Update Openshift Agent documentation. #8050

Open
naemono opened this issue Sep 12, 2024 · 0 comments
>docs Documentation v2.15.0

naemono (Contributor) commented Sep 12, 2024

Our documentation notes that you need to add the serviceAccount to the hostaccess SCC to allow Elastic Agent to function in Openshift environments. Unfortunately, this seems to be insufficient, as errors similar to the following appear:

```
[
    provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000670000, 1000679999],
    provider "restricted": Forbidden: not usable by user or serviceaccount,
    provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
    provider "nonroot": Forbidden: not usable by user or serviceaccount,
    provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
    provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
    provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
    provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
    provider "node-exporter": Forbidden: not usable by user or serviceaccount,
    provider "privileged": Forbidden: not usable by user or serviceaccount
]
```

This is using an example such as fleet-kubernetes-integration, which uses the following:

```yaml
spec:
  daemonSet:
    podTemplate:
      spec:
        containers:
          - name: agent
            securityContext:
              privileged: true        # needs an SCC with allowPrivilegedContainer: true
        serviceAccountName: elastic-agent
        hostNetwork: true             # needs an SCC with allowHostNetwork: true
        securityContext:
          runAsUser: 0                # needs an SCC whose runAsUser strategy permits UID 0
```

Where `hostNetwork: true`, `runAsUser: 0`, and `privileged: true` do not seem to be allowed. There seem to be 2 options:

  1. Add the serviceAccount to the privileged SCC (`oc adm policy add-scc-to-user privileged -z elastic-agent -n your-namespace`).
  2. Create a custom SCC, such as:
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: eck-openshift-agents
allowHostDirVolumePlugin: true      # hostPath volumes (host logs, container runtime sockets)
allowHostIPC: false
allowHostPID: false
allowHostNetwork: true              # required by hostNetwork: true in the pod template
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true      # required by privileged: true on the agent container
allowedCapabilities:
- CHOWN                             # redundant once privileged containers are allowed (privileged grants all capabilities)
fsGroup:
  type: RunAsAny
priority: 0                         # default priority; higher values are preferred by admission
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny                    # permits runAsUser: 0; MustRunAsRange would reject it
seLinuxContext:
  type: RunAsAny
seccompProfiles: []
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:elastic-system:elastic-agent
groups:
- system:serviceaccounts:elastic-system   # grants the SCC to every service account in the namespace, not only elastic-agent
volumes:
- '*'
```

This allows the Agent to run properly. We should update our documentation to be more clear in this area.
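The following is an added example, not part of the issue above and not OpenShift or ECK code. It re-implements a small subset of the SCC admission rules (hostNetwork, privileged containers and the runAsUser strategy) so that the failure reported above can be reproduced offline and a pod template can be pre-checked against a candidate SCC before applying it. The field values given for the built-in `hostaccess` SCC, the UID range, and the error wording are assumptions modelled on the error message in the issue; confirm the real values with `oc get scc hostaccess -o yaml` and the namespace's `openshift.io/sa.scc.uid-range` annotation.

```python
"""Offline pre-check of a pod spec against SecurityContextConstraints (simplified)."""

# Constructed SCC descriptions, trimmed to the fields this checker evaluates.
# hostaccess values are an assumption; verify with `oc get scc hostaccess -o yaml`.
HOSTACCESS_SCC = {
    "name": "hostaccess",
    "allowHostNetwork": True,
    "allowPrivilegedContainer": False,      # why hostaccess alone is not enough
    "runAsUser": {"type": "MustRunAsRange"},  # UID must fall in the namespace range
}

# The custom SCC proposed in the issue (relevant fields only).
ECK_AGENTS_SCC = {
    "name": "eck-openshift-agents",
    "allowHostNetwork": True,
    "allowPrivilegedContainer": True,
    "runAsUser": {"type": "RunAsAny"},
}

# UID range a namespace receives via its openshift.io/sa.scc.uid-range annotation;
# the values below are the ones quoted in the error message in the issue.
NAMESPACE_UID_RANGE = (1000670000, 1000679999)

# Security-relevant parts of the fleet-kubernetes-integration pod template.
AGENT_POD_SPEC = {
    "hostNetwork": True,
    "securityContext": {"runAsUser": 0},
    "containers": [
        {"name": "agent", "securityContext": {"privileged": True}},
    ],
}


def check_pod_against_scc(pod_spec, scc, uid_range):
    """Return the list of violations of `scc` by `pod_spec`; an empty list means admitted.

    Messages are modelled on the admission output and may differ in wording."""
    errors = []
    if pod_spec.get("hostNetwork") and not scc.get("allowHostNetwork"):
        errors.append("spec.hostNetwork: Invalid value: true: Host network is not allowed to be used")

    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    strategy = scc["runAsUser"]["type"]
    lo, hi = uid_range
    for i, container in enumerate(pod_spec.get("containers", [])):
        csc = container.get("securityContext", {})
        if csc.get("privileged") and not scc.get("allowPrivilegedContainer"):
            errors.append(
                f"spec.containers[{i}].securityContext.privileged: Invalid value: true: "
                "Privileged containers are not allowed"
            )
        # A container-level runAsUser overrides the pod-level one. An unset UID is
        # defaulted by the strategy, so only an explicit value can violate it.
        uid = csc.get("runAsUser", pod_uid)
        if uid is None:
            continue
        if strategy == "MustRunAsRange" and not lo <= uid <= hi:
            errors.append(
                f"spec.containers[{i}].securityContext.runAsUser: Invalid value: {uid}: "
                f"must be in the ranges: [{lo}, {hi}]"
            )
        elif strategy == "MustRunAsNonRoot" and uid == 0:
            errors.append(
                f"spec.containers[{i}].securityContext.runAsUser: Invalid value: 0: "
                "running with the root UID is forbidden"
            )
        # RunAsAny imposes no restriction on the UID.
    return errors


def admitting_scc(pod_spec, sccs, uid_range):
    """Return (name_of_first_admitting_scc_or_None, {scc_name: errors}).

    Mirrors admission walking the SCCs the service account may use, in order."""
    report = {}
    for scc in sccs:
        report[scc["name"]] = check_pod_against_scc(pod_spec, scc, uid_range)
        if not report[scc["name"]]:
            return scc["name"], report
    return None, report


if __name__ == "__main__":
    chosen, report = admitting_scc(
        AGENT_POD_SPEC, [HOSTACCESS_SCC, ECK_AGENTS_SCC], NAMESPACE_UID_RANGE
    )
    for name, errs in report.items():
        print(f'provider "{name}":', "ok" if not errs else "; ".join(errs))
    print("admitted by:", chosen)
```

Run it as-is and `hostaccess` reports both the privileged-container and the UID-range violation, while `eck-openshift-agents` admits the pod; remove the custom SCC from the list and nothing admits it, which is the situation the issue describes. On a real cluster the equivalent check is `oc adm policy scc-subject-review -f pod.yaml` or `oc adm policy scc-review -z elastic-agent -f pod.yaml`.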

@naemono naemono added the >docs Documentation label Sep 12, 2024
@barkbay barkbay self-assigned this Oct 17, 2024