Support for ECK with a PSP

NerdSec · September 22, 2020, 1:11pm

So, I have not created a cluster role as such, I simply allowed the default serviceaccount the use permission for my z-privileged PSP. The deployment happened and I can see the pods use the privileged PSP.

The PSP you shared, is similar to the restricted PSP available on my cluster. Using that PSP, the pod is not allowed to load.

Labels:       common.k8s.elastic.co/type=elasticsearch
              controller-revision-hash=brb-es-default-fffd7cb5b
              elasticsearch.k8s.elastic.co/cluster-name=brb
              elasticsearch.k8s.elastic.co/config-hash=1841883488
              elasticsearch.k8s.elastic.co/http-scheme=https
              elasticsearch.k8s.elastic.co/node-data=true
              elasticsearch.k8s.elastic.co/node-ingest=true
              elasticsearch.k8s.elastic.co/node-master=true
              elasticsearch.k8s.elastic.co/node-ml=true
              elasticsearch.k8s.elastic.co/statefulset-name=brb-es-default
              elasticsearch.k8s.elastic.co/version=7.9.1
              statefulset.kubernetes.io/pod-name=brb-es-default-0
Annotations:  cni.projectcalico.org/podIP: 192.168.193.59/32
              cni.projectcalico.org/podIPs: 192.168.193.59/32
              co.elastic.logs/module: elasticsearch
              container.apparmor.security.beta.kubernetes.io/elastic-internal-init-filesystem: runtime/default
              container.apparmor.security.beta.kubernetes.io/elasticsearch: runtime/default
              kubernetes.io/psp: elastic.restricted
              seccomp.security.alpha.kubernetes.io/pod: runtime/default

Events:

Events:
  Type     Reason     Age                            From                    Message
  ----     ------     ----                           ----                    -------
  Normal   Scheduled  30s                            default-scheduler       Successfully assigned elastic/cdc-es-default-0 to sidcirmkube02
  Normal   Pulled     <invalid>                      kubelet, sidcirmkube02  Successfully pulled image "docker.elastic.co/elasticsearch/elasticsearch:7.9.1" in 4.951464499s
  Normal   Pulled     <invalid>                      kubelet, sidcirmkube02  Successfully pulled image "docker.elastic.co/elasticsearch/elasticsearch:7.9.1" in 3.733738989s
  Normal   Pulling    <invalid> (x3 over <invalid>)  kubelet, sidcirmkube02  Pulling image "docker.elastic.co/elasticsearch/elasticsearch:7.9.1"
  Warning  Failed     <invalid> (x3 over <invalid>)  kubelet, sidcirmkube02  Error: container has runAsNonRoot and image will run as root
  Normal   Pulled     <invalid>                      kubelet, sidcirmkube02  Successfully pulled image "docker.elastic.co/elasticsearch/elasticsearch:7.9.1" in 3.52929003s

Is there a different image being used over here in the E2E environment?

Topic		Replies	Views
ECK - can we run ECK operator in privileged mode Elastic Cloud on Kubernetes (ECK)	3	580	November 4, 2022
Quickstart ECK SecurityContext.RunAsUser is forbidden Elasticsearch	1	634	December 3, 2019
PodSecurityPolicy issue with ECK Operator 2.6.1 Elastic Cloud on Kubernetes (ECK)	1	385	March 6, 2023
Cannot deploy ECK 2.7.0 with PSP Elastic Cloud on Kubernetes (ECK)	4	359	May 25, 2023
ECK 1.0.0-beta1 doesn't start pod Elastic Cloud on Kubernetes (ECK)	3	1416	November 4, 2022

Support for ECK with a PSP

Related topics