Add additional volume for Kibana logs when hardened security context …

…is enabled (elastic#8380)

* Add additional volume for Kibana logs when hardened security context is enabled.

Co-authored-by: Peter Brachwitz <[email protected]>

---------

Signed-off-by: Michael Montgomery <[email protected]>
Co-authored-by: Peter Brachwitz <[email protected]>

pkg/controller/kibana/driver_test.go

@@ -531,6 +531,12 @@ func expectedDeploymentParams() deployment.Params {
 							EmptyDir: &corev1.EmptyDirVolumeSource{},
 						},
 					},
+					{
+						Name: "kibana-logs",
+						VolumeSource: corev1.VolumeSource{
+							EmptyDir: &corev1.EmptyDirVolumeSource{},
+						},
+					},
 					{
 						Name: "kibana-plugins",
 						VolumeSource: corev1.VolumeSource{
@@ -586,6 +592,11 @@ func expectedDeploymentParams() deployment.Params {
 							ReadOnly:  falseVal,
 							MountPath: DataVolumeMountPath,
 						},
+						{
+							Name:      "kibana-logs",
+							ReadOnly:  falseVal,
+							MountPath: "/usr/share/kibana/logs",
+						},
 						{
 							Name:      "kibana-plugins",
 							ReadOnly:  falseVal,
@@ -632,6 +643,11 @@ func expectedDeploymentParams() deployment.Params {
 							ReadOnly:  falseVal,
 							MountPath: DataVolumeMountPath,
 						},
+						{
+							Name:      "kibana-logs",
+							ReadOnly:  falseVal,
+							MountPath: "/usr/share/kibana/logs",
+						},
 						{
 							Name:      "kibana-plugins",
 							ReadOnly:  falseVal,

pkg/controller/kibana/pod.go

@@ -35,6 +35,8 @@ const (
 	DataVolumeMountPath          = "/usr/share/kibana/data"
 	PluginsVolumeName            = "kibana-plugins"
 	PluginsVolumeMountPath       = "/usr/share/kibana/plugins"
+	LogsVolumeName               = "kibana-logs"
+	LogsVolumeMountPath          = "/usr/share/kibana/logs"
 	TempVolumeName               = "temp-volume"
 	TempVolumeMountPath          = "/tmp"
 	KibanaBasePathEnvName        = "SERVER_BASEPATH"
@@ -53,6 +55,10 @@ var (
 	// the Kibana pod has readOnlyRootFilesystem set to true.
 	PluginsVolume = volume.NewEmptyDirVolume(PluginsVolumeName, PluginsVolumeMountPath)
 
+	// LogsVolume can be used to persist logs even when
+	// the Kibana pod has readOnlyRootFilesystem set to true.
+	LogsVolume = volume.NewEmptyDirVolume(LogsVolumeName, LogsVolumeMountPath)
+
 	// TempVolume can be used for some reporting features when the Kibana pod has
 	// readOnlyRootFilesystem set to true.
 	TempVolume = volume.NewEmptyDirVolume(TempVolumeName, TempVolumeMountPath)
@@ -143,8 +149,9 @@ func NewPodTemplateSpec(
 	if v.GTE(version.From(7, 10, 0)) && setDefaultSecurityContext {
 		builder.WithContainersSecurityContext(defaultSecurityContext).
 			WithPodSecurityContext(defaultPodSecurityContext).
-			WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount()).
-			WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount())
+			WithVolumes(LogsVolume.Volume()).WithVolumeMounts(LogsVolume.VolumeMount()).
+			WithVolumes(PluginsVolume.Volume()).WithVolumeMounts(PluginsVolume.VolumeMount()).
+			WithVolumes(TempVolume.Volume()).WithVolumeMounts(TempVolume.VolumeMount())
 	}
 
 	if keystore != nil {

pkg/controller/kibana/pod_test.go

@@ -219,9 +219,9 @@ func TestNewPodTemplateSpec(t *testing.T) {
 			}},
 			assertions: func(pod corev1.PodTemplateSpec) {
 				assert.Len(t, pod.Spec.InitContainers, 1)
-				assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 5)
-				assert.Len(t, pod.Spec.Volumes, 3)
-				assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 3)
+				assert.Len(t, pod.Spec.InitContainers[0].VolumeMounts, 6)
+				assert.Len(t, pod.Spec.Volumes, 4)
+				assert.Len(t, GetKibanaContainer(pod.Spec).VolumeMounts, 4)
 				assert.Equal(t, GetKibanaContainer(pod.Spec).SecurityContext, &defaultSecurityContext)
 			},
 		},