Michael Morello

This PR adds a CPU recommender to the Autoscaling controller. Fixes https://github.com/elastic/cloud-on-k8s/issues/5823

Fix #5917 by setting `ssl.verification_mode` to `certificate` in the Beat output configuration. This PR also adds a unit test to cover `newBeatConfig` and `buildOutputConfig`.

E2E: Use Kyverno to enforce security constraints

3

Alternative to https://github.com/elastic/cloud-on-k8s/pull/5820/ I think I'll close #5820 in favour of this one as [Kyverno](https://kyverno.io/) is simpler to apprehend. The Open Policy Agent is great, the idea of having `ConstraintTemplates`...

Some deciders should soon include a `processors` field in the autoscaling capacity response: https://github.com/elastic/elasticsearch/pull/87895 We should evaluate how this information can be used by the operator.

[Run as non-root Elasticsearch](https://www.elastic.co/guide/en/cloud-on-k8s/2.3/k8s-security-context.html#k8s_run_as_non_root_elasticsearch) is outdated: > By default, the Elastisearch container is run as root and its entrypoint is responsible to run the Elasticsearch process with the elasticsearch user...

[E2E][Snapshot] TestNameValidation is flaky

1

`TestNameValidation/longestPossibleName/ApmServer_should_accept_event_and_write_data_to_Elasticsearch` [failed](https://devops-ci.elastic.co/job/cloud-on-k8s-e2e-tests-snapshot-versions/636/testReport/github/com_elastic_cloud-on-k8s_v2_test_e2e/TestNameValidation_longestPossibleName_ApmServer_should_accept_event_and_write_data_to_Elasticsearch/) with the following error: ``` === RUN TestNameValidation/longestPossibleName/ApmServer_should_accept_event_and_write_data_to_Elasticsearch Retries (30m0s timeout): ....................................................... step.go:43: Error Trace: utils.go:88 Error: Received unexpected error: elasticsearch client failed for https://es-naming-lhpx-xxxxxxxxxxxxxxxxxxxxx-es-internal-http.e2e-4bw2c-mercury.svc:9200/metrics-apm.app.1234_service_12a3-default/_count: 404 Not Found:...

TestMutationSecondMasterSetDown is flaky

4

`TestMutationSecondMasterSetDown` failed 4 times today: * [cloud-on-k8s-e2e-tests-gke-k8s-versions](https://devops-ci.elastic.co/job/cloud-on-k8s-e2e-tests-gke-k8s-versions/770/testReport/) on GKE `1.20` and `1.22` * [cloud-on-k8s-e2e-tests-kind-k8s-versions](https://devops-ci.elastic.co/job/cloud-on-k8s-e2e-tests-kind-k8s-versions/790/testReport/) on Kind `1.23.6 IPV6` * [cloud-on-k8s-e2e-tests-main](https://devops-ci.elastic.co/job/cloud-on-k8s-e2e-tests-main/384/testReport/) ``` === RUN TestMutationSecondMasterSetDown/Elasticsearch_cluster_health_should_not_have_been_red_during_mutation_process steps_mutation.go:150: Elasticsearch cluster health check failure...

Elasticsearch should include new deciders in the near future to decide whether or not a cluster should run with dedicated masters: https://github.com/elastic/elasticsearch/pull/81297 We should evaluate if we want these deciders...

`PodSecurityPolicy` API is removed in K8S `1.25`. While this API is not actively used by the operator we rely on it to ensure that stack applications are running with restricted...

When referenced in the Elasticsearch configuration file, environment variables must not only be set in the elasticsearch container but also in the keystore init-container. Otherwise `/usr/share/elasticsearch/bin/elasticsearch-keystore` may not be able...