#rke2

future-monitor-61871

08/23/2022, 9:41 PM
The elastic operator is deploying elasticsearch w/ an init container that has to run as root. It's setting the vm.max_map_count to 262144. RKE2 is barfing on the stateful set creation: "create Pod elasticsearch-master-0 in StatefulSet elasticsearch-master failed error: pods "elasticsearch-master-0" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.initContainers[0].securityContext.runAsUser: Invalid value: 0: running with the root UID is forbidden spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]" What's the proper way to get elastic to run inside RKE2?

creamy-pencil-82913

08/23/2022, 9:43 PM
Sounds like you’ve enabled one of the CIS hardened profiles that enforces pod security policy. You can disable that hardening, or modify the elasticsearch deployment to not run a privileged, root container.

future-monitor-61871

08/23/2022, 9:44 PM
Yes, we're running cis 1.6 I think.

creamy-pencil-82913

08/23/2022, 9:52 PM
yep that’d do it.

future-monitor-61871

08/23/2022, 9:55 PM
Well, we'll just set that setting on the bare metal and comment out the init pod in the chart that is trying to do it.

creamy-pencil-82913

08/23/2022, 9:58 PM
you might check with the operator project to see if they have a different way of addressing that problem, or if there is an open issue for supporting hardened clusters.

cuddly-restaurant-47972

08/24/2022, 5:22 PM