In Kubernetes, a
securityContext defines privilege and access control settings for a Pod or Container. You can set up it through the
podTemplate section of an Elastic resource specification.
By default, the Elastisearch container is run as root and its entrypoint is responsible to run the Elasticsearch process with the
elasticsearch user (defined with ID 1000). In the background, ECK makes sure via an
initContainer that the data volume is writable for the
To run the Elastisearch container as a non-root user, you need to configure the Elasticsearch manifest with an appropriate security context to make the data volume writable to the
elasticsearch user by specifying the right group ID through the
Kubernetes recursively changes ownership and permissions for the contents of each volume to match the
fsGroup specified in a Pod’s securityContext when that volume is mounted and makes all processes of the containers part of the supplementary group ID.
For example, if you force the Pod to run as user
1234, you need to set
fsGroup accordingly to
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 8.8.0 spec: nodeSets: - name: default count: 3 podTemplate: spec: securityContext: runAsUser: 1234 fsGroup: 1234
Intro to Kibana
ELK for Logs & Metrics