Set default SecurityContext for Elasticsearch. (#1072)

* Default Container Security Context For All Containers in Elasticsearch.

Signed-off-by: pritamdas99 <[email protected]>

* Update kernelSettings API and dashboard defaulter

Signed-off-by: raihankhan <[email protected]>

* Update Elasticsearch defaults

Signed-off-by: raihankhan <[email protected]>

* Re-format

Signed-off-by: raihankhan <[email protected]>

* Set default user for exporter container

Signed-off-by: raihankhan <[email protected]>

* Default disableSecurity to false.

Signed-off-by: pritamdas99 <[email protected]>

* Initialize kernelSettings if nil.

Signed-off-by: pritamdas99 <[email protected]>

* Refactor kernelSettings default function.

Signed-off-by: pritamdas99 <[email protected]>

---------

Signed-off-by: pritamdas99 <[email protected]>
Signed-off-by: raihankhan <[email protected]>
Co-authored-by: raihankhan <[email protected]>

apis/dashboard/v1alpha1/elasticsearchdashboard_webhook.go

@@ -24,11 +24,13 @@ import (
 	amv "kubedb.dev/apimachinery/pkg/validator"
 
 	"gomodules.xyz/pointer"
+	core "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	kmapi "kmodules.xyz/client-go/api/v1"
+	ofst "kmodules.xyz/offshoot-api/api/v1"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -70,6 +72,38 @@ func (ed *ElasticsearchDashboard) SetupWebhookWithManager(mgr manager.Manager) e
 
 var _ webhook.Defaulter = &ElasticsearchDashboard{}
 
+func (ed *ElasticsearchDashboard) setDefaultContainerSecurityContext(podTemplate *ofst.PodTemplateSpec) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.ContainerSecurityContext == nil {
+		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+	}
+	ed.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (ed *ElasticsearchDashboard) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = pointer.Int64P(1000)
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}
+
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (ed *ElasticsearchDashboard) Default() {
 	if ed.Spec.Replicas == nil {
@@ -85,6 +119,8 @@ func (ed *ElasticsearchDashboard) Default() {
 		edLog.Info(".Spec.TerminationPolicy have been set to TerminationPolicyWipeOut")
 	}
 
+	ed.setDefaultContainerSecurityContext(&ed.Spec.PodTemplate)
+
 	if ed.Spec.EnableSSL {
 		if ed.Spec.TLS == nil {
 			ed.Spec.TLS = &kmapi.TLSConfig{}

apis/kubedb/v1alpha2/elasticsearch_helpers.go

@@ -385,6 +385,38 @@ func (e Elasticsearch) StatsServiceLabels() map[string]string {
 	return e.ServiceLabels(StatsServiceAlias, map[string]string{LabelRole: RoleStats})
 }
 
+func (e Elasticsearch) setContainerSecurityContextDefaults(podTemplate *ofst.PodTemplateSpec) {
+	if podTemplate == nil {
+		return
+	}
+	if podTemplate.Spec.ContainerSecurityContext == nil {
+		podTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{}
+	}
+	e.assignDefaultContainerSecurityContext(podTemplate.Spec.ContainerSecurityContext)
+}
+
+func (e Elasticsearch) assignDefaultContainerSecurityContext(sc *core.SecurityContext) {
+	if sc.AllowPrivilegeEscalation == nil {
+		sc.AllowPrivilegeEscalation = pointer.BoolP(false)
+	}
+	if sc.Capabilities == nil {
+		sc.Capabilities = &core.Capabilities{
+			Drop: []core.Capability{"ALL"},
+		}
+	}
+	if sc.RunAsNonRoot == nil {
+		sc.RunAsNonRoot = pointer.BoolP(true)
+	}
+	if sc.RunAsUser == nil {
+		sc.RunAsUser = pointer.Int64P(1000)
+	}
+	if sc.SeccompProfile == nil {
+		sc.SeccompProfile = &core.SeccompProfile{
+			Type: core.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}
+
 func (e *Elasticsearch) SetDefaults(esVersion *catalog.ElasticsearchVersion, topology *core_util.Topology) {
 	if e == nil {
 		return
@@ -563,37 +595,44 @@ func (e *Elasticsearch) SetDefaults(esVersion *catalog.ElasticsearchVersion, top
 
 	// set default kernel settings
 	// -	Ref: https://www.elastic.co/guide/en/elasticsearch/reference/7.9/vm-max-map-count.html
+	// if kernelSettings defaults is enabled systls-init container will be injected with the default vm_map_count settings
+	// if not init container will not be injected and default values will not be set
 	if e.Spec.KernelSettings == nil {
 		e.Spec.KernelSettings = &KernelSettings{
-			Privileged: true,
-			Sysctls: []core.Sysctl{
-				{
-					Name:  "vm.max_map_count",
-					Value: "262144",
-				},
-			},
+			DisableDefaults: false,
 		}
 	}
-
-	if e.Spec.PodTemplate.Spec.ContainerSecurityContext == nil {
-		e.Spec.PodTemplate.Spec.ContainerSecurityContext = &core.SecurityContext{
-			Privileged: pointer.BoolP(false),
-			Capabilities: &core.Capabilities{
-				Add: []core.Capability{"IPC_LOCK", "SYS_RESOURCE"},
-			},
+	if !e.Spec.KernelSettings.DisableDefaults {
+		e.Spec.KernelSettings.Privileged = true
+		vmMapCountNotSet := true
+		if len(e.Spec.KernelSettings.Sysctls) != 0 {
+			for i := 0; i < len(e.Spec.KernelSettings.Sysctls); i++ {
+				if e.Spec.KernelSettings.Sysctls[i].Name == "vm.max_map_count" {
+					vmMapCountNotSet = false
+					break
+				}
+			}
+		}
+		if vmMapCountNotSet {
+			e.Spec.KernelSettings.Sysctls = append(e.Spec.KernelSettings.Sysctls, core.Sysctl{
+				Name:  "vm.max_map_count",
+				Value: "262144",
+			})
 		}
-	}
-
-	// Add default Elasticsearch UID
-	if e.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser == nil &&
-		esVersion.Spec.SecurityContext.RunAsUser != nil {
-		e.Spec.PodTemplate.Spec.ContainerSecurityContext.RunAsUser = esVersion.Spec.SecurityContext.RunAsUser
 	}
 
 	e.setDefaultAffinity(&e.Spec.PodTemplate, e.OffshootSelectors(), topology)
-	e.SetTLSDefaults(esVersion)
+	e.setContainerSecurityContextDefaults(&e.Spec.PodTemplate)
 	e.setDefaultInternalUsersAndRoleMappings(esVersion)
+	e.SetMetricsExporterDefaults()
+	e.SetTLSDefaults(esVersion)
+}
+
+func (e *Elasticsearch) SetMetricsExporterDefaults() {
 	e.Spec.Monitor.SetDefaults()
+	if e.Spec.Monitor != nil && e.Spec.Monitor.Prometheus != nil && e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser == nil {
+		e.Spec.Monitor.Prometheus.Exporter.SecurityContext.RunAsUser = pointer.Int64P(1000)
+	}
 }
 
 // setDefaultAffinity

apis/kubedb/v1alpha2/types.go

@@ -143,6 +143,8 @@ type NamedServiceTemplateSpec struct {
 }
 
 type KernelSettings struct {
+	// DisableDefaults can be set to false to avoid defaulting via mutator
+	DisableDefaults bool `json:"disableDefaults,omitempty"`
 	// Privileged specifies the status whether the init container
 	// requires privileged access to perform the following commands.
 	// +optional

crds/kubedb.com_elasticsearches.yaml

@@ -1018,6 +1018,8 @@ spec:
                 type: object
               kernelSettings:
                 properties:
+                  disableDefaults:
+                    type: boolean
                   privileged:
                     type: boolean
                   sysctls:

openapi/swagger.json

@@ -30925,6 +30925,10 @@
     "dev.kubedb.apimachinery.apis.kubedb.v1alpha2.KernelSettings": {
       "type": "object",
       "properties": {
+        "disableDefaults": {
+          "description": "DisableDefaults can be set to false to avoid defaulting via mutator",
+          "type": "boolean"
+        },
         "privileged": {
           "description": "Privileged specifies the status whether the init container requires privileged access to perform the following commands.",
           "type": "boolean"