diff --git a/kibana/README.md b/kibana/README.md
index 2d2415922..a24c2260b 100644
--- a/kibana/README.md
+++ b/kibana/README.md
@@ -52,7 +52,8 @@ helm install --name kibana elastic/kibana --version 7.1.1 --set imageTag=7.1.1
| `protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `server.ssl.enabled: true` set | `http` |
| `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready | `/app/kibana` |
| `kibanaConfig` | Allows you to add any config files in `/usr/share/kibana/config/` such as `kibana.yml`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
-| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `{}` |
+| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 2000` |
+| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`
`runAsNonRoot: true`
`runAsUser: 1000` |
| `serviceAccount` | Allows you to overwrite the "default" [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pod | `[]` |
| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `` |
| `antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Kibana instances from running on the same Kubernetes node | `kubernetes.io/hostname` |
diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml
index 52a473d67..af608ce1d 100644
--- a/kibana/templates/deployment.yaml
+++ b/kibana/templates/deployment.yaml
@@ -27,10 +27,8 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
-{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
-{{- end }}
{{- if .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
@@ -63,6 +61,8 @@ spec:
{{- end }}
containers:
- name: kibana
+ securityContext:
+{{ toYaml .Values.securityContext | indent 10 }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
env:
{{- if .Values.elasticsearchURL }}
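Review bot: The container `securityContext` rendered by the new lines is driven by defaults that drop all capabilities and force `runAsNonRoot: true` / `runAsUser: 1000`, but nothing in the shipped defaults sets `allowPrivilegeEscalation: false`, which is the usual companion to `capabilities.drop: [ALL]` and is what restricted Pod Security Policies check for; suggest adding `allowPrivilegeEscalation: false` next to `runAsNonRoot: true` in the `securityContext` default. Like the pod-level block, this render has no guard, so an override of `securityContext: {}` yields an empty container securityContext rather than omitting the key — acceptable, but worth a one-line comment in values.yaml so operators know how to opt out. The container definition continues past the end of the hunk.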
@@ -78,7 +78,7 @@ spec:
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
exec:
- command:
+ command:
- sh
- -c
- |
@@ -93,7 +93,7 @@ spec:
curl -k "$@" "{{ .Values.protocol }}://localhost:{{ .Values.httpPort }}${path}"
}
-
+
http "{{ .Values.healthCheckPath }}"
ports:
- containerPort: {{ .Values.httpPort }}
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 6cf1bb47e..ba8fe42a6 100755
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -44,8 +44,17 @@ kibanaConfig: {}
# nestedkey: value
# If Pod Security Policy in use it may be required to specify security context as well as service account
-podSecurityContext: {}
- #runAsUser: "place the user id here"
+
+podSecurityContext:
+ fsGroup: 1000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
serviceAccount: ""