Skip to content

Sysctls

Managing Sysctls via Init Containers📜

It is possible to use the built in initContainers to set the sysclts. This is needed for Elastic to set the values of vm.max_map_count.

Note that the recommended way to set the sysctls is by setting them directly on the cluster nodes. If this is not possible there are a couple of options.

The values.yaml file provides access to the elasticsearch serviceAccountName. This serviceAccount will be auto-created for you and used by elastic - defaults to “logging-elasticsearch”.

elasticsearch:
  serviceAccountName: "logging-elasticsearch"

An example of a service account that gives root access to the elastic pods (needed to give the init containers root) is given below.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ek-psp-role
rules:
- apiGroups:
  - policy
  resourceNames:
  - privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ek-sa-psp-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ek-psp-role
subjects:
- kind: ServiceAccount
  name: logging-elasticsearch
  namespace: logging

Using a Daemonset📜

It is possible to create a Daemonset that achieves the same goal as the init containers without giving the elastic pod root credentials.

An example is given below.

---
# Deny all network access to the pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ek-node-prep-deny-all
spec:
  podSelector:
    matchLabels:
      app: ek-node-prep
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elasticsearch-ds
  namespace: logging
  labels:
    app: ek-node-prep
spec:
  selector:
    matchLabels:
      name: elasticsearch-ds
  template:
    metadata:
      labels:
        name: elasticsearch-ds
        app: ek-node-prep
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccount: logging-elasticsearch
      containers:
      - name: elasticsearch-ds
        securityContext:
         privileged: true
        image: busybox:latest
        # image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.3
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        command:
        - "/bin/sh"
        - "-c"
        - |
          set -o errexit
          set -o xtrace
          while sysctl -w vm.max_map_count=262144
          do
            sleep 300s
          done