[wazuh]: fix security context and permissions issues (#88)

Author: thread-koder

charts/wazuh/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.2.0
+version: 2.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/wazuh/templates/indexer/indexer-sts.yaml

@@ -39,18 +39,11 @@ spec:
           image: busybox
           resources:
             {{- toYaml .Values.indexer.initContainers.resources | nindent 12 }}
-          env:
-            - name: RUN_AS_USER
-              value: {{ .Values.indexer.initContainers.securityContext.runAsUser | quote }}
-            - name: RUN_AS_GROUP
-              value: {{ .Values.indexer.initContainers.securityContext.runAsGroup | quote }}
           command:
             - sh
             - '-c'
             - |
-              chown -R $RUN_AS_USER:$RUN_AS_GROUP /var/lib/wazuh-indexer
-          securityContext:
-            {{- toYaml .Values.indexer.initContainers.securityContext | nindent 12 }}
+              chown -R 1000:1000 /var/lib/wazuh-indexer
           volumeMounts:
             - name: wazuh-indexer
               mountPath: /var/lib/wazuh-indexer
@@ -61,7 +54,7 @@ spec:
             - -w
             - vm.max_map_count=262144
           securityContext:
-            {{- toYaml .Values.indexer.initContainers.securityContext | nindent 12 }}
+            privileged: true
       containers:
         - name: {{ include "wazuh.fullname" . }}-indexer
           securityContext:

charts/wazuh/values.yaml

@@ -88,9 +88,6 @@ indexer:
       limits:
         cpu: 100m
         memory: 256Mi
-    securityContext:
-      runAsUser: 1000 # Match Docker image UID (wazuh-indexer user)
-      runAsGroup: 1000 # Match Docker image GID
 
   config:
     sslEnabled: true
@@ -129,15 +126,10 @@ indexer:
 
   podSecurityContext:
     fsGroup: 1000 # Match Docker image user group
-    runAsUser: 1000 # Match Docker image UID (wazuh-indexer user)
-    runAsGroup: 1000 # Match Docker image GID
-    runAsNonRoot: true # Docker image runs as non-root user
 
   securityContext:
     runAsUser: 1000 # Match Docker image UID (wazuh-indexer user)
     runAsGroup: 1000 # Match Docker image GID
-    runAsNonRoot: true # Docker image runs as non-root user
-    allowPrivilegeEscalation: false # Security hardening
     capabilities:
       add: ["SYS_CHROOT"] # Required for OpenSearch/Elasticsearch
   # capabilities:
@@ -251,19 +243,12 @@ manager:
   master:
     podSecurityContext:
       fsGroup: 101 # Wazuh group GID (matches Docker image wazuh group)
-      runAsUser: 0 # Docker image runs as root (no USER directive)
-      runAsGroup: 0 # Root group
-      runAsNonRoot: false # Docker image runs as root
 
     podAnnotations: {}
 
     podLabels: {}
 
     securityContext:
-      runAsUser: 0 # Docker image runs as root (no USER directive)
-      runAsGroup: 0 # Root group
-      runAsNonRoot: false # Docker image runs as root
-      allowPrivilegeEscalation: false # Security hardening
       capabilities:
         add: ["SYS_CHROOT"] # Required for Wazuh manager
     # capabilities:
@@ -328,19 +313,12 @@ manager:
 
     podSecurityContext:
       fsGroup: 101 # Wazuh group GID (matches Docker image wazuh group)
-      runAsUser: 0 # Docker image runs as root (no USER directive)
-      runAsGroup: 0 # Root group
-      runAsNonRoot: false # Docker image runs as root
 
     podAnnotations: {}
 
     podLabels: {}
 
     securityContext:
-      runAsUser: 0 # Docker image runs as root (no USER directive)
-      runAsGroup: 0 # Root group
-      runAsNonRoot: false # Docker image runs as root
-      allowPrivilegeEscalation: false # Security hardening
       capabilities:
         add: ["SYS_CHROOT"] # Required for Wazuh manager
     # capabilities: