Add additional volume for Kibana logs when hardened security context …
…is enabled (#8380) (#8408)

* Add additional volume for Kibana logs when hardened security context is enabled.

Co-authored-by: Peter Brachwitz <[email protected]>

---------

Signed-off-by: Michael Montgomery <[email protected]>
Co-authored-by: Peter Brachwitz <[email protected]>
(cherry picked from commit 186d4fb)
naemono authored Jan 15, 2025

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 8ecd6e0 commit b983dd1
Showing 3 changed files with 28 additions and 5 deletions.
16 changes: 16 additions & 0 deletions pkg/controller/kibana/driver_test.go
@@ -531,6 +531,12 @@ func expectedDeploymentParams() deployment.Params {
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: "kibana-logs",
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: "kibana-plugins",
VolumeSource: corev1.VolumeSource{
@@ -586,6 +592,11 @@ func expectedDeploymentParams() deployment.Params {
ReadOnly: falseVal,
MountPath: DataVolumeMountPath,
},
{
Name: "kibana-logs",
ReadOnly: falseVal,
MountPath: "/usr/share/kibana/logs",
},
{
Name: "kibana-plugins",
ReadOnly: falseVal,
@@ -632,6 +643,11 @@ func expectedDeploymentParams() deployment.Params {
ReadOnly: falseVal,
MountPath: DataVolumeMountPath,
},
{
Name: "kibana-logs",
ReadOnly: falseVal,
MountPath: "/usr/share/kibana/logs",
},
{
Name: "kibana-plugins",
ReadOnly: falseVal,
11 changes: 9 additions & 2 deletions pkg/controller/kibana/pod.go
@@ -35,6 +35,8 @@ const (
DataVolumeMountPath = "/usr/share/kibana/data"
PluginsVolumeName = "kibana-plugins"
PluginsVolumeMountPath = "/usr/share/kibana/plugins"
LogsVolumeName = "kibana-logs"
LogsVolumeMountPath = "/usr/share/kibana/logs"
TempVolumeName = "temp-volume"
TempVolumeMountPath = "/tmp"
KibanaBasePathEnvName = "SERVER_BASEPATH"
@@ -53,6 +55,10 @@ var (
// the Kibana pod has readOnlyRootFilesystem set to true.
PluginsVolume = volume.NewEmptyDirVolume(PluginsVolumeName, PluginsVolumeMountPath)

// LogsVolume can be used to persist logs even when
// the Kibana pod has readOnlyRootFilesystem set to true.
LogsVolume = volume.NewEmptyDirVolume(LogsVolumeName, LogsVolumeMountPath)

// TempVolume can be used for some reporting features when the Kibana pod has
// readOnlyRootFilesystem set to true.
TempVolume = volume.NewEmptyDirVolume(TempVolumeName, TempVolumeMountPath)
@@ -143,8 +149,9 @@ func NewPodTemplateSpec(
if v.GTE(version.From(7, 10, 0)) && setDefaultSecurityContext {
builder.WithContainersSecurityContext(defaultSecurityContext).
WithPodSecurityContext(defaultPodSecurityContext).
WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount()).
WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount())
WithVolumes(LogsVolume.Volume()).WithVolumeMounts(LogsVolume.VolumeMount()).
WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount()).
WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount())
}

if keystore != nil {
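Review bot: The comment added above `LogsVolume` says the volume can "persist logs", but it is built with `volume.NewEmptyDirVolume`, and an emptyDir is removed together with the pod, so anything Kibana writes under `/usr/share/kibana/logs` is lost on rescheduling or deletion. I would reword it to `// LogsVolume gives Kibana a writable logs directory when readOnlyRootFilesystem is true.` followed by `// It is an emptyDir: logs are lost with the pod and must be shipped elsewhere if they are needed for audit.` No size limit is visible at this call, and whether `NewEmptyDirVolume` sets one is not shown here; if it does not, file logging into this directory counts against the node's ephemeral storage and is worth bounding. The `var` block and `NewPodTemplateSpec` both continue outside the hunks shown.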
6 changes: 3 additions & 3 deletions pkg/controller/kibana/pod_test.go
@@ -219,9 +219,9 @@ func TestNewPodTemplateSpec(t *testing.T) {
}},
assertions: func(pod corev1.PodTemplateSpec) {
assert.Len(t, pod.Spec.InitContainers, 1)
assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 5)
assert.Len(t, pod.Spec.Volumes, 3)
assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 3)
assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 6)
assert.Len(t, pod.Spec.Volumes, 4)
assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 4)
assert.Equal(t, GetKibanaContainer(pod.Spec).SecurityContext, &defaultSecurityContext)
},
},
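Review bot: The updated assertions in `TestNewPodTemplateSpec` only check counts (6, 4 and 4), so they would still pass if the logs volume were mounted at the wrong path or if it displaced another volume. Adding `assert.Contains(t, GetKibanaContainer(pod.Spec).VolumeMounts, LogsVolume.VolumeMount())` next to the length checks would pin the mount itself. This assumes `VolumeMount()` returns a `corev1.VolumeMount`, as its use with `WithVolumeMounts` in pod.go suggests. The test table entry starts outside the hunk.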
