Elastic search: running with the root UID is forbidden

I am trying to install Elasticsearch in my AKS cluster and it is failing.

I have followed the below steps:

root@developer1:~/elasticsearch# git clone https://github.com/elastic/helm-charts.git
Cloning into 'helm-charts'...
remote: Enumerating objects: 23913, done.
remote: Counting objects: 100% (494/494), done.
remote: Compressing objects: 100% (230/230), done.
remote: Total 23913 (delta 270), reused 426 (delta 233), pack-reused 23419
Receiving objects: 100% (23913/23913), 4.68 MiB | 24.59 MiB/s, done.
Resolving deltas: 100% (15805/15805), done.
root@developer1:~/elasticsearch/helm-charts(main)# cd elasticsearch/
root@developer1:~/elasticsearch/helm-charts/elasticsearch(main)# ls
Chart.yaml  Makefile  README.md  examples  templates  tests  values.yaml
root@developer1:~/elasticsearch/helm-charts/elasticsearch(main)# helm install   elasticsearch --set imageTag=8.5.1 ./
NAME: elasticsearch
LAST DEPLOYED: Fri Dec 30 14:08:33 2022
NAMESPACE: test-sugarcrm
STATUS: deployed
REVISION: 1
NOTES:
1. Watch all cluster members come up.
  $ kubectl get pods --namespace=test-sugarcrm -l app=elasticsearch-master -w
2. Retrieve elastic user's password.
  $ kubectl get secrets --namespace=test-sugarcrm elasticsearch-master-credentials -ojsonpath='{.data.password}' | base64 -d
3. Test cluster health using Helm test.
  $ helm --namespace=test-sugarcrm test elasticsearch

After this, the pod was not coming up, and I checked the events, which gave the errors below:

0s Warning FailedCreate statefulset/elasticsearch-master create Pod elasticsearch-master-0 in StatefulSet elasticsearch-master failed error: pods "elasticsearch-master-0" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: running with the root UID is forbidden spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

Some security policies are not allowing me to run the default Helm configuration. So I changed templates/statefulset.yaml as below and upgraded the Helm chart:

securityContext:
  runAsUser: 1000
  privileged: false

Now the pods started showing up but not Ready at all.

NAME                        READY   STATUS    RESTARTS      AGE
elasticsearch-master-0      0/1     Pending   0             3s
elasticsearch-master-1      0/1     Pending   0             3s
elasticsearch-master-2      0/1     Pending   0             3s

From the events, it is clear that the readiness probe fails continuously after the change in statefulset.yaml and the pods never get to the Ready state.

0s Warning Unhealthy pod/elasticsearch-master-1 Readiness probe failed: Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )...

Can someone guide me on how to proceed? I need to ensure that, without any compromise to security, I am able to get the ES cluster up and running.
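
As an added example (not part of the original post and not code from the Elastic chart), a Python pre-flight check that reports the two conditions named in the PodSecurityPolicy error above, privileged containers and UID 0, using the same field paths as the admission message. The pod spec is constructed sample data with placeholder names, the function names are hypothetical, and the check goes one step further by flagging containers that pin no UID at all.

```python
"""Pre-flight check for privileged / UID 0 containers in a pod spec."""

def effective_security(pod_spec, container):
    """Merge pod-level and container-level securityContext; container wins."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {
        "privileged": ctr_sc.get("privileged", False),  # container-only field
        "runAsUser": ctr_sc.get("runAsUser", pod_sc.get("runAsUser")),
        "runAsNonRoot": ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")),
    }

def find_violations(pod_spec):
    """Return (field_path, reason) tuples, init containers included."""
    violations = []
    for kind in ("initContainers", "containers"):
        for i, ctr in enumerate(pod_spec.get(kind) or []):
            sc = effective_security(pod_spec, ctr)
            base = f"spec.{kind}[{i}].securityContext"
            if sc["privileged"]:
                violations.append((f"{base}.privileged", "privileged container"))
            if sc["runAsUser"] == 0:
                violations.append((f"{base}.runAsUser", "runs as UID 0"))
            elif sc["runAsUser"] is None and not sc["runAsNonRoot"]:
                # No UID pinned and no runAsNonRoot: the image default may be root.
                violations.append((f"{base}.runAsUser", "UID not pinned"))
    return violations

# Constructed pod spec: names and images are placeholders, not the chart's template.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
    "initContainers": [
        {"name": "init-example", "image": "example/init:1",
         "securityContext": {"privileged": True, "runAsUser": 0}},
    ],
    "containers": [
        {"name": "app-example", "image": "example/app:1",
         "securityContext": {"runAsNonRoot": True}},
    ],
}

if __name__ == "__main__":
    for path, reason in find_violations(SAMPLE_POD_SPEC):
        print(f"{path}: {reason}")
```

The same function can be run over the `spec.template.spec` object from `kubectl get statefulset elasticsearch-master -o json` to see which containers a restrictive policy would reject before the pods are created.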

I have resolved the issue.


Hi @gopublog Welcome to the community and thanks for posting your solution, very helpful!
