Hi! I am experiencing issues in deploying Elastics...
# all-things-deployment
s
Hi! I am experiencing issues in deploying Elasticsearch cluster from datahub-helm prerequisites as pod security constraints complain about root access for configure-sysctl initcontainer pod. I see running sysctl command requires root access but the container constraints do not allow that. Attached is my StatefulSet that results in this error. How can I fix this?
Event  : elasticsearch-master   StatefulSet   elasticsearch-master   datahub     create Pod elasticsearch-master-0 in StatefulSet elasticsearch-master failed error: admission webhook "pod-security-webhook.kubernetes.io" denied the request: pods "elasticsearch-master-0" is forbidden: violates PodSecurity "restricted:latest": privileged (container "configure-sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "configure-sysctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "configure-sysctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "configure-sysctl" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "configure-sysctl" must not set runAsUser=0), seccompProfile (pod or container "configure-sysctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")   FailedCreate
o
Hi! What version of Kubernetes are you trying to deploy with? We've tested with up to v1.22 and it seems like there were some PodSecurity updates in more recent versions
s
Hi! I am running on 1.24.3
Probably here is something relevant: https://github.com/elastic/helm-charts/issues/1126
Any thoughts on this problem @bumpy-needle-3184?
b
Below is the issue in the elastic helm chart repository. You can follow the suggestion mentioned there https://github.com/elastic/helm-charts/issues/689 or you can deploy it in k8s v1.22, where it is working fine.
s
Thanks for the reply Navin. I tried that but still there is no way to get around with root access which is required to increase the virtual memory. Then I’m left with going back to k8s 1.22
b
Was it failing after setting the below in values.yaml under the elasticsearch key?
sysctlInitContainer:
  enabled: false
s
Setting this would leave the container with the default vm size 65535, which is not enough to run at least the single node server.
b
ok
s
So I tried extraInitContainers option without runAsUser: 0 but obviously that couldn’t run sysctl either
b
I am not sure if it will work, could you try with the below option?
securityContext:
  allowPrivilegeEscalation: true
s
It won't work on k8s 1.24 as it has podSecurityPolicy restricted, which means always allowPrivilegeEscalation: false
any thoughts @orange-night-91387?
w
@shy-dog-84302 - We are running into the same issue. Were you able to find any solution regarding the init container running as root?
s
@white-appointment-14217 No, we could not fix this problem but resorted to a managed OpenSearch service where we can skip setting up ES infrastructure ourselves.