Deploy Docker images with anyuid SCC


Starting with version 7.9, the APM Server can run with the restricted SCC. For APM Server versions older than 7.9 and for Enterprise Search version 7.9, you can use the following workaround, which lets the Pod run with the image's default uid 1000 by assigning it to the anyuid SCC. The grant is made to a dedicated service account in the namespace rather than to the namespace's default account, so only Pods that explicitly use that service account can bypass the uid range that the restricted SCC would otherwise enforce:

  1. Create a service account to run the APM Server:

    oc create serviceaccount apm-server -n elastic
  2. Add the APM service account to the anyuid SCC:

    oc adm policy add-scc-to-user anyuid -z apm-server -n elastic
    scc "anyuid" added to: ["system:serviceaccount:elastic:apm-server"]
  3. Deploy an APM Server and a Route with the following manifest:

    cat <<EOF | oc apply -n elastic -f -
    apiVersion: apm.k8s.elastic.co/v1
    kind: ApmServer
    metadata:
      name: apm-server-sample
    spec:
      version: 8.16.0 # set to the APM Server version you are actually deploying
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      podTemplate:
        spec:
          serviceAccountName: apm-server
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: apm-server-sample
    spec:
      #host: apm-server.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
      tls:
        termination: passthrough # the APM Server is the TLS endpoint
        insecureEdgeTerminationPolicy: Redirect
      to:
        kind: Service
        name: apm-server-sample-apm-http
    EOF

    To check that the Pod of the APM Server is using the correct SCC, use the following command:

    oc get pod -o go-template='{{range .items}}{{$scc := index .metadata.annotations "openshift.io/scc"}}{{.metadata.name}}{{" scc:"}}{{range .spec.containers}}{{$scc}}{{" "}}{{"\n"}}{{end}}{{end}}'
    apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
    elasticsearch-sample-es-5tsqghmm79 scc:restricted
    elasticsearch-sample-es-6qk52mz5jk scc:restricted
    elasticsearch-sample-es-dg4vvpm2mr scc:restricted
    kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted
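To keep the anyuid grant auditable, here is an added example that is not part of the ECK documentation or the ECK project: it parses the JSON that `oc get pod -n elastic -o json` prints (Python rather than a go-template so the allow-list logic stays readable), lists each pod's SCC and service account, and flags any pod admitted under an elevated SCC through a service account that was not deliberately granted it. The pod list embedded in the script is constructed to resemble that output; the two extra pods, the allow-list and the file name audit_scc.py are illustrative.

```python
"""Audit which SCC each pod in a namespace was admitted under.

Added example for this page; not ECK or OpenShift code. It reads the JSON
printed by `oc get pod -n <ns> -o json` and flags pods that landed on an
elevated SCC (anyuid, privileged, ...) through a service account that was
not deliberately granted it. The embedded pod list is constructed.
"""
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"

# Built-in OpenShift SCCs that relax uid, host or capability restrictions.
# Anything in this set is a grant that should have a known owner.
ELEVATED_SCCS = {"anyuid", "hostaccess", "hostmount-anyuid", "hostnetwork", "privileged"}

# Constructed sample shaped like `oc get pod -n elastic -o json` after the
# steps above (only the fields the audit reads). Two extra pods are included
# to show what a finding looks like: one on anyuid via the wrong service
# account, and one that has not been admitted yet.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "apm-server-sample-apm-server-86bfc5c95c-96lbx",
                      "annotations": {SCC_ANNOTATION: "anyuid"}},
         "spec": {"serviceAccountName": "apm-server"}},
        {"metadata": {"name": "elasticsearch-sample-es-5tsqghmm79",
                      "annotations": {SCC_ANNOTATION: "restricted"}},
         "spec": {"serviceAccountName": "default"}},
        {"metadata": {"name": "kibana-sample-kb-97c6b6b8d-lqfd2",
                      "annotations": {SCC_ANNOTATION: "restricted"}},
         "spec": {"serviceAccountName": "default"}},
        {"metadata": {"name": "debug-shell-7d9f5",
                      "annotations": {SCC_ANNOTATION: "anyuid"}},
         "spec": {"serviceAccountName": "default"}},
        {"metadata": {"name": "pending-job-xyz12", "annotations": {}},
         "spec": {"serviceAccountName": "default"}},
    ]
})


def pod_sccs(pod_list_json):
    """Return [(pod name, service account, scc)] for every pod in the list.

    scc is None when admission has not annotated the pod yet (e.g. still pending).
    A pod without spec.serviceAccountName runs as the namespace's "default" account.
    """
    rows = []
    for item in json.loads(pod_list_json).get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        scc = meta.get("annotations", {}).get(SCC_ANNOTATION)
        rows.append((meta.get("name", "<unnamed>"), spec.get("serviceAccountName", "default"), scc))
    return rows


def audit_sccs(pod_list_json, allowed):
    """Flag pods on an elevated SCC that their service account was not approved for.

    allowed maps service account -> set of SCC names it may use, e.g.
    {"apm-server": {"anyuid"}} for the grant made in step 2 above.
    Returns [(pod, reason, scc, service account)] where reason is
    "unapproved-scc" or "missing-annotation".
    """
    findings = []
    for name, sa, scc in pod_sccs(pod_list_json):
        if scc is None:
            findings.append((name, "missing-annotation", None, sa))
        elif scc in ELEVATED_SCCS and scc not in allowed.get(sa, set()):
            findings.append((name, "unapproved-scc", scc, sa))
    return findings


def render(pod_list_json):
    """One line per pod, like the go-template in the docs, plus the service account."""
    return "\n".join(f"{name} scc:{scc or '<none>'} sa:{sa}"
                     for name, sa, scc in pod_sccs(pod_list_json))


if __name__ == "__main__":
    # Usage: oc get pod -n elastic -o json | python3 audit_scc.py
    # Falls back to the constructed sample when nothing is piped in.
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    print(render(data))
    for pod, reason, scc, sa in audit_sccs(data, {"apm-server": {"anyuid"}}):
        print(f"FINDING {pod}: {reason} scc={scc} serviceaccount={sa}")
```

Run it against the live namespace with `oc get pod -n elastic -o json | python3 audit_scc.py`. After step 3 the only acceptable anyuid pod is the APM Server's, and it should have got there through the apm-server service account; any other pod on anyuid means the grant has spread further than intended.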