Add set-default-security-context flag to handle runAs user in ES 8.0+

[david-kow]

Implements @sebgl proposal from #2791 (comment). We should make a final call whether we want to only do it for 8.0+ and I can add that.

Also, for Kibana to work we also need a separate fix for 8.0 default resources issue - Kibana OOMs with 1Gi.

[pebrc]

This looks good. But I realise that we will have a problem with this flag for our OLM version of ECK because users cannot the flip this switch and OLM applies to both OpenShift and vanilla k8s environments, so no good default here. I am OK tackling that problem separately though, as long as we don't forget. [Update] TIL there seems to be a way to customize operators deployed via OLM through the subscription CRD https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md

[anyasabo]

TIL there seems to be a way to customize operators deployed via OLM through the subscription CRD https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md

This seems like a good argument to move to using env vars by default rather than cli flags (which take precedence): https://github.com/elastic/cloud-on-k8s/blob/master/hack/manifest-gen/assets/charts/eck/templates/statefulset.yaml#L58

[barkbay]

TIL there seems to be a way to customize operators deployed via OLM through the subscription CRD

This can't be done through the web ui though. Even if primary interest of OLM is no lost (managing the deployment and the lifecycle of the operator) it will be hard for users using the Openshift console to figure out what is happening.

[pebrc]

This can't be done through the web ui though.

Technically it can be done even in the OpenShift console if you count editing raw-YAML as "through the web ui"

[barkbay]

Technically it can be done even in the OpenShift console if you count editing raw-YAML as "through the web ui"

Agreed, but my point was more about the fact that it can't be done when the user clicks on the "Install" button. I think that most of the users are expecting an up and running operator when doing that, editing the raw content of the Subscription in a second step sounds like a broken process to me.

[pebrc]

LGTM!

[sebgl]

I'm good with the approach 👍

I would expect we also change the init container script to get rid of this block starting 8.0:

cloud-on-k8s/pkg/controller/elasticsearch/initcontainer/prepare_fs_script.go

Lines 114 to 128 in 090d2aa

	######################
	# Volumes chown #
	######################
	# chown the data and logs volume to the elasticsearch user
	# only done when running as root, other cases should be handled
	# with a proper security context
	chown_start=$(date +%s)
	if [[ $EUID -eq 0 ]]; then
	{{range .ChownToElasticsearch}}
	echo "chowning {{.}} to elasticsearch:elasticsearch"
	chown -v elasticsearch:elasticsearch {{.}}
	{{end}}
	fi
	echo "chown duration: $(duration $chown_start) sec."

Other than that we probably need some E2E tests tweak for ES 8.0 on Openshift, and the right documentation for this new behaviour, but that can be done as part of different PRs.

[sebgl]

Can we also add this setting to the list of explicit values in our manifest-gen: https://github.com/elastic/cloud-on-k8s/blob/master/hack/manifest-gen/assets/charts/eck/values.yaml
And to the default configmap: https://github.com/elastic/cloud-on-k8s/blob/master/hack/manifest-gen/assets/charts/eck/templates/configmap.yaml

Otherwise LGTM

[sebgl]

LGTM