
[BUG][helm chart of opensearch] init container for fsgroup-volume requires root #480

Open
patrickdung opened this issue Oct 7, 2023 · 2 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@patrickdung

patrickdung commented Oct 7, 2023

Describe the bug
A clear and concise description of what the bug is.

The helm chart requires root. After the helm chart is deployed:

      initContainers:
      - args:
        - chown -R 1000:1000 /usr/share/opensearch/data
        command:
        - sh
        - -c
        image: busybox:latest
        imagePullPolicy: IfNotPresent
        name: fsgroup-volume
        resources: {}
        securityContext:
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /usr/share/opensearch/data
          name: opensearch-cluster-master

runAsUser: 0 is in securityContext.
This causes problems with some Kubernetes environments which do not allow running as root, like the OpenShift platform. On OpenShift, the workaround could be:
oc adm policy add-scc-to-user privileged -z default
But it requires cluster-admin level privilege and may not be possible for tenants to run.

To Reproduce
Steps to reproduce the behavior:
Deploy the default helm chart.

Expected behavior
Provide a method for users that cannot run the init container as root (user 0).

Chart Name
Specify the Chart which is affected?
opensearch-2.15.0

Screenshots
If applicable, add screenshots to help explain your problem.

Similar to level=error msg="container_linux.go:367: starting container process caused: exec: \"./opensearch-docker-entrypoint.sh\": stat ./opensearch-docker-entrypoint.sh: permission denied"
opensearch-project/opensearch-devops#97

Host/Environment (please complete the following information):

  • Helm Version: v3.13.0
  • Kubernetes Version: k3s 1.27.6

Additional context
Add any other context about the problem here.

https://forum.opensearch.org/t/opensearch-failing-on-openshift-environment/13052/3
#384
opensearch-project/opensearch-build#3625

@patrickdung patrickdung added bug Something isn't working untriaged Issues that have not yet been triaged labels Oct 7, 2023
@prudhvigodithi prudhvigodithi added good first issue Good for newcomers and removed untriaged Issues that have not yet been triaged labels Oct 10, 2023
@felix185

Is there a workaround for k8s, too?
On the cluster I am working with, there are policies that containers are not allowed to run as root. Another policy exists which forbids containers from running as privileged.

@patrickdung
Author

On a newer version of the helm chart (e.g. 2.21)

The default values should be like:

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

I think this should make the OpenSearch helm chart able to run as non-root by default.
I have already installed it on K3s; it should run as non-root.

For OpenShift, I think the users need to update the UID to the values that their namespace should use.
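Added example, not part of this issue thread or the OpenSearch chart: a small Python audit that checks a pod spec for the pattern in the original report (a chown init container with runAsUser: 0) and passes the pod-level fsGroup/runAsNonRoot layout from the last comment. The two pod specs are constructed to mirror the YAML quoted above (not the chart's rendered templates), and the function names `audit_pod_spec` and `_runs_as_root` are my own.

```python
"""Audit a Kubernetes pod spec for the root-requiring pattern discussed in this
issue: an init container that chowns the data volume as UID 0, versus letting
the kubelet set volume ownership through pod-level securityContext.fsGroup.

Added example; the pod specs below are constructed to mirror the YAML quoted
in the issue and are not taken from the chart's templates.
"""
from typing import Any


def _runs_as_root(container: dict[str, Any], pod_sc: dict[str, Any]) -> bool:
    """True if the effective runAsUser for this container is 0 (root).

    A container-level securityContext overrides the pod-level one. If neither
    sets runAsUser, the image's USER directive decides at runtime, so this
    check cannot prove root and returns False.
    """
    sc = container.get("securityContext") or {}
    if "runAsUser" in sc:
        return sc["runAsUser"] == 0
    if "runAsUser" in pod_sc:
        return pod_sc["runAsUser"] == 0
    return False


def audit_pod_spec(spec: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the spec passes.

    Checks:
      * any init container or container whose effective UID is 0
      * a chown-style init container where pod-level fsGroup would do the job
      * runAsNonRoot not enforced at pod or container level
    """
    findings: list[str] = []
    pod_sc = spec.get("securityContext") or {}
    all_containers = [(c, "initContainer") for c in spec.get("initContainers", [])]
    all_containers += [(c, "container") for c in spec.get("containers", [])]

    for c, kind in all_containers:
        if _runs_as_root(c, pod_sc):
            findings.append(f"{kind} {c['name']!r} runs as UID 0")
        sc = c.get("securityContext") or {}
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            findings.append(f"{kind} {c['name']!r} does not enforce runAsNonRoot")

    for c in spec.get("initContainers", []):
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        if "chown" in cmdline and "fsGroup" not in pod_sc:
            findings.append(
                f"initContainer {c['name']!r} chowns a volume; set pod "
                "securityContext.fsGroup instead of running chown as root"
            )
    return findings


# Constructed spec mirroring the chart default quoted in the report:
# a busybox init container doing chown as UID 0, no pod-level fsGroup.
DEFAULT_CHART_SPEC: dict[str, Any] = {
    "initContainers": [
        {
            "name": "fsgroup-volume",
            "image": "busybox:latest",
            "command": ["sh", "-c"],
            "args": ["chown -R 1000:1000 /usr/share/opensearch/data"],
            "securityContext": {"runAsUser": 0},
        }
    ],
    "containers": [
        {"name": "opensearch", "securityContext": {"runAsUser": 1000}}
    ],
}

# Constructed spec mirroring the non-root values from the last comment:
# ownership handled by fsGroup, no chown init container needed.
NON_ROOT_SPEC: dict[str, Any] = {
    "securityContext": {"fsGroup": 1000, "runAsUser": 1000},
    "containers": [
        {
            "name": "opensearch",
            "securityContext": {
                "capabilities": {"drop": ["ALL"]},
                "runAsNonRoot": True,
                "runAsUser": 1000,
            },
        }
    ],
}


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_CHART_SPEC), ("non-root", NON_ROOT_SPEC)):
        print(f"[{label}] findings: {audit_pod_spec(spec) or 'none'}")
```

Running it reports four findings for the default layout (the init container runs as UID 0, neither container enforces runAsNonRoot, and the chown is done where fsGroup would suffice) and none for the non-root layout. The same logic is what an admission policy would encode; the point is that fsGroup lets the kubelet fix volume ownership without any container ever needing UID 0.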
