diff --git a/kibana/README.md b/kibana/README.md
index 2d2415922..a24c2260b 100644
--- a/kibana/README.md
+++ b/kibana/README.md
@@ -52,7 +52,8 @@ helm install --name kibana elastic/kibana --version 7.1.1 --set imageTag=7.1.1
 | `protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `server.ssl.enabled: true` set | `http` |
 | `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready | `/app/kibana` |
 | `kibanaConfig` | Allows you to add any config files in `/usr/share/kibana/config/` such as `kibana.yml`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
-| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `{}` |
+| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 2000` |
+| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`
`runAsNonRoot: true`
`runAsUser: 1000` | | `serviceAccount` | Allows you to overwrite the "default" [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pod | `[]` | | `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `` | | `antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Kibana instances from running on the same Kubernetes node | `kubernetes.io/hostname` | diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml index 52a473d67..af608ce1d 100644 --- a/kibana/templates/deployment.yaml +++ b/kibana/templates/deployment.yaml @@ -27,10 +27,8 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} -{{- if .Values.podSecurityContext }} securityContext: {{ toYaml .Values.podSecurityContext | indent 8 }} -{{- end }} {{- if .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} {{- end }} @@ -63,6 +61,8 @@ spec: {{- end }} containers: - name: kibana + securityContext: +{{ toYaml .Values.securityContext | indent 10 }} image: "{{ .Values.image }}:{{ .Values.imageTag }}" env: {{- if .Values.elasticsearchURL }} @@ -78,7 +78,7 @@ spec: readinessProbe: {{ toYaml .Values.readinessProbe | indent 10 }} exec: - command: + command: - sh - -c - | @@ -93,7 +93,7 @@ spec: curl -k "$@" "{{ .Values.protocol }}://localhost:{{ .Values.httpPort }}${path}" } - + http "{{ .Values.healthCheckPath }}" ports: - containerPort: {{ .Values.httpPort }} diff --git a/kibana/values.yaml b/kibana/values.yaml index 6cf1bb47e..ba8fe42a6 100755 --- a/kibana/values.yaml +++ b/kibana/values.yaml 
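Review bot: The container-level `securityContext:` added in the `@@ -63,6 +61,8 @@` hunk, and the pod-level one whose `{{- if .Values.podSecurityContext }}` guard the `@@ -27,10 +27,8 @@` hunk removes, are now rendered on every install, so an operator who wants the image's own defaults has to set the value to `{}` rather than omit it. That is a defensible choice for a hardened default, but it differs from the neighbouring `priorityClassName` and `serviceAccount` stanzas, which keep their `{{- if }}` guards, and nothing in the template records the intent. A template comment above each block, such as `{{/* securityContext is always rendered; set the value to {} to fall back to the image defaults */}}`, would make the asymmetry deliberate; alternatively keep the guards for symmetry with the rest of the file. I have not verified from this diff what `toYaml` renders for a `null` override, so if `securityContext:` left empty in a values override is expected to work, that case is worth a quick render check.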
@@ -44,8 +44,17 @@ kibanaConfig: {} # nestedkey: value # If Pod Security Policy in use it may be required to specify security context as well as service account -podSecurityContext: {} - #runAsUser: "place the user id here" + +podSecurityContext: + fsGroup: 1000 + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 serviceAccount: ""
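Review bot: The new `fsGroup: 1000` default under `podSecurityContext` disagrees with the README hunk in this same commit, which documents the default as `fsGroup: 2000`; one of the two should change so the parameter table matches the shipped value. The comment kept above the block, `# If Pod Security Policy in use it may be required to specify security context as well as service account`, now reads as if both contexts were optional, while this hunk sets them by default and deployment.yaml renders them unconditionally, so rewording it along the lines of `# Pod and container security contexts are always rendered; adjust them to match any Pod Security Policy in use, together with serviceAccount` would be clearer. `readOnlyRootFilesystem: true` is left commented out with no reason given; a short note such as `# off by default: verify which paths Kibana writes to at startup before enabling` would tell the next reader whether it is safe to turn on, since I cannot confirm the write paths from this diff. The `runAsUser: 1000` / `fsGroup: 1000` pair presumably matches the uid the Kibana image runs as; stating that coupling in a comment, e.g. `# 1000 matches the kibana user in the image; keep in sync with imageTag`, would make it explicit.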