Enhancement request: Elasticsearch docker image and helm chart should support readonly filesystem to make it more secure #138835
Description
Description
Is your feature request related to a problem? Please describe.
I am trying to configure Elasticsearch to run on a read-only filesystem for enhanced security and compliance requirements. However, there is limited documentation or guidance on how to achieve this setup, especially for Kubernetes or Helm-based deployments. It is unclear which paths need to remain writable for Elasticsearch to function correctly.
Describe the solution you'd like
I would like clear documentation or configuration options to support running Elasticsearch on a read-only filesystem. This could include:
A list of directories or paths that must remain writable.
Helm chart values or Kubernetes configurations to enable a read-only filesystem.
Best practices for securing Elasticsearch in such environments.
Describe alternatives you've considered
Attempted to use readOnlyRootFilesystem: true in Kubernetes security contexts, but encountered issues with certain writable paths.
Tried mounting specific writable volumes for logs or temporary files, but it is unclear which paths are mandatory.
Explored Docker’s --read-only flag, but faced similar challenges.
Additional context
Add any other context or screenshots about the feature request here.
List of images:
Elasticsearch : 7.17.29
Any guidance or support on this would be greatly appreciated. Thank you!