Deploy Docker images with anyuid SCC
Starting with version 7.9, it is possible to run the APM Server with the restricted SCC. For APM versions older than 7.9 and Enterprise Search version 7.9, you can use this workaround, which allows the Pod to run with the default uid 1000 by assigning it to the anyuid SCC:
- Create a service account to run the APM Server:

    oc create serviceaccount apm-server -n elastic

- Add the APM service account to the anyuid SCC:

    oc adm policy add-scc-to-user anyuid -z apm-server -n elastic
    scc "anyuid" added to: ["system:serviceaccount:elastic:apm-server"]

- Deploy an APM Server and a Route with the following manifest:

    cat <<EOF | oc apply -n elastic -f -
    apiVersion: apm.k8s.elastic.co/v1
    kind: ApmServer
    metadata:
      name: apm-server-sample
    spec:
      version: 8.16.0
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      podTemplate:
        spec:
          serviceAccountName: apm-server
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: apm-server-sample
    spec:
      #host: apm-server.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
      tls:
        termination: passthrough # the APM Server is the TLS endpoint
        insecureEdgeTerminationPolicy: Redirect
      to:
        kind: Service
        name: apm-server-sample-apm-http
    EOF
To check that the Pod of the APM Server is using the correct SCC, use the following command:

    oc get pod -o go-template='{{range .items}}{{$scc := index .metadata.annotations "openshift.io/scc"}}{{.metadata.name}}{{" scc:"}}{{range .spec.containers}}{{$scc}}{{" "}}{{"\n"}}{{end}}{{end}}'
    apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
    elasticsearch-sample-es-5tsqghmm79 scc:restricted
    elasticsearch-sample-es-6qk52mz5jk scc:restricted
    elasticsearch-sample-es-dg4vvpm2mr scc:restricted
    kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted
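The go-template above shows which SCC each Pod was admitted under, but it does not tell you whether anyuid stayed scoped to the apm-server service account. The following added example (not part of the ECK documentation) reads the same `openshift.io/scc` annotation from `oc get pod -n elastic -o json` output and flags any Pod admitted under anyuid whose service account is not on an allow list; the Pod list embedded here is constructed sample data, and the function name and allow list are assumptions.

```python
import json

# Constructed sample of `oc get pod -n elastic -o json` output (not real cluster data).
# The third Pod is deliberately wrong: it runs under anyuid through the default SA.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "apm-server-sample-apm-server-86bfc5c95c-96lbx",
                      "annotations": {"openshift.io/scc": "anyuid"}},
         "spec": {"serviceAccountName": "apm-server"}},
        {"metadata": {"name": "elasticsearch-sample-es-5tsqghmm79",
                      "annotations": {"openshift.io/scc": "restricted"}},
         "spec": {"serviceAccountName": "default"}},
        {"metadata": {"name": "kibana-sample-kb-97c6b6b8d-lqfd2",
                      "annotations": {"openshift.io/scc": "anyuid"}},
         "spec": {"serviceAccountName": "default"}},
    ]
})

# Service accounts that are expected to be admitted under anyuid in this namespace
# (assumption: only the APM Server service account created above).
ALLOWED_ANYUID_SERVICE_ACCOUNTS = {"apm-server"}


def pod_scc_report(pod_list_json, allowed=ALLOWED_ANYUID_SERVICE_ACCOUNTS):
    """Return (scc_by_pod, violations).

    scc_by_pod maps each Pod name to the SCC it was admitted under.
    violations lists (pod, service_account) pairs admitted under anyuid whose
    service account is not on the allow list, i.e. the grant leaked beyond the
    APM Server and should be investigated or revoked.
    """
    pods = json.loads(pod_list_json)["items"]
    scc_by_pod = {}
    violations = []
    for pod in pods:
        name = pod["metadata"]["name"]
        # A missing annotation means no SCC admitted this Pod; report it as such.
        scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc", "<none>")
        sa = pod["spec"].get("serviceAccountName", "default")
        scc_by_pod[name] = scc
        if scc == "anyuid" and sa not in allowed:
            violations.append((name, sa))
    return scc_by_pod, violations


if __name__ == "__main__":
    report, bad = pod_scc_report(SAMPLE_POD_LIST)
    for name, scc in report.items():
        print(f"{name} scc:{scc}")
    for name, sa in bad:
        print(f"WARNING: {name} admitted under anyuid via service account {sa!r}")
```

On a live cluster, pipe `oc get pod -n elastic -o json` into `pod_scc_report` instead of the constructed sample.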