This repository has been archived by the owner on May 16, 2023. It is now read-only.

Merge pull request #140 from elastic/outta_the_group
Remove fsGroup from container level security context
Crazybus authored May 29, 2019
2 parents 97f0004 + 2408b21 commit 4d6d768
Showing 5 changed files with 1 addition and 8 deletions.
2 changes: 1 addition & 1 deletion filebeat/README.md
Expand Up @@ -55,7 +55,7 @@ helm install --name filebeat elastic/filebeat --version 7.1.0 --set imageTag=7.1
| `imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` |
| `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` |
| `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Filebeat pods | `{}` |
| `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Filebeat pod execution environment | `fsGroup: 1000`<br>`runAsUser: 0`<br>`privileged: false` |
| `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Filebeat pod execution environment | `runAsUser: 0`<br>`privileged: false` |
| `livenessProbe` | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `readinessProbe` | Parameters to pass to [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |
| `resources` | Allows you to set the [resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for the `DaemonSet` | `requests.cpu: 100m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 1000m`<br>`limits.memory: 200Mi` |
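Review bot: the `podSecurityContext` row still describes the value as configuring the "Filebeat pod execution environment" and links to the pod-level documentation, while filebeat_test.py in this same commit reads the rendered values from `containers[0]['securityContext']`. A container-level securityContext has no `fsGroup` field, which is the reason the default is dropped here, so the description should say that these keys are applied to the Filebeat container. Otherwise a reader following the row's wording will put pod-only fields such as `fsGroup` back through their own values file.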
2 changes: 0 additions & 2 deletions filebeat/tests/filebeat_test.py
Expand Up @@ -106,13 +106,11 @@ def test_setting_pod_security_context():
config = '''
podSecurityContext:
runAsUser: 1001
fsGroup: 1002
privileged: false
'''
r = helm_template(config)
c = r['daemonset'][name]['spec']['template']['spec']['containers'][0]
assert c['securityContext']['runAsUser'] == 1001
assert c['securityContext']['fsGroup'] == 1002
assert c['securityContext']['privileged'] == False

def test_adding_in_filebeat_config():
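Review bot: `test_setting_pod_security_context` loses its `fsGroup` assertion but gains nothing that keeps the field out of the container spec. Add a check that renders the chart without overrides and asserts `'fsGroup' not in c['securityContext']`, so that a later edit to values.yaml which reintroduces the key fails in this file. As a style point on the same test, the `privileged` assertion compares with `== False`; `is False` states the intent more precisely.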
2 changes: 0 additions & 2 deletions filebeat/values.yaml
Expand Up @@ -58,11 +58,9 @@ podAnnotations: {}

# Various pod security context settings. Bear in mind that many of these have an impact on Filebeat functioning properly.
#
# - Filesystem group for the Filebeat user. The official elastic docker images always have an id of 1000.
# - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
# - Whether to execute the Filebeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift.
podSecurityContext:
fsGroup: 1000
runAsUser: 0
privileged: false

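Review bot: in the comment block above `podSecurityContext`, the `privileged` bullet reads "Typically not necessarily unless running within environments such as OpenShift"; since the neighbouring bullet is being deleted in this change anyway, correct it to "not necessary" at the same time. The block also still opens with "Various pod security context settings" and gives no reason why `fsGroup` is no longer listed. One added comment line saying that these values end up in the container's securityContext, where `fsGroup` is not a valid field, would stop users with an existing override from assuming the key still takes effect.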
2 changes: 0 additions & 2 deletions kibana/tests/kibana_test.py
Expand Up @@ -186,11 +186,9 @@ def test_setting_pod_security_context():
config = '''
podSecurityContext:
runAsUser: 1001
fsGroup: 1002
'''
r = helm_template(config)
assert r['deployment'][name]['spec']['template']['spec']['securityContext']['runAsUser'] == 1001
assert r['deployment'][name]['spec']['template']['spec']['securityContext']['fsGroup'] == 1002

def test_adding_in_kibana_config():
config = '''
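Review bot: the assertions in this test read from `['spec']['template']['spec']['securityContext']`, which is the pod-level security context, not a container-level one. `fsGroup` is a valid field at that level, so removing the `fsGroup: 1002` input and its assertion does not match the commit's stated purpose ("Remove fsGroup from container level security context") and only reduces coverage of a setting Kibana users can still legitimately pass. Keep the `fsGroup` case in the Kibana test, or explain in the commit message why it is dropped for this chart as well.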
1 change: 0 additions & 1 deletion kibana/values.yaml
Expand Up @@ -46,7 +46,6 @@ kibanaConfig: {}
# If Pod Security Policy in use it may be required to specify security context as well as service account
podSecurityContext: {}
#runAsUser: "place the user id here"
#fsGroup: "place the group id here"

serviceAccount: ""

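Review bot: the hint that remains, `#runAsUser: "place the user id here"`, shows a quoted string, but `runAsUser` is an integer field and kibana_test.py sets it as `runAsUser: 1001`; a user who uncomments the line and keeps the quotes gets a value the API rejects. Change the placeholder to an unquoted example id with the explanation in a trailing comment. The deleted `#fsGroup` hint is also worth restoring in the same form, because kibana_test.py shows this chart rendering `podSecurityContext` at pod level, where `fsGroup` is accepted.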
