From bcafa01a1fa0783891e12d0997207c3f1aae7329 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 8 Oct 2024 13:30:40 -0500 Subject: [PATCH 01/15] Add Kibana default security context Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 11 ++++++----- pkg/controller/kibana/pod.go | 2 ++ pkg/controller/kibana/securitycontext.go | 24 ++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 5 deletions(-) create mode 100644 pkg/controller/kibana/securitycontext.go diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index 0f8af3c6a3..e34e7f4c3f 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -11,6 +11,7 @@ import ( "testing" "github.com/go-test/deep" + "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" @@ -382,7 +383,7 @@ func TestDriverDeploymentParams(t *testing.T) { } if diff := deep.Equal(got, tt.want); diff != nil { - t.Error(diff) + t.Error(cmp.Diff(got, tt.want)) } }) } @@ -496,9 +497,7 @@ func expectedDeploymentParams() deployment.Params { ImagePullPolicy: corev1.PullIfNotPresent, Image: "my-image", Command: []string{"/usr/bin/env", "bash", "-c", InitConfigScript}, - SecurityContext: &corev1.SecurityContext{ - Privileged: &falseVal, - }, + SecurityContext: &defaultSecurityContext, Env: []corev1.EnvVar{ {Name: settings.EnvPodIP, Value: "", ValueFrom: &corev1.EnvVarSource{ FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "status.podIP"}, @@ -591,9 +590,11 @@ func expectedDeploymentParams() deployment.Params { }, }, }, - Resources: DefaultResources, + Resources: DefaultResources, + SecurityContext: &defaultSecurityContext, }}, AutomountServiceAccountToken: &falseVal, + SecurityContext: &defaultPodSecurityContext, }, }, } diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 1b59554f03..5437410deb 100644 
--- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -110,6 +110,8 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki WithDockerImage(kb.Spec.Image, container.ImageRepository(container.KibanaImage, v)). WithReadinessProbe(readinessProbe(kb.Spec.HTTP.TLS.Enabled(), kibanaBasePath)). WithPorts(ports). + WithContainersSecurityContext(defaultSecurityContext). + WithPodSecurityContext(defaultPodSecurityContext). WithInitContainers(initConfigContainer(kb)) for _, volume := range volumes { diff --git a/pkg/controller/kibana/securitycontext.go b/pkg/controller/kibana/securitycontext.go new file mode 100644 index 0000000000..66d004db5b --- /dev/null +++ b/pkg/controller/kibana/securitycontext.go @@ -0,0 +1,24 @@ +package kibana + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" +) + +var ( + defaultSecurityContext = corev1.SecurityContext{ + AllowPrivilegeEscalation: ptr.To(bool(false)), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + corev1.Capability("ALL"), + }, + }, + Privileged: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(bool(true)), + RunAsUser: ptr.To(int64(1000)), + RunAsGroup: ptr.To(int64(1000)), + } + defaultPodSecurityContext = corev1.PodSecurityContext{ + FSGroup: ptr.To(int64(1000)), + } +) From 1792e5620261a12b3babee8ed377da0198990c96 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 8 Oct 2024 13:56:25 -0500 Subject: [PATCH 02/15] do not set sec context in initConfigContainer Signed-off-by: Michael Montgomery --- pkg/controller/kibana/init_configuration.go | 7 +------ pkg/controller/kibana/pod.go | 4 ++-- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/pkg/controller/kibana/init_configuration.go b/pkg/controller/kibana/init_configuration.go index a3804c692f..ed2481753a 100644 --- a/pkg/controller/kibana/init_configuration.go +++ b/pkg/controller/kibana/init_configuration.go 
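Review bot: defaultSecurityContext pins RunAsUser/RunAsGroup to 1000 but sets neither `RunAsNonRoot: ptr.To(true)` nor a `SeccompProfile` of type RuntimeDefault, so the new defaults still fall short of the Pod Security Standards restricted profile even though every other field of that profile is covered; adding both keeps Kibana pods admissible where `restricted` is enforced. A pinned RunAsUser may also be rejected by OpenShift's restricted SCC, which assigns UIDs from a per-namespace range — worth confirming that a user-provided podTemplate can override it through the builder, and saying so in a comment on the var block. Minor: `ptr.To(bool(false))` carries a redundant conversion; `ptr.To(false)` reads the same and infers the type.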
@@ -38,16 +38,11 @@ echo "Kibana configuration successfully prepared." // The script creates symbolic links from the generated configuration files in /mnt/elastic-internal/kibana-config/ to // an empty directory later mounted in /use/share/kibana/config func initConfigContainer(kb kbv1.Kibana) corev1.Container { - privileged := false - return corev1.Container{ // Image will be inherited from pod template defaults ImagePullPolicy: corev1.PullIfNotPresent, Name: InitConfigContainerName, - SecurityContext: &corev1.SecurityContext{ - Privileged: &privileged, - }, - Command: []string{"/usr/bin/env", "bash", "-c", InitConfigScript}, + Command: []string{"/usr/bin/env", "bash", "-c", InitConfigScript}, VolumeMounts: []corev1.VolumeMount{ ConfigSharedVolume.InitContainerVolumeMount(), ConfigVolume(kb).VolumeMount(), diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 5437410deb..8df083ced5 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -110,9 +110,9 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki WithDockerImage(kb.Spec.Image, container.ImageRepository(container.KibanaImage, v)). WithReadinessProbe(readinessProbe(kb.Spec.HTTP.TLS.Enabled(), kibanaBasePath)). WithPorts(ports). + WithInitContainers(initConfigContainer(kb)). WithContainersSecurityContext(defaultSecurityContext). - WithPodSecurityContext(defaultPodSecurityContext). - WithInitContainers(initConfigContainer(kb)) + WithPodSecurityContext(defaultPodSecurityContext) for _, volume := range volumes { builder.WithVolumes(volume.Volume()).WithVolumeMounts(volume.VolumeMount()) From 3ceb5d212352a8fe85520675bdb076ce945e951c Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 8 Oct 2024 14:00:04 -0500 Subject: [PATCH 03/15] revert test change. Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index e34e7f4c3f..3abea62843 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -11,7 +11,6 @@ import ( "testing" "github.com/go-test/deep" - "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" @@ -383,7 +382,7 @@ func TestDriverDeploymentParams(t *testing.T) { } if diff := deep.Equal(got, tt.want); diff != nil { - t.Error(cmp.Diff(got, tt.want)) + t.Error(diff) } }) } From dca85315e8289f2ec0e4afeae653dbe0c6b19197 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 8 Oct 2024 14:09:43 -0500 Subject: [PATCH 04/15] Add license header Signed-off-by: Michael Montgomery --- pkg/controller/kibana/securitycontext.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/controller/kibana/securitycontext.go b/pkg/controller/kibana/securitycontext.go index 66d004db5b..9dd5bc3381 100644 --- a/pkg/controller/kibana/securitycontext.go +++ b/pkg/controller/kibana/securitycontext.go @@ -1,3 +1,7 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License 2.0; +// you may not use this file except in compliance with the Elastic License 2.0. + package kibana import ( From dd194934ef2ba37849af7dd812f9e8c073caee03 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Fri, 25 Oct 2024 13:33:59 -0500 Subject: [PATCH 05/15] Only allow hardened sec context in 7.6+ Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 8df083ced5..a0c648e8b9 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go 
@@ -118,6 +118,14 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki builder.WithVolumes(volume.Volume()).WithVolumeMounts(volume.VolumeMount()) } + // Kibana 7.6.0 and above support running with a read-only root filesystem, + // but require a temporary volume to be mounted at /tmp for some reporting features. + if v.GTE(version.From(7, 6, 0)) { + tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") + builder.WithPodSecurityContext(defaultPodSecurityContext). + WithVolumes(tmpVolume.Volume()).WithVolumeMounts(tmpVolume.VolumeMount()) + } + if keystore != nil { builder.WithVolumes(keystore.Volume). WithInitContainers(keystore.InitContainer) From bf0d1dd33a8989df646bfc4aedce6951ebbeac24 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Fri, 25 Oct 2024 13:56:21 -0500 Subject: [PATCH 06/15] Update tests to be accurate. Update logic issue with default builder. Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 5 ++--- pkg/controller/kibana/pod_test.go | 14 +++++++++----- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index a0c648e8b9..8c648b96eb 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -110,9 +110,7 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki WithDockerImage(kb.Spec.Image, container.ImageRepository(container.KibanaImage, v)). WithReadinessProbe(readinessProbe(kb.Spec.HTTP.TLS.Enabled(), kibanaBasePath)). WithPorts(ports). - WithInitContainers(initConfigContainer(kb)). - WithContainersSecurityContext(defaultSecurityContext). - WithPodSecurityContext(defaultPodSecurityContext) + WithInitContainers(initConfigContainer(kb)) for _, volume := range volumes { builder.WithVolumes(volume.Volume()).WithVolumeMounts(volume.VolumeMount()) 
@@ -123,6 +121,7 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki if v.GTE(version.From(7, 6, 0)) { tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") builder.WithPodSecurityContext(defaultPodSecurityContext). + WithContainersSecurityContext(defaultSecurityContext). WithVolumes(tmpVolume.Volume()).WithVolumeMounts(tmpVolume.VolumeMount()) } diff --git a/pkg/controller/kibana/pod_test.go b/pkg/controller/kibana/pod_test.go index 7d2f19e5d1..fe1c459ad8 100644 --- a/pkg/controller/kibana/pod_test.go +++ b/pkg/controller/kibana/pod_test.go @@ -140,7 +140,7 @@ func TestNewPodTemplateSpec(t *testing.T) { }, }, { - name: "with user-provided labels", + name: "with user-provided labels, and 7.4.x shouldn't have security contexts set", keystore: nil, kb: kbv1.Kibana{ ObjectMeta: metav1.ObjectMeta{ @@ -165,6 +165,8 @@ func TestNewPodTemplateSpec(t *testing.T) { labels["label2"] = "value2" labels[kblabel.KibanaNameLabelName] = "overridden-kibana-name" assert.Equal(t, labels, pod.Labels) + assert.Nil(t, pod.Spec.SecurityContext) + assert.Nil(t, GetKibanaContainer(pod.Spec).SecurityContext) }, }, { @@ -192,7 +194,7 @@ func TestNewPodTemplateSpec(t *testing.T) { }, }, { - name: "with user-provided volumes and volume mounts", + name: "with user-provided volumes and 8.x should have volume mounts including /tmp volume and security contexts", kb: kbv1.Kibana{Spec: kbv1.KibanaSpec{ PodTemplate: corev1.PodTemplateSpec{ Spec: corev1.PodSpec{ 
@@ -217,9 +219,11 @@ func TestNewPodTemplateSpec(t *testing.T) { }}, assertions: func(pod corev1.PodTemplateSpec) { assert.Len(t, pod.Spec.InitContainers, 1) - assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 3) - assert.Len(t, pod.Spec.Volumes, 1) - assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 1) + assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 4) + assert.Len(t, pod.Spec.Volumes, 2) + assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 2) + assert.Equal(t, pod.Spec.SecurityContext, &defaultPodSecurityContext) + assert.Equal(t, GetKibanaContainer(pod.Spec).SecurityContext, &defaultSecurityContext) }, }, { From 712350006767c97a3af6a82c9eac24dc76e5e851 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Fri, 25 Oct 2024 13:57:13 -0500 Subject: [PATCH 07/15] Move to 7.5, not 7.6 Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 8c648b96eb..129c8c6f01 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -116,9 +116,9 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki builder.WithVolumes(volume.Volume()).WithVolumeMounts(volume.VolumeMount()) } - // Kibana 7.6.0 and above support running with a read-only root filesystem, + // Kibana 7.5.0 and above support running with a read-only root filesystem, // but require a temporary volume to be mounted at /tmp for some reporting features. - if v.GTE(version.From(7, 6, 0)) { + if v.GTE(version.From(7, 5, 0)) { tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") builder.WithPodSecurityContext(defaultPodSecurityContext). WithContainersSecurityContext(defaultSecurityContext). From 5171c7e510919b4b56321db841cec4e72d3bd53a Mon Sep 17 00:00:00 2001 
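Review bot: The two added assert.Equal calls pass the actual value first and the expected `&defaultPodSecurityContext` / `&defaultSecurityContext` second, but testify's signature is `assert.Equal(t, expected, actual, ...)`, so a failure will print the two sides swapped; write `assert.Equal(t, &defaultPodSecurityContext, pod.Spec.SecurityContext)` and `assert.Equal(t, &defaultSecurityContext, GetKibanaContainer(pod.Spec).SecurityContext)`. The same two lines are carried unchanged into the later pod_test.go hunk that bumps the volume counts, so the swap should be fixed there as well. TestNewPodTemplateSpec starts and ends outside the hunk.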
From: Michael Montgomery Date: Fri, 25 Oct 2024 14:32:49 -0500 Subject: [PATCH 08/15] Add tests for new volumes and sec contexts across different versions Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 57 ++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 7 deletions(-) diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index 3abea62843..cc1a0521d3 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -223,7 +223,7 @@ func TestDriverDeploymentParams(t *testing.T) { kb: kibanaFixture, initialObjects: defaultInitialObjects, }, - want: expectedDeploymentParams(), + want: pre750(expectedDeploymentParams()), wantErr: false, }, { @@ -233,7 +233,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, policyAnnotations: map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"}, }, - want: expectedDeploymentWithPolicyAnnotations(map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"}), + want: pre750(expectedDeploymentWithPolicyAnnotations(map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"})), wantErr: false, }, { @@ -249,7 +249,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - params := expectedDeploymentParams() + params := pre750(expectedDeploymentParams()) params.PodTemplateSpec.Spec.Volumes = params.PodTemplateSpec.Spec.Volumes[1:] params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts = params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts[1:] params.PodTemplateSpec.Spec.Containers[0].VolumeMounts = params.PodTemplateSpec.Spec.Containers[0].VolumeMounts[1:] 
@@ -266,7 +266,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := expectedDeploymentParams() + p := pre750(expectedDeploymentParams()) p.PodTemplateSpec.Labels["mylabel"] = "value" for i, c := range p.PodTemplateSpec.Spec.Containers { if c.Name == kbv1.KibanaContainerName { @@ -323,7 +323,7 @@ func TestDriverDeploymentParams(t *testing.T) { }, }, want: func() deployment.Params { - p := expectedDeploymentParams() + p := pre750(expectedDeploymentParams()) p.PodTemplateSpec.Annotations["kibana.k8s.elastic.co/config-hash"] = "2368465874" return p }(), @@ -340,7 +340,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := expectedDeploymentParams() + p := pre750(expectedDeploymentParams()) p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "6.8.0" return p }(), @@ -357,12 +357,29 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := expectedDeploymentParams() + p := pre750(expectedDeploymentParams()) p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "6.8.0" return p }(), wantErr: false, }, + { + name: "7.5+ contains security contexts", + args: args{ + kb: func() *kbv1.Kibana { + kb := kibanaFixture() + kb.Spec.Version = "7.5.0" + return kb + }, + initialObjects: defaultInitialObjects, + }, + want: func() deployment.Params { + p := expectedDeploymentParams() + p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "7.5.0" + return p + }(), + wantErr: false, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
@@ -490,6 +507,12 @@ func expectedDeploymentParams() deployment.Params { EmptyDir: &corev1.EmptyDirVolumeSource{}, }, }, + { + Name: "temp-volume", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, }, InitContainers: []corev1.Container{{ Name: "elastic-internal-init-config", @@ -533,6 +556,11 @@ func expectedDeploymentParams() deployment.Params { ReadOnly: falseVal, MountPath: DataVolumeMountPath, }, + { + Name: "temp-volume", + ReadOnly: falseVal, + MountPath: "/tmp", + }, }, Resources: corev1.ResourceRequirements{ Requests: map[corev1.ResourceName]resource.Quantity{ @@ -569,6 +597,11 @@ func expectedDeploymentParams() deployment.Params { ReadOnly: falseVal, MountPath: DataVolumeMountPath, }, + { + Name: "temp-volume", + ReadOnly: falseVal, + MountPath: "/tmp", + }, }, Image: "my-image", Name: kbv1.KibanaContainerName, @@ -608,6 +641,16 @@ func expectedDeploymentWithPolicyAnnotations(policyAnnotations map[string]string return deploymentParams } +func pre750(params deployment.Params) deployment.Params { + params.PodTemplateSpec.Spec.Containers[0].SecurityContext = nil + params.PodTemplateSpec.Spec.InitContainers[0].SecurityContext = nil + params.PodTemplateSpec.Spec.SecurityContext = nil + params.PodTemplateSpec.Spec.Volumes = params.PodTemplateSpec.Spec.Volumes[:5] + params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts = params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts[:5] + params.PodTemplateSpec.Spec.Containers[0].VolumeMounts = params.PodTemplateSpec.Spec.Containers[0].VolumeMounts[:5] + return params +} + func kibanaFixture() *kbv1.Kibana { kbFixture := &kbv1.Kibana{ ObjectMeta: metav1.ObjectMeta{ From 2757ea26de76c2288fab5d10269d1b8ab2762e2e Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Fri, 25 Oct 2024 15:12:26 -0500 Subject: [PATCH 09/15] Move to 7.10 and adjust tests. 
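Review bot: pre750 strips the gated volumes and mounts by position (`[:5]`), which only works as long as every version-gated entry is appended after the five base entries and breaks silently the moment expectedDeploymentParams gains or reorders one — the later patch that inserts kibana-plugins ahead of temp-volume already depends on that coincidence. Filtering by name is self-describing and survives reordering: `params.PodTemplateSpec.Spec.Volumes = slices.DeleteFunc(params.PodTemplateSpec.Spec.Volumes, func(v corev1.Volume) bool { return v.Name == "temp-volume" })`, with the equivalent predicate on `corev1.VolumeMount` for the two mount slices and `slices` added to the test imports. A one-line doc comment such as `// pre750 removes the security contexts and volumes that are only set for Kibana >= 7.5.0.` would also save the next reader from inferring the helper's purpose from its name.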
Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 6 +++--- pkg/controller/kibana/pod.go | 5 ++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index cc1a0521d3..965c81a4f1 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -364,18 +364,18 @@ func TestDriverDeploymentParams(t *testing.T) { wantErr: false, }, { - name: "7.5+ contains security contexts", + name: "7.10+ contains security contexts", args: args{ kb: func() *kbv1.Kibana { kb := kibanaFixture() - kb.Spec.Version = "7.5.0" + kb.Spec.Version = "7.10.0" return kb }, initialObjects: defaultInitialObjects, }, want: func() deployment.Params { p := expectedDeploymentParams() - p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "7.5.0" + p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "7.10.0" return p }(), wantErr: false, diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 129c8c6f01..ae86d96fff 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -118,7 +118,10 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki // Kibana 7.5.0 and above support running with a read-only root filesystem, // but require a temporary volume to be mounted at /tmp for some reporting features. - if v.GTE(version.From(7, 5, 0)) { + // Limiting to 7.10.0 here as there was a bug in previous versions causing rebuilding + // of browser bundles to happen on plugin install, which would attempt a write to the + // root filesystem on restart. + if v.GTE(version.From(7, 10, 0)) { tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") builder.WithPodSecurityContext(defaultPodSecurityContext). WithContainersSecurityContext(defaultSecurityContext). From a6f6ed33d8ff43b994d81bb3d3378b189b756766 Mon Sep 17 00:00:00 2001 
From: Michael Montgomery Date: Tue, 29 Oct 2024 11:47:23 -0500 Subject: [PATCH 10/15] Add plugins volume and fix some tests. Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 12 ++++++++++-- pkg/controller/kibana/pod_test.go | 8 ++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index ae86d96fff..39395e4864 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -33,6 +33,8 @@ import ( const ( DataVolumeName = "kibana-data" DataVolumeMountPath = "/usr/share/kibana/data" + PluginsVolumeName = "kibana-data" + PluginsVolumeMountPath = "/usr/share/kibana/plugins" KibanaBasePathEnvName = "SERVER_BASEPATH" KibanaRewriteBasePathEnvName = "SERVER_REWRITEBASEPATH" ) @@ -43,6 +45,10 @@ var ( // Since Kibana is stateless and the keystore is created on pod start, an EmptyDir is fine here. DataVolume = volume.NewEmptyDirVolume(DataVolumeName, DataVolumeMountPath) + // PluginsVolume is used to persist plugins after installation via an init container when + // the Kibana pod has readOnlyRootFilesystem set to true. + PluginsVolume = volume.NewEmptyDirVolume(PluginsVolumeName, PluginsVolumeMountPath) + DefaultMemoryLimits = resource.MustParse("1Gi") DefaultResources = corev1.ResourceRequirements{ Requests: map[corev1.ResourceName]resource.Quantity{ @@ -117,7 +123,8 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki } // Kibana 7.5.0 and above support running with a read-only root filesystem, - // but require a temporary volume to be mounted at /tmp for some reporting features. + // but require a temporary volume to be mounted at /tmp for some reporting features + // and a plugin volume mounted at /usr/share/kibana/plugins. // Limiting to 7.10.0 here as there was a bug in previous versions causing rebuilding // of browser bundles to happen on plugin install, which would attempt a write to the // root filesystem on restart. 
@@ -125,7 +132,8 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") builder.WithPodSecurityContext(defaultPodSecurityContext). WithContainersSecurityContext(defaultSecurityContext). - WithVolumes(tmpVolume.Volume()).WithVolumeMounts(tmpVolume.VolumeMount()) + WithVolumes(tmpVolume.Volume()).WithVolumeMounts(tmpVolume.VolumeMount()). + WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount()) } if keystore != nil { diff --git a/pkg/controller/kibana/pod_test.go b/pkg/controller/kibana/pod_test.go index fe1c459ad8..8b82970769 100644 --- a/pkg/controller/kibana/pod_test.go +++ b/pkg/controller/kibana/pod_test.go @@ -194,7 +194,7 @@ func TestNewPodTemplateSpec(t *testing.T) { }, }, { - name: "with user-provided volumes and 8.x should have volume mounts including /tmp volume and security contexts", + name: "with user-provided volumes and 8.x should have volume mounts including /tmp and plugins volumes and security contexts", kb: kbv1.Kibana{Spec: kbv1.KibanaSpec{ PodTemplate: corev1.PodTemplateSpec{ Spec: corev1.PodSpec{ @@ -219,9 +219,9 @@ func TestNewPodTemplateSpec(t *testing.T) { }}, assertions: func(pod corev1.PodTemplateSpec) { assert.Len(t, pod.Spec.InitContainers, 1) - assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 4) - assert.Len(t, pod.Spec.Volumes, 2) - assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 2) + assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 5) + assert.Len(t, pod.Spec.Volumes, 3) + assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 3) assert.Equal(t, pod.Spec.SecurityContext, &defaultPodSecurityContext) assert.Equal(t, GetKibanaContainer(pod.Spec).SecurityContext, &defaultSecurityContext) }, From cc77f113a819ddc071f2efc4b141ac51ab111bcd Mon Sep 17 00:00:00 2001 
From: Michael Montgomery Date: Tue, 29 Oct 2024 18:53:02 -0500 Subject: [PATCH 11/15] Update func name in pkg/controller/kibana/driver_test.go Co-authored-by: Peter Brachwitz --- pkg/controller/kibana/driver_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index 965c81a4f1..b7aa558e3b 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -641,7 +641,7 @@ func expectedDeploymentWithPolicyAnnotations(policyAnnotations map[string]string return deploymentParams } -func pre750(params deployment.Params) deployment.Params { +func pre710(params deployment.Params) deployment.Params { params.PodTemplateSpec.Spec.Containers[0].SecurityContext = nil params.PodTemplateSpec.Spec.InitContainers[0].SecurityContext = nil params.PodTemplateSpec.Spec.SecurityContext = nil From 0234dccdd102a3834e776f7e964737f6a3ec4f31 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Wed, 30 Oct 2024 10:34:21 -0500 Subject: [PATCH 12/15] Fix tests Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index b7aa558e3b..49f5e832f5 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go @@ -223,7 +223,7 @@ func TestDriverDeploymentParams(t *testing.T) { kb: kibanaFixture, initialObjects: defaultInitialObjects, }, - want: pre750(expectedDeploymentParams()), + want: pre710(expectedDeploymentParams()), wantErr: false, }, { 
@@ -233,7 +233,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, policyAnnotations: map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"}, }, - want: pre750(expectedDeploymentWithPolicyAnnotations(map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"})), + want: pre710(expectedDeploymentWithPolicyAnnotations(map[string]string{"policy.k8s.elastic.co/kibana-config-hash": "2123345"})), wantErr: false, }, { @@ -249,7 +249,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - params := pre750(expectedDeploymentParams()) + params := pre710(expectedDeploymentParams()) params.PodTemplateSpec.Spec.Volumes = params.PodTemplateSpec.Spec.Volumes[1:] params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts = params.PodTemplateSpec.Spec.InitContainers[0].VolumeMounts[1:] params.PodTemplateSpec.Spec.Containers[0].VolumeMounts = params.PodTemplateSpec.Spec.Containers[0].VolumeMounts[1:] @@ -266,7 +266,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := pre750(expectedDeploymentParams()) + p := pre710(expectedDeploymentParams()) p.PodTemplateSpec.Labels["mylabel"] = "value" for i, c := range p.PodTemplateSpec.Spec.Containers { if c.Name == kbv1.KibanaContainerName { @@ -323,7 +323,7 @@ func TestDriverDeploymentParams(t *testing.T) { }, }, want: func() deployment.Params { - p := pre750(expectedDeploymentParams()) + p := pre710(expectedDeploymentParams()) p.PodTemplateSpec.Annotations["kibana.k8s.elastic.co/config-hash"] = "2368465874" return p }(), 
@@ -340,7 +340,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := pre750(expectedDeploymentParams()) + p := pre710(expectedDeploymentParams()) p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "6.8.0" return p }(), @@ -357,7 +357,7 @@ func TestDriverDeploymentParams(t *testing.T) { initialObjects: defaultInitialObjects, }, want: func() deployment.Params { - p := pre750(expectedDeploymentParams()) + p := pre710(expectedDeploymentParams()) p.PodTemplateSpec.Labels["kibana.k8s.elastic.co/version"] = "6.8.0" return p }(), From 7177226c7cb8d3fdff03fc4d7687150618e62019 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Wed, 30 Oct 2024 10:39:38 -0500 Subject: [PATCH 13/15] adjust plugin volume name Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 39395e4864..7d2ea8db5e 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -33,7 +33,7 @@ import ( const ( DataVolumeName = "kibana-data" DataVolumeMountPath = "/usr/share/kibana/data" - PluginsVolumeName = "kibana-data" + PluginsVolumeName = "kibana-plugins" PluginsVolumeMountPath = "/usr/share/kibana/plugins" KibanaBasePathEnvName = "SERVER_BASEPATH" KibanaRewriteBasePathEnvName = "SERVER_REWRITEBASEPATH" From 2a531468714e1f6cd2bac4dda69d569df7709b09 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Wed, 30 Oct 2024 11:25:43 -0500 Subject: [PATCH 14/15] fix unit test Signed-off-by: Michael Montgomery --- pkg/controller/kibana/driver_test.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pkg/controller/kibana/driver_test.go b/pkg/controller/kibana/driver_test.go index 49f5e832f5..ca3db18b8c 100644 --- a/pkg/controller/kibana/driver_test.go +++ b/pkg/controller/kibana/driver_test.go 
@@ -507,6 +507,12 @@ func expectedDeploymentParams() deployment.Params { EmptyDir: &corev1.EmptyDirVolumeSource{}, }, }, + { + Name: "kibana-plugins", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, { Name: "temp-volume", VolumeSource: corev1.VolumeSource{ @@ -556,6 +562,11 @@ func expectedDeploymentParams() deployment.Params { ReadOnly: falseVal, MountPath: DataVolumeMountPath, }, + { + Name: "kibana-plugins", + ReadOnly: falseVal, + MountPath: "/usr/share/kibana/plugins", + }, { Name: "temp-volume", ReadOnly: falseVal, @@ -597,6 +608,11 @@ func expectedDeploymentParams() deployment.Params { ReadOnly: falseVal, MountPath: DataVolumeMountPath, }, + { + Name: "kibana-plugins", + ReadOnly: falseVal, + MountPath: "/usr/share/kibana/plugins", + }, { Name: "temp-volume", ReadOnly: falseVal, From f30e5069e94e88d4c922f4450f63456e1a134b5f Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Thu, 31 Oct 2024 15:30:38 -0500 Subject: [PATCH 15/15] Adjust temp volume to be a constant to be consistent. Adjust comments. Signed-off-by: Michael Montgomery --- pkg/controller/kibana/pod.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkg/controller/kibana/pod.go b/pkg/controller/kibana/pod.go index 7d2ea8db5e..386198c1a3 100644 --- a/pkg/controller/kibana/pod.go +++ b/pkg/controller/kibana/pod.go @@ -35,6 +35,8 @@ const ( DataVolumeMountPath = "/usr/share/kibana/data" PluginsVolumeName = "kibana-plugins" PluginsVolumeMountPath = "/usr/share/kibana/plugins" + TempVolumeName = "temp-volume" + TempVolumeMountPath = "/tmp" KibanaBasePathEnvName = "SERVER_BASEPATH" KibanaRewriteBasePathEnvName = "SERVER_REWRITEBASEPATH" ) 
@@ -45,10 +47,14 @@ var ( // Since Kibana is stateless and the keystore is created on pod start, an EmptyDir is fine here. DataVolume = volume.NewEmptyDirVolume(DataVolumeName, DataVolumeMountPath) - // PluginsVolume is used to persist plugins after installation via an init container when + // PluginsVolume can be used to persist plugins after installation via an init container when // the Kibana pod has readOnlyRootFilesystem set to true. PluginsVolume = volume.NewEmptyDirVolume(PluginsVolumeName, PluginsVolumeMountPath) + // TempVolume can be used for some reporting features when the Kibana pod has + // readOnlyRootFilesystem set to true. + TempVolume = volume.NewEmptyDirVolume(TempVolumeName, TempVolumeMountPath) + DefaultMemoryLimits = resource.MustParse("1Gi") DefaultResources = corev1.ResourceRequirements{ Requests: map[corev1.ResourceName]resource.Quantity{ @@ -129,10 +135,9 @@ func NewPodTemplateSpec(ctx context.Context, client k8sclient.Client, kb kbv1.Ki // of browser bundles to happen on plugin install, which would attempt a write to the // root filesystem on restart. if v.GTE(version.From(7, 10, 0)) { - tmpVolume := volume.NewEmptyDirVolume("temp-volume", "/tmp") builder.WithPodSecurityContext(defaultPodSecurityContext). WithContainersSecurityContext(defaultSecurityContext). - WithVolumes(tmpVolume.Volume()).WithVolumeMounts(tmpVolume.VolumeMount()). + WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount()). WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount()) }
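Review bot: Both EmptyDirs added inside the version gate are unbounded; /tmp in particular is written by the reporting features the comment refers to, so a large report can consume node ephemeral storage until the kubelet evicts the pod — consider giving TempVolume a SizeLimit if volume.NewEmptyDirVolume or a sibling constructor exposes one. Mounting an EmptyDir at /usr/share/kibana/plugins also hides anything the image ships in that directory; that is presumably empty in the official image, but it deserves a sentence on the PluginsVolume comment. Now that `temp-volume` and `kibana-plugins` are exported constants, the gate comment should also state what happens when the user's podTemplate already defines a volume with one of those names, since that precedence is decided by the builder and is not visible here. NewPodTemplateSpec's body continues outside the hunk.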