[FSH] Removed kibana user from root group#244798
Merged
elena-shostak merged 16 commits intoelastic:mainfrom Dec 22, 2025
Merged
[FSH] Removed kibana user from root group#244798elena-shostak merged 16 commits intoelastic:mainfrom
elena-shostak merged 16 commits intoelastic:mainfrom
Conversation
elena-shostak
added
Feature:Hardening
elena-shostak
added
ci:cloud-deploy
elena-shostak
added
ci:build-cloud-image
and removed
ci:cloud-deploy
Contributor
Author
|
/ci |
elena-shostak
added
ci:project-deploy-security
elena-shostak
added
ci:build-serverless-image
and removed
ci:build-serverless-image
labels
Contributor
|
Project deployed, see credentials at: https://buildkite.com/elastic/kibana-deploy-project-from-pr/builds/811 |
Contributor
|
Pinging @elastic/kibana-security (Team:Security) |
Contributor
|
A few considerations for self managed Kibana:
If we're okay with these tradeoffs I think it would good to make sure there's a release note on the change and what to do if effected. |
elena-shostak
added
release_note:deprecation
and removed
release_note:skip
Contributor
Author
|
cc @legrego / @azasypkin to confirm on release note and consistency adjustment (I've put release note as deprecation) |
Contributor
Author
|
@jbudz what is the best way to roll it out for us first? |
Contributor
The Dockerfile is templated using handlebars, there's a few variables available: cloud, fips, serverless, depending on how we want to define it. In the context of us, are you thinking everything except self managed artifacts? |
Contributor
Author
yep |
elena-shostak
commented
Dec 11, 2025
src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
Outdated
Show resolved
Hide resolved
jbudz
approved these changes
Dec 18, 2025
Contributor
|
Small note on the cloud variable because it's confusing: |
Contributor
💚 Build Succeeded
Metrics [docs]
History
|
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Jan 6, 2026
## Summary We initially added Kibana to the root group as part of this issue https://discuss.elastic.co/t/group-permission-inconsistency-between-kibana-and-elasticsearch-docker-images/261051 I seems to be excessive to add kibana to the group for this specific self-hosted case (if even relevant anymore). User is also added to the group with GID 1000 and you can use GID 1000 for bind-mounted directories. If there is anything I'm missing, please let me know. ## Release Note Kibana user is removed from the root group (GID 0) on cloud. The Kibana user (UID 1000) remains in the primary group (GID 1000), which can be used for bind-mounted directories. OpenShift deployments will continue to work correctly, docker image sets up files and directories with GID 0 ownership and group write permissions, which allows containers to function properly regardless of the Kibana user's group membership.
dej611
pushed a commit
to dej611/kibana
that referenced
this pull request
Jan 8, 2026
## Summary We initially added Kibana to the root group as part of this issue https://discuss.elastic.co/t/group-permission-inconsistency-between-kibana-and-elasticsearch-docker-images/261051 I seems to be excessive to add kibana to the group for this specific self-hosted case (if even relevant anymore). User is also added to the group with GID 1000 and you can use GID 1000 for bind-mounted directories. If there is anything I'm missing, please let me know. ## Release Note Kibana user is removed from the root group (GID 0) on cloud. The Kibana user (UID 1000) remains in the primary group (GID 1000), which can be used for bind-mounted directories. OpenShift deployments will continue to work correctly, docker image sets up files and directories with GID 0 ownership and group write permissions, which allows containers to function properly regardless of the Kibana user's group membership.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
We initially added Kibana to the root group as part of this issue https://discuss.elastic.co/t/group-permission-inconsistency-between-kibana-and-elasticsearch-docker-images/261051
I seems to be excessive to add kibana to the group for this specific self-hosted case (if even relevant anymore). User is also added to the group with GID 1000 and you can use GID 1000 for bind-mounted directories.
If there is anything I'm missing, please let me know.
Release Note
Kibana user is removed from the root group (GID 0) on serverless. The Kibana user (UID 1000) remains in the primary group (GID 1000), which can be used for bind-mounted directories. OpenShift deployments will continue to work correctly, docker image sets up files and directories with GID 0 ownership and group write permissions, which allows containers to function properly regardless of the Kibana user's group membership.