From 44ead3002cdff8f7b9428f6bd56efeedc43098af Mon Sep 17 00:00:00 2001
From: rene-dekker
Date: Fri, 27 Dec 2024 16:25:36 -0800
Subject: [PATCH] Make ES work with ECK 2.16.0 by setting the appropriate security contexts.

Starting with the new version, ECK will apply security contexts if unset. These contexts prevent our (customized) init containers from starting.
---
 pkg/render/logstorage.go | 71 ++++++++++++++-------------
 pkg/render/logstorage/eck/eck.go | 52 ++++++++++++--------
 pkg/render/logstorage/eck/eck_test.go | 53 ++++++++++++--------
 3 files changed, 101 insertions(+), 75 deletions(-)
diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go
index a740f52413..72b7701692 100644
--- a/pkg/render/logstorage.go
+++ b/pkg/render/logstorage.go
@@ -406,44 +406,46 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec { SecurityContext: securitycontext.NewRootContext(true), } - initContainers := []corev1.Container{initOSSettingsContainer} - annotations := es.cfg.TrustedBundle.HashAnnotations() - annotations[ElasticsearchTLSHashAnnotation] = rmeta.SecretsAnnotationHash(es.cfg.ElasticsearchUserSecret) - annotations[es.cfg.ElasticsearchKeyPair.HashAnnotationKey()] = es.cfg.ElasticsearchKeyPair.HashAnnotationValue() + initFSContainer := corev1.Container{ + Name: "elastic-internal-init-filesystem", + Image: es.esImage, + ImagePullPolicy: ImagePullPolicy(), + Resources: corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse("100m"), + "memory": resource.MustParse("50Mi"), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse("100m"), + "memory": resource.MustParse("50Mi"), + }, + }, + // Without a root context, it is not able to ln and chown. + SecurityContext: securitycontext.NewRootContext(true), + } - var volumes []corev1.Volume + suspendContainer := corev1.Container{ + Name: "elastic-internal-suspend", + Image: es.esImage, + ImagePullPolicy: ImagePullPolicy(), + // Without a root context, it is not able to start. + SecurityContext: securitycontext.NewRootContext(true), + } + initContainers := []corev1.Container{initOSSettingsContainer, initFSContainer, suspendContainer} + var volumes []corev1.Volume var autoMountToken bool + // If certificate management is used, we need to override a mounting options for this init container. if es.cfg.Installation.CertificateManagement != nil { - // If certificate management is used, we need to override a mounting options for this init container. 
- initFSName := "elastic-internal-init-filesystem" - initFSContainer := corev1.Container{ - Name: initFSName, - Image: es.esImage, - ImagePullPolicy: ImagePullPolicy(), - Command: []string{"bash", "-c", "mkdir /mnt/elastic-internal/transport-certificates/ && touch /mnt/elastic-internal/transport-certificates/$HOSTNAME.tls.key && /mnt/elastic-internal/scripts/prepare-fs.sh"}, - Resources: corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("50Mi"), - }, - Requests: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("50Mi"), - }, - }, - // Without a root context, it is not able to ln and chown. - SecurityContext: securitycontext.NewRootContext(true), - VolumeMounts: []corev1.VolumeMount{ - // Create transport mount, such that ECK will not auto-fill this with a secret volume. - { - Name: CSRVolumeNameTransport, - MountPath: "/csr", - ReadOnly: false, - }, + initFSContainer.Command = []string{"bash", "-c", "mkdir /mnt/elastic-internal/transport-certificates/ && touch /mnt/elastic-internal/transport-certificates/$HOSTNAME.tls.key && /mnt/elastic-internal/scripts/prepare-fs.sh"} + initFSContainer.VolumeMounts = []corev1.VolumeMount{ + // Create transport mount, such that ECK will not auto-fill this with a secret volume. + { + Name: CSRVolumeNameTransport, + MountPath: "/csr", + ReadOnly: false, }, } - csrInitContainerHTTP := es.cfg.ElasticsearchKeyPair.InitContainer(ElasticsearchNamespace) csrInitContainerHTTP.Name = "key-cert-elastic" csrInitContainerHTTP.VolumeMounts[0].Name = CSRVolumeNameHTTP @@ -465,7 +467,6 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec { initContainers = append( initContainers, - initFSContainer, csrInitContainerHTTP, csrInitContainerTransport) 
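Review bot: `suspendContainer` and the now always-present `initFSContainer` are given `securitycontext.NewRootContext(true)` unconditionally, and the comments on them ("not able to start", "not able to ln and chown") do not say which operation or file ownership actually requires root, so a later reader cannot judge whether a narrower context would suffice. Since the commit message says ECK 2.16.0 applies its own context when none is set, this replaces ECK's default with root on two ECK-managed init containers of every Elasticsearch pod, not only in the certificate-management path as before; that widening should be recorded on each container, e.g. `// ECK 2.16.0 applies its own security context to this init container when none is set; root is required here because <observed reason>.` The code also appears to rely on ECK merging the partially specified `initFSContainer` (no Command or VolumeMounts outside the cert-management branch) with its own definition by container name, and on the bool argument to `NewRootContext` whose meaning is not visible here; both assumptions deserve a one-line comment. podTemplate() starts and ends outside this hunk.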
@@ -512,6 +513,10 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec { tolerations = append(tolerations, rmeta.TolerateGKEARM64NoSchedule) } + annotations := es.cfg.TrustedBundle.HashAnnotations() + annotations[ElasticsearchTLSHashAnnotation] = rmeta.SecretsAnnotationHash(es.cfg.ElasticsearchUserSecret) + annotations[es.cfg.ElasticsearchKeyPair.HashAnnotationKey()] = es.cfg.ElasticsearchKeyPair.HashAnnotationValue() + podTemplate := corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Annotations: annotations, diff --git a/pkg/render/logstorage/eck/eck.go b/pkg/render/logstorage/eck/eck.go index 5f215f9b58..3c7c8aa085 100644 --- a/pkg/render/logstorage/eck/eck.go +++ b/pkg/render/logstorage/eck/eck.go @@ -147,17 +147,17 @@ func (e *eck) operatorClusterRole() *rbacv1.ClusterRole { }, { APIGroups: []string{""}, - Resources: []string{"pods", "endpoints", "events", "persistentvolumeclaims", "secrets", "services", "configmaps", "serviceaccounts"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Resources: []string{"endpoints"}, + Verbs: []string{"get", "list", "watch"}, }, { - APIGroups: []string{"apps"}, - Resources: []string{"deployments", "statefulsets", "daemonsets"}, + APIGroups: []string{""}, + Resources: []string{"pods", "events", "persistentvolumeclaims", "secrets", "services", "configmaps"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, { - APIGroups: []string{"batch"}, - Resources: []string{"cronjobs"}, + APIGroups: []string{"apps"}, + Resources: []string{"deployments", "statefulsets", "daemonsets"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, { 
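Review bot: The rewritten core rule in this hunk still grants `secrets` get/list/watch/create/update/patch/delete across the cluster while the commit narrows `endpoints` to read-only and drops `serviceaccounts` and `cronjobs`; the secrets grant is the most sensitive rule in this ClusterRole and the reason it is kept should live next to the rules rather than only in a commit message. A comment such as `// Mirrors the ClusterRole shipped with ECK 2.16.0; re-diff against upstream when bumping the ECK version.` at the top of the rule list would let future version bumps be reviewed as least-privilege diffs instead of wholesale rewrites. operatorClusterRole() starts before this hunk.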
@@ -167,59 +167,69 @@ func (e *eck) operatorClusterRole() *rbacv1.ClusterRole { }, { APIGroups: []string{"elasticsearch.k8s.elastic.co"}, - Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers", "enterpriselicenses", "enterpriselicenses/status"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"autoscaling.k8s.elastic.co"}, Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"kibana.k8s.elastic.co"}, Resources: []string{"kibanas", "kibanas/status", "kibanas/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"apm.k8s.elastic.co"}, Resources: []string{"apmservers", "apmservers/status", "apmservers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"enterprisesearch.k8s.elastic.co"}, Resources: []string{"enterprisesearches", "enterprisesearches/status", "enterprisesearches/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"beat.k8s.elastic.co"}, Resources: []string{"beats", "beats/status", "beats/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", 
"create", "update", "patch"}, }, { APIGroups: []string{"agent.k8s.elastic.co"}, Resources: []string{"agents", "agents/status", "agents/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"maps.k8s.elastic.co"}, Resources: []string{"elasticmapsservers", "elasticmapsservers/status", "elasticmapsservers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"stackconfigpolicy.k8s.elastic.co"}, Resources: []string{"stackconfigpolicies", "stackconfigpolicies/status", "stackconfigpolicies/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { - APIGroups: []string{"associations.k8s.elastic.co"}, - Resources: []string{"apmserverelasticsearchassociations", "apmserverelasticsearchassociations/status"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + APIGroups: []string{"logstash.k8s.elastic.co"}, + Resources: []string{"logstashes", "logstashes/status", "logstashes/finalizers"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { - APIGroups: []string{"autoscaling.k8s.elastic.co"}, - Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"}, + APIGroups: []string{"storage.k8s.io"}, + Resources: []string{"storageclasses"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"validatingwebhookconfigurations"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, + { + APIGroups: []string{""}, + Resources: []string{"nodes"}, + Verbs: []string{"get", "list", 
"watch"}, + }, } if e.cfg.Installation.KubernetesProvider.IsOpenShift() { diff --git a/pkg/render/logstorage/eck/eck_test.go b/pkg/render/logstorage/eck/eck_test.go index 9bcf1cc081..05148adad4 100644 --- a/pkg/render/logstorage/eck/eck_test.go +++ b/pkg/render/logstorage/eck/eck_test.go @@ -28,6 +28,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" v3 "github.com/tigera/api/pkg/apis/projectcalico/v3" + operatorv1 "github.com/tigera/operator/api/v1" "github.com/tigera/operator/pkg/render" rtest "github.com/tigera/operator/pkg/render/common/test" @@ -148,17 +149,17 @@ var _ = Describe("ECK rendering tests", func() { }, { APIGroups: []string{""}, - Resources: []string{"pods", "endpoints", "events", "persistentvolumeclaims", "secrets", "services", "configmaps", "serviceaccounts"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Resources: []string{"endpoints"}, + Verbs: []string{"get", "list", "watch"}, }, { - APIGroups: []string{"apps"}, - Resources: []string{"deployments", "statefulsets", "daemonsets"}, + APIGroups: []string{""}, + Resources: []string{"pods", "events", "persistentvolumeclaims", "secrets", "services", "configmaps"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, { - APIGroups: []string{"batch"}, - Resources: []string{"cronjobs"}, + APIGroups: []string{"apps"}, + Resources: []string{"deployments", "statefulsets", "daemonsets"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, { 
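Review bot: The new rule for `validatingwebhookconfigurations` in `admissionregistration.k8s.io` carries create/update/patch/delete, which allows the ECK service account to install or remove admission webhooks for the entire cluster; that is justified only if the ECK operator rendered by this package actually runs its webhook, which nothing in this hunk shows. If the webhook is disabled in the operator's configuration elsewhere, the rule should be dropped; otherwise document the dependency, e.g. `// ECK 2.16.0 manages its own validating webhook configuration; remove if the webhook is disabled.` The read-only `nodes` and `storageclasses` rules and the removal of `delete` from the Elastic CRD rules are the right direction; the same question applies to the mirrored rule in eck_test.go. operatorClusterRole() continues past this hunk with the OpenShift branch.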
@@ -168,59 +169,69 @@ var _ = Describe("ECK rendering tests", func() { }, { APIGroups: []string{"elasticsearch.k8s.elastic.co"}, - Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers", "enterpriselicenses", "enterpriselicenses/status"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Resources: []string{"elasticsearches", "elasticsearches/status", "elasticsearches/finalizers"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"autoscaling.k8s.elastic.co"}, Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"kibana.k8s.elastic.co"}, Resources: []string{"kibanas", "kibanas/status", "kibanas/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"apm.k8s.elastic.co"}, Resources: []string{"apmservers", "apmservers/status", "apmservers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"enterprisesearch.k8s.elastic.co"}, Resources: []string{"enterprisesearches", "enterprisesearches/status", "enterprisesearches/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"beat.k8s.elastic.co"}, Resources: []string{"beats", "beats/status", "beats/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", 
"update", "patch"}, }, { APIGroups: []string{"agent.k8s.elastic.co"}, Resources: []string{"agents", "agents/status", "agents/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"maps.k8s.elastic.co"}, Resources: []string{"elasticmapsservers", "elasticmapsservers/status", "elasticmapsservers/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { APIGroups: []string{"stackconfigpolicy.k8s.elastic.co"}, Resources: []string{"stackconfigpolicies", "stackconfigpolicies/status", "stackconfigpolicies/finalizers"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { - APIGroups: []string{"associations.k8s.elastic.co"}, - Resources: []string{"apmserverelasticsearchassociations", "apmserverelasticsearchassociations/status"}, - Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, + APIGroups: []string{"logstash.k8s.elastic.co"}, + Resources: []string{"logstashes", "logstashes/status", "logstashes/finalizers"}, + Verbs: []string{"get", "list", "watch", "create", "update", "patch"}, }, { - APIGroups: []string{"autoscaling.k8s.elastic.co"}, - Resources: []string{"elasticsearchautoscalers", "elasticsearchautoscalers/status", "elasticsearchautoscalers/finalizers"}, + APIGroups: []string{"storage.k8s.io"}, + Resources: []string{"storageclasses"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"validatingwebhookconfigurations"}, Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}, }, + { + APIGroups: []string{""}, + Resources: []string{"nodes"}, + Verbs: []string{"get", "list", "watch"}, + 
}, })) })