elastic · naemono · Mar 22, 2023 · Mar 23, 2023 · Mar 27, 2023 · Mar 27, 2023
diff --git a/config/recipes/elastic-agent/fleet-apm-integration.yaml b/config/recipes/elastic-agent/fleet-apm-integration.yaml
@@ -86,8 +86,6 @@ spec:
       spec:
         serviceAccountName: fleet-server
         automountServiceAccountToken: true
-        securityContext:
-          runAsUser: 0
 ---
 apiVersion: agent.k8s.elastic.co/v1alpha1
 kind: Agent
@@ -102,10 +100,6 @@ spec:
   mode: fleet
   deployment:
     replicas: 1
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0
 ---
 apiVersion: v1
 kind: Service

diff --git a/config/recipes/elastic-agent/fleet-custom-logs-integration.yaml b/config/recipes/elastic-agent/fleet-custom-logs-integration.yaml
@@ -95,8 +95,6 @@ spec:
       spec:
         serviceAccountName: fleet-server
         automountServiceAccountToken: true
-        securityContext:
-          runAsUser: 0
 ---
 apiVersion: agent.k8s.elastic.co/v1alpha1
 kind: Agent
@@ -114,8 +112,6 @@ spec:
       spec:
         serviceAccountName: elastic-agent
         automountServiceAccountToken: true
-        securityContext:
-          runAsUser: 0
         containers:
         - name: agent
           volumeMounts:

diff --git a/config/recipes/elastic-agent/fleet-kubernetes-integration.yaml b/config/recipes/elastic-agent/fleet-kubernetes-integration.yaml
@@ -79,8 +79,6 @@ spec:
       spec:
         serviceAccountName: fleet-server
         automountServiceAccountToken: true
-        securityContext:
-          runAsUser: 0
 // Beats managed by the Elastic Agent don't trust the Elasticsearch CA that Elastic Agent itself is configured 
 // to trust. There is currently no way to configure those Beats to trust a particular CA. The intended way to handle 
 // it is to allow Fleet to provide Beat output settings, but due to https://github.com/elastic/kibana/issues/102794 
 // this is not supported outside of UI. To workaround this limitation the Agent is going to update Pod-wide CA store 
 // before starting Elastic Agent. 
 cmd := trustCAScript(path.Join(certificatesDir(esAssociation), CAFileName)) 
 return builder.WithCommand([]string{"/usr/bin/env", "bash", "-c", cmd}), nil 
 // Beats managed by the Elastic Agent don't trust the Elasticsearch CA that Elastic Agent itself is configured 
 // to trust. There is currently no way to configure those Beats to trust a particular CA. The intended way to handle 
 // it is to allow Fleet to provide Beat output settings, but due to https://github.com/elastic/kibana/issues/102794 
 // this is not supported outside of UI. To workaround this limitation the Agent is going to update Pod-wide CA store 
 // before starting Elastic Agent. 
 cmd := trustCAScript(path.Join(certificatesDir(esAssociation), CAFileName)) 
 return builder.WithCommand([]string{"/usr/bin/env", "bash", "-c", cmd}), nil 
 ---
 apiVersion: agent.k8s.elastic.co/v1alpha1
 kind: Agent
@@ -97,11 +95,7 @@ spec:
     podTemplate:
       spec:
         serviceAccountName: elastic-agent
-        hostNetwork: true
-        dnsPolicy: ClusterFirstWithHostNet
         automountServiceAccountToken: true
-        securityContext:
-          runAsUser: 0
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/config/recipes/elastic-agent/kubernetes-integration.yaml b/config/recipes/elastic-agent/kubernetes-integration.yaml
@@ -13,8 +13,6 @@ spec:
         serviceAccountName: elastic-agent
         containers:
         - name: agent
-          securityContext:
-            runAsUser: 0
           env:
           - name: NODE_NAME
             valueFrom:

diff --git a/config/recipes/elastic-agent/multi-output.yaml b/config/recipes/elastic-agent/multi-output.yaml
@@ -14,8 +14,6 @@ spec:
       spec:
         containers:
         - name: agent
-          securityContext:
-            runAsUser: 0
           volumeMounts:
           - mountPath: /var/log
             name: varlog

diff --git a/config/recipes/elastic-agent/system-integration.yaml b/config/recipes/elastic-agent/system-integration.yaml
@@ -11,8 +11,6 @@ spec:
       spec:
         containers:
         - name: agent
-          securityContext:
-            runAsUser: 0
   config:
     id: 488e0b80-3634-11eb-8208-57893829af4e
     revision: 2

diff --git a/docs/orchestrating-elastic-stack-applications/agent-standalone.asciidoc b/docs/orchestrating-elastic-stack-applications/agent-standalone.asciidoc
@@ -32,11 +32,7 @@ spec:
   version: {version}
   elasticsearchRefs:
   - name: quickstart
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0 <1>
+  daemonSet: {}
   config:
     inputs:
       - name: system-1
@@ -62,9 +58,6 @@ spec:
             period: 10s
 EOF
 ----
-+
-<1> The root user is required to persist state in a hostPath volume. See <<{p}_storing_local_state_in_host_path_volume>> on how to disable this feature.
-+
 Check <<{p}-elastic-agent-configuration-examples>> for more ready-to-use manifests.
 
 . Monitor the status of Elastic Agent.
@@ -140,11 +133,7 @@ spec:
   version: {version}
   elasticsearchRefs:
   - name: quickstart
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0 <1>
+  daemonSet: {}
   config:
     inputs:
       - name: system-1
@@ -170,8 +159,6 @@ spec:
             period: 10s
 ----
 
-<1> The root user is required to persist state in a hostPath volume. See <<{p}_storing_local_state_in_host_path_volume>> on how to disable this feature.
-
 Alternatively, it can be provided through a Secret specified in the `configRef` element. The Secret must have an `agent.yml` entry with this configuration:
 [source,yaml,subs="attributes,+macros"]
 ----
@@ -183,11 +170,7 @@ spec:
   version: {version}
   elasticsearchRefs:
   - name: quickstart
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0
+  daemonSet: {}
   configRef:
     secretName: system-cpu-config
 ---
@@ -239,11 +222,7 @@ metadata:
   name: quickstart
 spec:
   version: {version}
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0
+  daemonSet: {}
   elasticsearchRefs:
   - name: quickstart
     outputName: default
@@ -285,11 +264,7 @@ metadata:
   name: quickstart
 spec:
   version: {version}
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0
+  daemonSet: {}
   config:
     outputs:
       default:
@@ -316,11 +291,7 @@ metadata:
   name: quickstart
 spec:
   version: {version}
-  daemonSet:
-    podTemplate:
-      spec:
-        securityContext:
-          runAsUser: 0
+  daemonSet: {}
     strategy:
       type: RollingUpdate
       rollingUpdate:
@@ -350,8 +321,6 @@ spec:
       spec:
         automountServiceAccountToken: true
         serviceAccountName: elastic-agent
-        securityContext:
-          runAsUser: 0
 ...
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/pkg/controller/agent/pod.go b/pkg/controller/agent/pod.go
@@ -183,6 +183,7 @@ func buildPodTemplate(params Params, fleetCerts *certificates.CertificatesSecret
 		WithDockerImage(spec.Image, container.ImageRepository(container.AgentImage, spec.Version)).
 		WithAutomountServiceAccountToken().
 		WithVolumeLikes(vols...).
+		WithInitContainers(maybeAgentInitContainerForHostpathVolume(spec, v)...).
 		WithEnv(
 			corev1.EnvVar{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
 				FieldRef: &corev1.ObjectFieldSelector{

diff --git a/pkg/controller/agent/volume.go b/pkg/controller/agent/volume.go
@@ -0,0 +1,153 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package agent
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+
+	"github.com/blang/semver/v4"
+
+	agentv1alpha1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/agent/v1alpha1"
+	container "github.com/elastic/cloud-on-k8s/v2/pkg/controller/common/container"
+	"github.com/elastic/cloud-on-k8s/v2/pkg/controller/common/version"
+	"github.com/elastic/cloud-on-k8s/v2/pkg/utils/pointer"
+)
+
+const (
+	hostPathVolumeInitContainerName = "permissions"
+)
+
+var (
+	hostPathVolumeInitContainerResources = corev1.ResourceRequirements{
+		Requests: map[corev1.ResourceName]resource.Quantity{
+			corev1.ResourceMemory: resource.MustParse("128Mi"),
+			corev1.ResourceCPU:    resource.MustParse("100m"),
+		},
+		Limits: map[corev1.ResourceName]resource.Quantity{
+			corev1.ResourceMemory: resource.MustParse("128Mi"),
+			corev1.ResourceCPU:    resource.MustParse("100m"),
+		},
+	}
+)
+
+// maybeAgentInitContainerForHostpathVolume will return an init container that ensures that the host
+// volume's permissions are sufficient for the Agent to maintain state if the Elastic Agent
+// has the following attributes:
+//
+// 1. Agent volume is not set to emptyDir.
+// 2. Agent version is above 7.15.
+// 3. Agent spec is not configured to run as root.
+func maybeAgentInitContainerForHostpathVolume(spec *agentv1alpha1.AgentSpec, v semver.Version) (initContainers []corev1.Container) {
+	// Only add initContainer to chown hostpath data volume for Agent > 7.15
+	if !v.GTE(version.MinFor(7, 15, 0)) {
+		return nil
+	}
+
+	image := spec.Image
+	if image == "" {
+		image = container.ImageRepository(container.AgentImage, spec.Version)
+	}
+
+	if !dataVolumeEmptyDir(spec) && !runningAsRoot(spec) {
+		initContainers = append(initContainers, corev1.Container{
+			Image:   image,
+			Command: hostPathVolumeInitContainerCommand(),
+			Name:    hostPathVolumeInitContainerName,
+			SecurityContext: &corev1.SecurityContext{
+				RunAsUser: pointer.Int64(0),
+			},
+			Resources: hostPathVolumeInitContainerResources,
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      DataVolumeName,
+					MountPath: DataMountPath,
+				},
+			},
+		})
+	}
+
+	return initContainers
+}
+
+// hostPathVolumeInitContainerCommand returns the container command
+// for maintaining permissions for Elastic Agent.
+func hostPathVolumeInitContainerCommand() []string {
+	return []string{
+		"/usr/bin/env",
+		"bash",
+		"-c",
+		`#!/usr/bin/env bash
+set -e
+if [[ -d /usr/share/elastic-agent/state ]]; then
+  chmod g+rw /usr/share/elastic-agent/state
+  chgrp 1000 /usr/share/elastic-agent/state
+  if [ -n "$(ls -A /usr/share/elastic-agent/state 2>/dev/null)" ]; then
+    chgrp 1000 /usr/share/elastic-agent/state/*
+    chmod g+rw /usr/share/elastic-agent/state/*
+  fi
+fi
+`}
+}
+
+// runningAsRoot will return true if either the Daemonset or Deployment for
+// Elastic Agent has a security context set where the container will run as root.
+func runningAsRoot(spec *agentv1alpha1.AgentSpec) bool {
+	if spec.DaemonSet != nil {
+		templateSpec := spec.DaemonSet.PodTemplate.Spec
+		if templateSpec.SecurityContext != nil &&
+			templateSpec.SecurityContext.RunAsUser != nil && *templateSpec.SecurityContext.RunAsUser == 0 {
+			return true
+		}
+		return containerRunningAsUser0(templateSpec)
+	}
+	if spec.Deployment != nil {
+		templateSpec := spec.Deployment.PodTemplate.Spec
+		if templateSpec.SecurityContext != nil &&
+			templateSpec.SecurityContext.RunAsUser != nil && *templateSpec.SecurityContext.RunAsUser == 0 {
+			return true
+		}
+		return containerRunningAsUser0(templateSpec)
+	}
+	return false
+}
+
+// containerRunningAsUser0 will return true if the Agent container
+// has its pod security context set to run as root.
+func containerRunningAsUser0(spec corev1.PodSpec) bool {
+	for _, container := range spec.Containers {
+		if container.Name == "agent" {
+			if container.SecurityContext == nil {
+				return false
+			}
+			if container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
+				return true
+			}
+			return false
+		}
+	}
+	return false
+}
+
+// dataVolumeEmptyDir will return true if either the Daemonset or Deployment for
+// Elastic Agent has it's Agent volume configured for EmptyDir.
+func dataVolumeEmptyDir(spec *agentv1alpha1.AgentSpec) bool {
+	if spec.DaemonSet != nil {
+		return volumeIsEmptyDir(spec.DaemonSet.PodTemplate.Spec.Volumes)
+	}
+	if spec.Deployment != nil {
+		return volumeIsEmptyDir(spec.Deployment.PodTemplate.Spec.Volumes)
+	}
+	return false
+}
+
+func volumeIsEmptyDir(vols []corev1.Volume) bool {
+	for _, vol := range vols {
+		if vol.Name == DataVolumeName && vol.VolumeSource.EmptyDir != nil {
+			return true
+		}
+	}
+	return false
+}