added psp to the es server and fixed vm max_map_count setting (#16)

charts/efk/v0.1.1/Chart.yaml → charts/efk/v0.1.2/Chart.yaml

 apiVersion: v1
 description: EFK(Elasticsearch + FluentBit + Kibana)
 name: efk
-version: 0.1.1
+version: 0.1.2
 icon: https://image.slidesharecdn.com/challengesinamicroservicesage-170505115849/95/challenges-in-a-microservices-age-monitoring-logging-and-tracing-on-red-hat-openshift-68-638.jpg
 sources:
 - https://www.elastic.co/products/elasticsearch

charts/efk/v0.1.1/charts/elasticsearch/templates/clusterrole.yaml → charts/efk/v0.1.2/charts/elasticsearch/templates/clusterrole.yaml

@@ -25,4 +25,12 @@ rules:
   - statefulsets/status
   verbs:
   - get
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ template "elasticsearch.fullname" . }}
 {{- end -}}

charts/efk/v0.1.2/charts/elasticsearch/templates/psp.yaml

+{{- if .Values.pspEnable }}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: {{ template "elasticsearch.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  name: {{ template "elasticsearch.fullname" . }}
+  annotations:
+    security.alpha.kubernetes.io/sysctls: 'vm.max_map_count'
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  # allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  #requiredDropCapabilities:
+  #  - ALL
+  # Allow core volume types.
+  volumes:
+    - '*'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Permits the container to run with root privileges as well.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}

charts/efk/v0.1.1/charts/elasticsearch/templates/statefulsets.yaml → charts/efk/v0.1.2/charts/elasticsearch/templates/statefulsets.yaml

@@ -23,9 +23,11 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ template "elasticsearch.fullname" . }}
+      {{- if .Values.securityContextEnable }}
       securityContext:
         runAsUser: 1000
         fsGroup: 1000
+      {{- end }}
       {{- if eq .Values.master.antiAffinity "hard" }}
       affinity:
         podAntiAffinity:
@@ -71,8 +73,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: discovery.zen.ping.unicast.hosts
-          value: {{ template "elasticsearch.fullname" . }}
         # node roles, default to all true
         # - name: NODE_MASTER
         #   value: "true"
@@ -108,10 +108,10 @@ spec:
 {{ end }}
         volumeMounts:
         - mountPath: /usr/share/elasticsearch/data
-          name: data
+          name: es-data
       volumes:
   {{- if not .Values.master.persistence.enabled }}
-      - name: data
+      - name: es-data
         emptyDir: {}
   {{- else }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}

charts/efk/v0.1.1/charts/elasticsearch/values.yaml → charts/efk/v0.1.2/charts/elasticsearch/values.yaml

@@ -4,6 +4,8 @@
 elasticsearch:
   rbac:
     create: true
+  pspEnable: true
+  securityContextEnable: true
 
   image:
     repository: "docker.elastic.co/elasticsearch/elasticsearch-oss"
@@ -38,9 +40,9 @@ elasticsearch:
     ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
     ##
     persistence:
-      name: data
+      name: es-data
       enabled: false
-      ## wordpress data Persistent Volume Storage Class
+      ## data Persistent Volume Storage Class
       ## If defined, storageClassName: <storageClass>
       ## If set to "-", storageClassName: "", which disables dynamic provisioning
       ## If undefined (the default) or set to null, no storageClassName spec is

charts/efk/v0.1.1/values.yaml → charts/efk/v0.1.2/values.yaml

@@ -4,6 +4,8 @@
 elasticsearch:
   rbac:
     create: true
+  pspEnable: true
+  securityContextEnable: true
 
   image:
     repository: "docker.elastic.co/elasticsearch/elasticsearch-oss"
@@ -38,7 +40,7 @@ elasticsearch:
     ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
     ##
     persistence:
-      name: data
+      name: es-data
       enabled: false
       ## wordpress data Persistent Volume Storage Class
       ## If defined, storageClassName: <storageClass>