Cherry-pick #18873 to 7.x: Allow the Docker image to be run with a random user id (#12905)

[jsoriano]

Cherry-pick of PR #18873 to 7.x branch. Original message:

Apply changes on ownership proposed in #12905, but keep the permissions, to avoid the
issues reported in #18858.

I think this could be enough to run containers with arbitrary user ids, because beats don't need to write these files, only read them.

Make changes also to the kubernetes reference manifests to help running beats with arbitrary user ids. These manifests still won't work on restricted environments.

Fixes #18871
Changes were previously reverted in #18872

Co-authored-by: Michael Morello michael.morello@elastic.co

How to test

• Do it with auditbeat (that uses the root user by default), and with some other beat like metricbeat or filebeat (that use a non-root user by default):
  • Build the docker image for the beat with PLATFORMS=linux/amd64 mage package, or use one of the pre-built snapshots including this change.
  • Run the docker container with and without explicit user id, and check that beat is able to start and read configuration without --privileged and without BEAT_STRICT_PERMS.
    It should behave the same on these scenarios (auditbeat will fail to configure audit, this is expected unless --privileged --user 0 --pid=host is also used):
    • Default user: docker run -it --rm docker.elastic.co/beats/filebeat:8.0.0
    • Root: docker run -it --rm --user 0 docker.elastic.co/beats/filebeat:8.0.0
    • Beat user: docker run -it --rm --user 1000 docker.elastic.co/beats/filebeat:8.0.0
    • Arbitrary user (use any other user id): docker run -it --rm --user 100042 docker.elastic.co/beats/filebeat:8.0.0
  • Check that reference kubernetes manifests continue working as they are (using arbitrary user ids there will require more changes).

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)