adding securityContext/PSP support for Kibana #38
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?
Out of curiosity could you tell me why you need to be able to set these options? I'm mostly just curious since it is not something I have needed to do when running Kibana myself. And maybe this is something that could better be done by default if there is a more secure way to run Kibana in Kubernetes.
Apart from the requested changes I left inline, there are a few other missing pieces before this is mergeable.
1. Update the readme with the two new options you have added
2. Add a basic templating test to make sure that the templating rules work as expected and don't get broken by future changes.
3. Seems like you still need to sign the CLA agreement before I can accept any of these changes.
I can help you out if needed for number 2. I realise that we don't yet have a developer guide (you are the first contributor yay!). So I'll work on making sure that these steps are included as part of the readme and the pull request template.
I have several users in my cluster with special privileges. I want to enforce using the specific, unprivileged user for running services that do not require special permissions.
Done
Some help might be required here as I don't fully understand the script.
Done
👍
jenkins test this please
Thank you so much for adding this in and for explaining what the use case is! I'll add in the template testing in a separate PR and link it from here to show you how it looks.
Adding tests for pull request: #38
@mszumilak Here are the tests that I added #44
When Pod Security Policy is in use it might be required to specify serviceAccount as well as runAsUser and fsGroups for starting the pod. If the requested parameters are not specified, the pod cannot start.
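
How the three settings named in the description relate under a Pod Security Policy, as an added example that is not part of this pull request or of the chart: a policy that pins the UID and fsGroup, RBAC that grants `use` of that policy to a single service account, and a pod whose spec validates against it. Every object name, the `logging` namespace, the image placeholder and the value 1000 are assumptions.

```yaml
# Constructed example: names, namespace and UID/GID 1000 are assumptions.
apiVersion: policy/v1beta1   # PodSecurityPolicy API, removed in Kubernetes 1.25
kind: PodSecurityPolicy
metadata: {name: kibana-restricted}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser: {rule: MustRunAs, ranges: [{min: 1000, max: 1000}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1000, max: 1000}]}
  supplementalGroups: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  volumes: [configMap, secret, emptyDir, projected]
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: kibana, namespace: logging}
---
# Authorization to "use" a policy is checked for the requesting user
# and for the pod's service account; here only the kibana account gets it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: use-kibana-psp, namespace: logging}
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [kibana-restricted]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: kibana-use-psp, namespace: logging}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: use-kibana-psp}
subjects:
  - {kind: ServiceAccount, name: kibana, namespace: logging}
---
apiVersion: v1
kind: Pod
metadata: {name: kibana, namespace: logging}
spec:
  serviceAccountName: kibana      # selects the account bound to the policy
  securityContext:
    runAsUser: 1000               # inside the policy's runAsUser range
    fsGroup: 1000                 # inside the policy's fsGroup range
  containers:
    - name: kibana
      image: "KIBANA_IMAGE_PLACEHOLDER"   # placeholder, not a real image reference
      securityContext: {allowPrivilegeEscalation: false}
```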