Skip to content

Add seccompProfile #8770

Closed
nreisingercres wants to merge 4 commits intoelastic:mainfrom
nreisingercres:patch-1
Closed

Add seccompProfile #8770
nreisingercres wants to merge 4 commits intoelastic:mainfrom
nreisingercres:patch-1

Conversation

@nreisingercres
Copy link

@nreisingercres nreisingercres commented Jul 26, 2025

As mentioned in #7167, this is recommended for security reasons.
Before this change it is not possible to deploy on a cluster that is in restricted mode as there is not way to modify the securityContext on the initContainers that are automatically created.

If you would prefer, I can change it to allow the user to set the securityContext on those initcontainers instead of setting this as the default.

@prodsecmachine
Copy link
Collaborator

prodsecmachine commented Jul 26, 2025
edited
Loading

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

@botelastic botelastic bot added the triage label Jul 26, 2025
pebrc
pebrc reviewed Dec 30, 2025
View reviewed changes
Copy link
Collaborator

@pebrc pebrc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the very late response to your contribution.

I think

cloud-on-k8s/pkg/controller/kibana/securitycontext.go

Lines 13 to 23 in 93406ed

defaultSecurityContext = corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
corev1.Capability("ALL"),
},
},
Privileged: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(bool(true)),
RunAsUser: ptr.To(int64(defaultFSUser)),
RunAsGroup: ptr.To(int64(defaultFSGroup)),
should probably also be updated.

Any reason you did not include it?

pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
Privileged: ptr.To[bool](false),
ReadOnlyRootFilesystem: ptr.To[bool](false),
AllowPrivilegeEscalation: ptr.To[bool](false),
SeccompProfile: &corev1.SeccompProfile{
Copy link
Collaborator

@pebrc pebrc Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation seems off here and below.

pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
Copy link
Collaborator

@pebrc pebrc Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a test case for v8.8+

@pebrc pebrc added the >enhancement Enhancement of existing functionality label Dec 30, 2025
@botelastic botelastic bot removed the triage label Dec 30, 2025
@barkbay barkbay self-assigned this Jan 8, 2026
@barkbay
Copy link
Contributor

barkbay commented Jan 9, 2026

Closed in favor of #9012

@barkbay barkbay closed this Jan 9, 2026
@nreisingercres
Copy link
Author

nreisingercres commented Jan 26, 2026

Closed in favor of #9012

Thanks for picking up and finishing this. I didn't see the review come through a month ago.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pebrc pebrc pebrc left review comments

Assignees

@barkbay barkbay

Labels

>enhancement Enhancement of existing functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nreisingercres @prodsecmachine @barkbay @pebrc