kubernetes statefulset-controller privileged init containers for elasticsearch

11/12/2019

I'm trying to create an ElasticSearch stateful set (STS) with init containers to increase the worker nodes' vm.max_map_count=262144 and also the ulimit -n 65536.

However, some PodSecurityPolicy (PSP) is denying the escalation to privileged containers, from what I can tell.

Warning FailedCreate 1s (x12 over 11s) statefulset-controller create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

And there are in fact two PSPs in the cluster, privileged and unprivileged. Do I need to specify the privileged PSP in the STS somehow? Or a svc-acc?

The k8s server version is 1.9.8 - if it matters.

This is the STS (with some helm elements):

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-node
  namespace: {{ .Release.Namespace }}
  labels:
    component: elasticsearch
    role: node
spec:
  replicas: {{ .Values.replicas }}
  serviceName: elasticsearch-discovery
  selector:
    matchLabels:
      component: elasticsearch
      role: node
  template:
    metadata:
      namespace: {{ .Release.Namespace }}
      labels:
        component: elasticsearch
        role: node
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: component
                operator: In
                values:
                - elasticsearch
              - key: role
                operator: In
                values:
                - node
            topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 100
      securityContext:
        fsGroup: 1000
      initContainers:
        # To increase the default vm.max_map_count to 262144
      - name: increase-vm-max-map-count
        image: busybox
        command:
        - sysctl
        - -w
        - vm.max_map_count=262144
        securityContext:
          privileged: true
        # To increase the ulimit to 65536
      - name: increase-ulimit
        image: busybox
        command:
        - sh
        - -c
        - ulimit -n 65536
        securityContext:
          privileged: true
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:{{ .Values.global.version }}
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 9200
        - name: transport
          containerPort: 9300
        volumeMounts:
        # - name: storage
        #   mountPath: /data
        - name: config
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
          subPath: elasticsearch.yml
        resources:
{{ toYaml .Values.resources | indent 12 }}
        env:
        - name: ES_JAVA_OPTS
          value: {{ .Values.java.options }}
      volumes:
      - name: config
        configMap:
          name: elasticsearch-node

$ kubectl describe sts elasticsearch-node

Name:               elasticsearch-node
Namespace:          default
CreationTimestamp:  Tue, 12 Nov 2019 17:09:50 +0100
Selector:           component=elasticsearch,role=node
Labels:             component=elasticsearch
                    role=node
Annotations:        <none>
Replicas:           2 desired | 0 total
Update Strategy:    RollingUpdate
  Partition:        824638159384
Pods Status:        0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:  component=elasticsearch
           role=node
  Init Containers:
   increase-vm-max-map-count:
    Image:      busybox
    Port:       <none>
    Host Port:  <none>
    Command:
      sysctl
      -w
      vm.max_map_count=262144
    Environment:  <none>
    Mounts:       <none>
   increase-ulimit:
    Image:      busybox
    Port:       <none>
    Host Port:  <none>
    Command:
      sh
      -c
      ulimit -n 65536
    Environment:  <none>
    Mounts:       <none>
  Containers:
   elasticsearch:
    Image:       docker.elastic.co/elasticsearch/elasticsearch:7.3.2
    Ports:       9200/TCP, 9300/TCP
    Host Ports:  0/TCP, 0/TCP
    Limits:
      cpu:     1
      memory:  3Gi
    Requests:
      cpu:     250m
      memory:  2Gi
    Environment:
      ES_JAVA_OPTS:  -Xms2G -Xmx2G
    Mounts:
      /usr/share/elasticsearch/config/elasticsearch.yml from config (rw,path="elasticsearch.yml")
  Volumes:
   config:
    Type:       ConfigMap (a volume populated by a ConfigMap)
    Name:       elasticsearch-node
    Optional:   false
Volume Claims:  <none>
Events:
  Type     Reason        Age                From                    Message
  ----     ------        ----               ----                    -------
  Warning  FailedCreate  1s (x17 over 78s)  statefulset-controller  create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

Been staring at the PSP docs for some time now: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

-- Henkolicious
elasticsearch
kubernetes
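Added example, not part of the original post: the PSP admission controller picks a policy by checking which PSPs the pod's service account is authorized to `use`. Because the pod is created by the statefulset-controller rather than by the user running helm, the grant has to go to the pod's service account, and scoping it with a Role/RoleBinding (not a ClusterRoleBinding) keeps the privileged policy limited to this one service account in this one namespace. The PSP name `privileged-psp`, the service-account name and the namespace `default` are assumptions; the real PSP name comes from `kubectl get psp`.

```yaml
# Assumed names (constructed for this example): the cluster's privileged PSP is
# "privileged-psp" and the StatefulSet lives in the "default" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elasticsearch-node
  namespace: default
---
# Role restricted to a single PSP via resourceNames, so the grant cannot be
# widened to other policies by accident.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-node-use-psp
  namespace: default
rules:
- apiGroups: ["policy", "extensions"]   # "extensions" is where PSP lived in 1.9; "policy" on newer clusters
  resources: ["podsecuritypolicies"]
  resourceNames: ["privileged-psp"]
  verbs: ["use"]
---
# Bind only the dedicated service account, never the namespace "default" SA
# or the system:serviceaccounts group.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elasticsearch-node-use-psp
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: elasticsearch-node-use-psp
subjects:
- kind: ServiceAccount
  name: elasticsearch-node
  namespace: default
---
# Fragment of the StatefulSet pod template: point the pods at that service
# account so the admission controller evaluates its PSP grant.
spec:
  template:
    spec:
      serviceAccountName: elasticsearch-node
      automountServiceAccountToken: false   # the pods do not need API access
```

Verify the grant before redeploying with `kubectl auth can-i use podsecuritypolicy/privileged-psp --as=system:serviceaccount:default:elasticsearch-node`; it should answer `yes`, and the same check for the namespace's `default` service account should still answer `no`.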

0 Answers