsearch_master:
+ privileged: true
+ capabilities:
+ add:
+ - IPC_LOCK
+ - SYS_RESOURCE
+ readOnlyRootFilesystem: false
+ es_cluster_wait:
+ pod:
+ runAsUser: 0
+ container:
+ elasticsearch_cluster_wait:
+ readOnlyRootFilesystem: false
+ snapshot_repository:
+ pod:
+ runAsUser: 0
+ container:
+ register_snapshot_repository:
+ readOnlyRootFilesystem: false
+ test:
+ pod:
+ runAsUser: 0
+ container:
+ helm_test:
+ readOnlyRootFilesystem: false
+ data:
+ pod:
+ runAsUser: 0
+ container:
+ memory_map_increase:
+ privileged: true
+ readOnlyRootFilesystem: false
+ elasticsearch_data:
+ privileged: true
+ capabilities:
+ add:
+ - IPC_LOCK
+ - SYS_RESOURCE
+ readOnlyRootFilesystem: false
 affinity:
 anti:
 type:
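Review bot: `privileged: true` on the new `elasticsearch_client`, `elasticsearch_master` and `elasticsearch_data` container blocks makes the accompanying `capabilities.add` list of `IPC_LOCK` and `SYS_RESOURCE` redundant, because a privileged container already holds every capability; the pairing is carried over from the removed inline contexts, but now that it is a tunable default the intent should be stated. If memory locking and resource limits are what those two capabilities are there for, dropping `privileged: true` from the three blocks and keeping only the capability adds is a far smaller grant, and a comment above `elasticsearch_client:` such as `# privileged is not needed for IPC_LOCK/SYS_RESOURCE; kept only for <reason>` would document whichever choice is made. The non-privileged blocks (`apache_proxy`, `elasticsearch_cluster_wait`, `register_snapshot_repository`, `helm_test`) would also benefit from `allowPrivilegeEscalation: false`, which the existing `elasticsearch_exporter` block already sets; that field cannot be false on a privileged container, so add it only to the non-privileged ones.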