
elasticsearch - Elastic Search (ECK) running as root - Stack Overflow


I'm trying to understand why Elastic Search is running as a root group (and how to stop it).

I have created a new AKS cluster and have followed the Elastic Quick start documentation to install the CRDs and the ES Operator:

kubectl create -f https://download.elastic.co/downloads/eck/2.16.1/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.16.1/operator.yaml

Then to install the Elastic Search cluster:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.17.3
  nodeSets:
  - name: default
    config:
      node.store.allow_mmap: false
    count: 3
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: default

The ECK documentation states that it will run with the following security context:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true

It does have a note saying that:

readOnlyRootFilesystem is only enabled if the elasticsearch-data directory is mounted in a volume.

I have added the VolumeClaimTemplates to the quickstart so that this criterion is met.

When I exec into the container it shows:

kubectl exec -it quickstart-es-default-0 -- bash
elasticsearch@quickstart-es-default-0:~$ id
uid=1000(elasticsearch) gid=1000(elasticsearch) groups=1000(elasticsearch),0(root)

It is the 0(root) that is concerning me.

Looking at the statefulset I can see the correct security context for the init containers and that it will run ES as:

  securityContext:
    fsGroup: 1000

Checking the pod security context:

kubectl get pod quickstart-es-default-0 -o jsonpath='{.spec.securityContext}'
{"fsGroup":1000}

Microsoft Defender states that the container is running as root, which I can only assume is due to the group 0 (root) being returned when the id command is run.

This stack post has some useful steps but I'm still confused as to why root is being added.

How can I stop it and satisfy Microsoft Defender?


asked Mar 17 at 17:12 by Gruss
  • Prevent Root Execution: Set runAsNonRoot: true in pod and container security contexts. Enforce User: Set runAsUser: 1000 to run as the Elasticsearch user. Fix Volume Permissions: Set fsGroup: 1000. Enhance Security: Drop all capabilities and set readOnlyRootFilesystem: true. Verify Fix: Run kubectl exec -it quickstart-es-default-0 -- id, expecting uid=1000 gid=1000 without gid=0(root). This should resolve the issue and satisfy Microsoft Defender – Venkat V Commented Mar 18 at 9:40
  • Thanks @VenkatV, it was runAsGroup that needed to be set, which I thought I had tested before I posted! – Gruss Commented Mar 20 at 10:14

1 Answer

Just in case anyone else is looking at how to resolve this, the answer was to add runAsGroup to the security context:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.17.3
  nodeSets:
  - name: default
    config:
      node.store.allow_mmap: false
    count: 1
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 6Gi
        storageClassName: local-path
    podTemplate:
      spec:
        # This isn't needed as it is set by default:
        # containers:
        # - name: elasticsearch
        #   securityContext:
        #     allowPrivilegeEscalation: false
        #     capabilities:
        #       drop:
        #         - ALL
        #     privileged: false
        #     readOnlyRootFilesystem: true
        #     runAsNonRoot: true
        securityContext:
          fsGroup: 1001
          runAsUser: 1001
          runAsGroup: 1001

Setting allowPrivilegeEscalation and dropping the capabilities isn't necessary as this is the default (as the documentation states).
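An added check script (not code from the question, the answer, or the ECK project) that parses the `id` output the question shows and fails whenever gid 0 appears as the primary or a supplementary group, so the runAsGroup fix above can be verified before Defender re-scans. It assumes the pod name, the container name `elasticsearch`, and kubectl access to the cluster; the parsing function runs offline on a captured `id` line.

```bash
#!/usr/bin/env bash
# Added example: detect whether a container's effective identity still carries
# the root group (gid 0), which is what "groups=1000(elasticsearch),0(root)"
# showed in the question before runAsGroup was set.
set -eu

# id_has_root_group LINE: returns 0 when LINE (one line of `id` output)
# has gid 0 as the primary gid or in the groups= list, 1 otherwise.
id_has_root_group() {
  local line="$1" groups_field g
  case "$line" in
    *" gid=0("*) return 0 ;;          # primary gid is root
  esac
  case "$line" in
    *groups=*) ;;                      # fall through and parse the list
    *) return 1 ;;                     # no supplementary groups shown
  esac
  groups_field="${line##*groups=}"     # "1000(elasticsearch),0(root) ..."
  groups_field="${groups_field%% *}"   # keep only the comma-separated list
  local IFS=','
  for g in $groups_field; do
    [ "${g%%\(*}" = "0" ] && return 0  # numeric id before "(name)" is 0
  done
  return 1
}

# check_pod POD [CONTAINER]: prints the pod-level securityContext (to compare
# runAsUser/runAsGroup/fsGroup with the live result), runs `id` in the
# container and returns 1 if the root group is still present.
check_pod() {
  local pod="$1" container="${2:-elasticsearch}" line
  kubectl get pod "$pod" -o jsonpath='{.spec.securityContext}'; echo
  line="$(kubectl exec "$pod" -c "$container" -- id)"
  echo "$line"
  if id_has_root_group "$line"; then
    echo "FAIL: $pod still has gid 0 (root); set runAsGroup in podTemplate.spec.securityContext" >&2
    return 1
  fi
  echo "OK: $pod runs without the root group"
}

# Usage: ./check_es_identity.sh quickstart-es-default-0
if [ "$#" -gt 0 ]; then
  check_pod "$@"
fi
```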
