Make ES work with ECK 2.16.0 by setting the appropriate security cont…

…exts. Starting with the new version, ECK will apply security contexts if unset. These contexts prevent our (customized) init containers from starting.
tigera · Dec 28, 2024 · 44ead30 · 44ead30
1 parent 9856e42
commit 44ead30
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 75 deletions.
diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go
@@ -406,44 +406,46 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec {
 		SecurityContext: securitycontext.NewRootContext(true),
 	}
 
-	initContainers := []corev1.Container{initOSSettingsContainer}
-	annotations := es.cfg.TrustedBundle.HashAnnotations()
-	annotations[ElasticsearchTLSHashAnnotation] = rmeta.SecretsAnnotationHash(es.cfg.ElasticsearchUserSecret)
-	annotations[es.cfg.ElasticsearchKeyPair.HashAnnotationKey()] = es.cfg.ElasticsearchKeyPair.HashAnnotationValue()
+	initFSContainer := corev1.Container{
+		Name:            "elastic-internal-init-filesystem",
+		Image:           es.esImage,
+		ImagePullPolicy: ImagePullPolicy(),
+		Resources: corev1.ResourceRequirements{
+			Limits: corev1.ResourceList{
+				"cpu":    resource.MustParse("100m"),
+				"memory": resource.MustParse("50Mi"),
+			},
+			Requests: corev1.ResourceList{
+				"cpu":    resource.MustParse("100m"),
+				"memory": resource.MustParse("50Mi"),
+			},
+		},
+		// Without a root context, it is not able to ln and chown.
+		SecurityContext: securitycontext.NewRootContext(true),
+	}
 
-	var volumes []corev1.Volume
+	suspendContainer := corev1.Container{
+		Name:            "elastic-internal-suspend",
+		Image:           es.esImage,
+		ImagePullPolicy: ImagePullPolicy(),
+		// Without a root context, it is not able to start.
+		SecurityContext: securitycontext.NewRootContext(true),
+	}
+	initContainers := []corev1.Container{initOSSettingsContainer, initFSContainer, suspendContainer}
 
+	var volumes []corev1.Volume
 	var autoMountToken bool
+	// If certificate management is used, we need to override a mounting options for this init container.
 	if es.cfg.Installation.CertificateManagement != nil {
-		// If certificate management is used, we need to override a mounting options for this init container.
-		initFSName := "elastic-internal-init-filesystem"
-		initFSContainer := corev1.Container{
-			Name:            initFSName,
-			Image:           es.esImage,
-			ImagePullPolicy: ImagePullPolicy(),
-			Command:         []string{"bash", "-c", "mkdir /mnt/elastic-internal/transport-certificates/ && touch /mnt/elastic-internal/transport-certificates/$HOSTNAME.tls.key && /mnt/elastic-internal/scripts/prepare-fs.sh"},
-			Resources: corev1.ResourceRequirements{
-				Limits: corev1.ResourceList{
-					"cpu":    resource.MustParse("100m"),
-					"memory": resource.MustParse("50Mi"),
-				},
-				Requests: corev1.ResourceList{
-					"cpu":    resource.MustParse("100m"),
-					"memory": resource.MustParse("50Mi"),
-				},
-			},
-			// Without a root context, it is not able to ln and chown.
-			SecurityContext: securitycontext.NewRootContext(true),
-			VolumeMounts: []corev1.VolumeMount{
-				// Create transport mount, such that ECK will not auto-fill this with a secret volume.
-				{
-					Name:      CSRVolumeNameTransport,
-					MountPath: "/csr",
-					ReadOnly:  false,
-				},
+		initFSContainer.Command = []string{"bash", "-c", "mkdir /mnt/elastic-internal/transport-certificates/ && touch /mnt/elastic-internal/transport-certificates/$HOSTNAME.tls.key && /mnt/elastic-internal/scripts/prepare-fs.sh"}
+		initFSContainer.VolumeMounts = []corev1.VolumeMount{
+			// Create transport mount, such that ECK will not auto-fill this with a secret volume.
+			{
+				Name:      CSRVolumeNameTransport,
+				MountPath: "/csr",
+				ReadOnly:  false,
 			},
 		}
-
 		csrInitContainerHTTP := es.cfg.ElasticsearchKeyPair.InitContainer(ElasticsearchNamespace)
 		csrInitContainerHTTP.Name = "key-cert-elastic"
 		csrInitContainerHTTP.VolumeMounts[0].Name = CSRVolumeNameHTTP
@@ -465,7 +467,6 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec {
 
 		initContainers = append(
 			initContainers,
-			initFSContainer,
 			csrInitContainerHTTP,
 			csrInitContainerTransport)
 
@@ -512,6 +513,10 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec {
 		tolerations = append(tolerations, rmeta.TolerateGKEARM64NoSchedule)
 	}
 
+	annotations := es.cfg.TrustedBundle.HashAnnotations()
+	annotations[ElasticsearchTLSHashAnnotation] = rmeta.SecretsAnnotationHash(es.cfg.ElasticsearchUserSecret)
+	annotations[es.cfg.ElasticsearchKeyPair.HashAnnotationKey()] = es.cfg.ElasticsearchKeyPair.HashAnnotationValue()
+
 	podTemplate := corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: annotations,

diff --git a/pkg/render/logstorage/eck/eck.go b/pkg/render/logstorage/eck/eck.go
@@ -147,17 +147,17 @@ func (e *eck) operatorClusterRole() *rbacv1.ClusterRole {
 		},
 		{
 			APIGroups: []string{""},
-			Resources: []string{"pods", "endpoints", "events", "persistentvolumeclaims", "secrets", "services", "configmaps", "serviceaccounts"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Resources: []string{"endpoints"},
+			Verbs:     []string{"get", "list", "watch"},
 		},
 		{
-			APIGroups: []string{"apps"},
-			Resources: []string{"deployments", "statefulsets", "daemonsets"},
+			APIGroups: []string{""},
+			Resources: []string{"pods", "events", "persistentvolumeclaims", "secrets", "services", "configmaps"},
 			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 		},
 		{
-			APIGroups: []string{"batch"},
-			Resources: []string{"cronjobs"},
+			APIGroups: []string{"apps"},
+			Resources: []string{"deployments", "statefulsets", "daemonsets"},
 			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 		},
 		{
@@ -167,59 +167,69 @@ func (e *eck) operatorClusterRole() *rbacv1.ClusterRole {
 		},
 		{
 			APIGroups: []string{"elasticsearch.k8s.elastic.co"},
-			Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers", "enterpriselicenses", "enterpriselicenses/status"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"autoscaling.k8s.elastic.co"},
 			Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"kibana.k8s.elastic.co"},
 			Resources: []string{"kibanas", "kibanas/status", "kibanas/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"apm.k8s.elastic.co"},
 			Resources: []string{"apmservers", "apmservers/status", "apmservers/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"enterprisesearch.k8s.elastic.co"},
 			Resources: []string{"enterprisesearches", "enterprisesearches/status", "enterprisesearches/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"beat.k8s.elastic.co"},
 			Resources: []string{"beats", "beats/status", "beats/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"agent.k8s.elastic.co"},
 			Resources: []string{"agents", "agents/status", "agents/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"maps.k8s.elastic.co"},
 			Resources: []string{"elasticmapsservers", "elasticmapsservers/status", "elasticmapsservers/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
 			APIGroups: []string{"stackconfigpolicy.k8s.elastic.co"},
 			Resources: []string{"stackconfigpolicies", "stackconfigpolicies/status", "stackconfigpolicies/finalizers"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
-			APIGroups: []string{"associations.k8s.elastic.co"},
-			Resources: []string{"apmserverelasticsearchassociations", "apmserverelasticsearchassociations/status"},
-			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+			APIGroups: []string{"logstash.k8s.elastic.co"},
+			Resources: []string{"logstashes", "logstashes/status", "logstashes/finalizers"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 		},
 		{
-			APIGroups: []string{"autoscaling.k8s.elastic.co"},
-			Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"},
+			APIGroups: []string{"storage.k8s.io"},
+			Resources: []string{"storageclasses"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"admissionregistration.k8s.io"},
+			Resources: []string{"validatingwebhookconfigurations"},
 			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"nodes"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
 	}
 
 	if e.cfg.Installation.KubernetesProvider.IsOpenShift() {

diff --git a/pkg/render/logstorage/eck/eck_test.go b/pkg/render/logstorage/eck/eck_test.go
@@ -28,6 +28,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/render"
 	rtest "github.com/tigera/operator/pkg/render/common/test"
@@ -148,17 +149,17 @@ var _ = Describe("ECK rendering tests", func() {
 				},
 				{
 					APIGroups: []string{""},
-					Resources: []string{"pods", "endpoints", "events", "persistentvolumeclaims", "secrets", "services", "configmaps", "serviceaccounts"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Resources: []string{"endpoints"},
+					Verbs:     []string{"get", "list", "watch"},
 				},
 				{
-					APIGroups: []string{"apps"},
-					Resources: []string{"deployments", "statefulsets", "daemonsets"},
+					APIGroups: []string{""},
+					Resources: []string{"pods", "events", "persistentvolumeclaims", "secrets", "services", "configmaps"},
 					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 				},
 				{
-					APIGroups: []string{"batch"},
-					Resources: []string{"cronjobs"},
+					APIGroups: []string{"apps"},
+					Resources: []string{"deployments", "statefulsets", "daemonsets"},
 					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 				},
 				{
@@ -168,59 +169,69 @@ var _ = Describe("ECK rendering tests", func() {
 				},
 				{
 					APIGroups: []string{"elasticsearch.k8s.elastic.co"},
-					Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers", "enterpriselicenses", "enterpriselicenses/status"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"autoscaling.k8s.elastic.co"},
 					Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"kibana.k8s.elastic.co"},
 					Resources: []string{"kibanas", "kibanas/status", "kibanas/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"apm.k8s.elastic.co"},
 					Resources: []string{"apmservers", "apmservers/status", "apmservers/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"enterprisesearch.k8s.elastic.co"},
 					Resources: []string{"enterprisesearches", "enterprisesearches/status", "enterprisesearches/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"beat.k8s.elastic.co"},
 					Resources: []string{"beats", "beats/status", "beats/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"agent.k8s.elastic.co"},
 					Resources: []string{"agents", "agents/status", "agents/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"maps.k8s.elastic.co"},
 					Resources: []string{"elasticmapsservers", "elasticmapsservers/status", "elasticmapsservers/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
 					APIGroups: []string{"stackconfigpolicy.k8s.elastic.co"},
 					Resources: []string{"stackconfigpolicies", "stackconfigpolicies/status", "stackconfigpolicies/finalizers"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
-					APIGroups: []string{"associations.k8s.elastic.co"},
-					Resources: []string{"apmserverelasticsearchassociations", "apmserverelasticsearchassociations/status"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+					APIGroups: []string{"logstash.k8s.elastic.co"},
+					Resources: []string{"logstashes", "logstashes/status", "logstashes/finalizers"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
 				},
 				{
-					APIGroups: []string{"autoscaling.k8s.elastic.co"},
-					Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"},
+					APIGroups: []string{"storage.k8s.io"},
+					Resources: []string{"storageclasses"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"admissionregistration.k8s.io"},
+					Resources: []string{"validatingwebhookconfigurations"},
 					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 				},
+				{
+					APIGroups: []string{""},
+					Resources: []string{"nodes"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
 			}))
 		})