Security Variables

You can use the following variables in the Logging custom resource to configure the security settings of the containers deployed by the Logging operator.

| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| roleBasedAccessControlCreate | bool | No | True | Create RBAC resources. For examples, see Using RBAC Authorization. |
| podSecurityPolicyCreate | bool | No | False | Create PSP resources. |
| serviceAccount | string | No | - | Set ServiceAccount. For examples, see Service Account. |
| securityContext | SecurityContext | No | {} | SecurityContext holds security configuration that will be applied to a container. For examples, see Security Context. |
| podSecurityContext | PodSecurityContext | No | {} | PodSecurityContext holds pod-level security attributes and common container settings. For examples, see Enabling Pod Security Policies. |

Using RBAC Authorization

By default, RBAC is enabled.

Deploy with Kubernetes Manifests

Create logging resource with RBAC

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Deploy with Helm

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
    --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True

Example Manifest Generated by the operator

Fluentd Role & RoleBinding Output

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - '*'

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: logging-demo-nginx-logging-demo-logging-fluentd
subjects:
- kind: ServiceAccount
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging

Fluentbit ClusterRole & ClusterRoleBinding Output

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
  name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
  namespace: logging
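The two generated objects above differ sharply in scope: the fluentd Role grants every verb (the `'*'` wildcard) on configmaps and secrets inside the logging namespace, while the fluentbit ClusterRole grants only get, list and watch on pods and namespaces across the whole cluster. The script below is an added example and not part of the Logging operator or its documentation. It transcribes those two rule sets into dictionaries (the shape `kubectl get role -o json` returns) and runs a least-privilege review over them: it expands the wildcard into concrete verbs, flags wildcards and write verbs, and computes which verbs are granted beyond an assumed "needed" set. The verb classification and the `needed` maps are assumptions of this example; the operator does not publish which verbs its workloads actually use.

```python
"""Least-privilege review of the RBAC objects the Logging operator generates.
Added example, not operator code. The two rule sets are transcribed from the
Role and ClusterRole above; the verb classification, the findings and the
`needed` maps used below are this example's assumptions."""

# Verbs the RBAC wildcard '*' stands for on core resources (assumed set).
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

FLUENTD_ROLE = {  # from "Fluentd Role & RoleBinding Output"
    "kind": "Role", "name": "logging-demo-nginx-logging-demo-logging-fluentd",
    "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]}],
}
FLUENTBIT_CLUSTERROLE = {  # from "Fluentbit ClusterRole & ClusterRoleBinding Output"
    "kind": "ClusterRole", "name": "logging-demo-nginx-logging-demo-logging-fluentbit",
    "rules": [{"apiGroups": [""], "resources": ["pods", "namespaces"],
               "verbs": ["get", "list", "watch"]}],
}


def expand_verbs(verbs):
    """Resolve the '*' wildcard into the concrete verbs it grants."""
    return set(ALL_VERBS) if "*" in verbs else set(verbs)


def audit(role):
    """Return review findings for one Role or ClusterRole (empty list: nothing flagged)."""
    findings = []
    scope = "cluster-wide" if role["kind"] == "ClusterRole" else "namespaced"
    for rule in role["rules"]:
        resources = rule.get("resources", [])
        verbs = expand_verbs(rule.get("verbs", []))
        if "*" in rule.get("verbs", []):
            findings.append(f"wildcard verb on {resources} ({scope}): enumerate the verbs actually used")
        if "*" in resources:
            findings.append(f"wildcard resource with verbs {sorted(verbs)} ({scope})")
        for res in resources:
            writes = verbs & WRITE_VERBS
            if writes:
                findings.append(f"write verbs {sorted(writes)} on {res} ({scope}): confirm the workload needs them")
            if res == "secrets" and scope == "cluster-wide":
                findings.append("secrets readable across all namespaces; prefer a namespaced Role")
    return findings


def excess_grants(role, needed):
    """Verbs granted beyond `needed`, a {resource: set_of_verbs} map of what the workload uses."""
    excess = {}
    for rule in role["rules"]:
        verbs = expand_verbs(rule.get("verbs", []))
        for res in rule.get("resources", []):
            extra = verbs - needed.get(res, set())
            if extra:
                excess.setdefault(res, set()).update(extra)
    return {res: sorted(v) for res, v in excess.items()}


if __name__ == "__main__":
    READ_ONLY = {"get", "list", "watch"}
    # Assumed: both log shippers only read the listed resources; adjust to your deployment.
    for role in (FLUENTD_ROLE, FLUENTBIT_CLUSTERROLE):
        needed = {res: set(READ_ONLY) for rule in role["rules"] for res in rule["resources"]}
        print(role["name"])
        print("  findings:", audit(role) or "none")
        print("  granted beyond assumed need:", excess_grants(role, needed) or "none")
```

Run as-is, the fluentd Role yields three findings (the wildcard and write access to both configmaps and secrets) and the fluentbit ClusterRole yields none. If you replace the assumed read-only `needed` map with the verbs your fluentd configuration really exercises, `excess_grants` gives you the list to trim from the generated Role.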

Service Account (SA)

Deploy with Kubernetes Manifests

Create logging resource with Service Account

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      serviceAccount: fluentdUser1
  fluentbit:
    security:
      serviceAccount: fluentbitUser1
  controlNamespace: logging
EOF

Deploy with Helm

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.serviceAccount=fluentdUser1 \
    --set=loggingOperator.fluentbit.security.serviceAccount=fluentbitUser1

Enabling Pod Security Policies (PSP)

This option requires roleBasedAccessControlCreate to be enabled as well: a PodSecurityPolicy only takes effect when the workload's ServiceAccount is granted the use verb on it through an RBAC Role or ClusterRole, which the operator creates for you. Note that the PodSecurityPolicy API (policy/v1beta1) was deprecated in Kubernetes 1.21 and removed in 1.25, so these settings only apply on clusters that still serve it.

Deploy with Kubernetes Manifests

Create logging resource with PSP

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Deploy with Helm

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.podSecurityPolicyCreate=True \
    --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
    --set=loggingOperator.fluentbit.security.podSecurityPolicyCreate=True \
    --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True

Example Manifest Generated by the operator

Fluentd PSP+Role Output

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-psp
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentd
  verbs:
  - use

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  runAsUser:
    ranges:
    - max: 100
      min: 100
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath
  - persistentVolumeClaim

Fluentbit PSP+ClusterRole Output

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit-psp
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentbit
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
spec:
  allowPrivilegeEscalation: false
  allowedHostPaths:
  - pathPrefix: /var/lib/docker/containers
    readOnly: true
  - pathPrefix: /var/log
    readOnly: true
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath

Security Context

Deploy with Kubernetes Manifests

Create logging resource with Security Context

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      podSecurityContext:
        fsGroup: 101
  fluentbit:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      podSecurityContext:
        fsGroup: 101
  controlNamespace: logging
EOF

Deploy with Helm

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.securityContext.allowPrivilegeEscalation=False \
    --set=loggingOperator.fluentd.security.securityContext.readOnlyRootFilesystem=False \
    --set=loggingOperator.fluentd.security.podSecurityContext.fsGroup=101 \
    --set=loggingOperator.fluentbit.security.securityContext.allowPrivilegeEscalation=False \
    --set=loggingOperator.fluentbit.security.securityContext.readOnlyRootFilesystem=True \
    --set=loggingOperator.fluentbit.security.podSecurityContext.fsGroup=101

Example Manifest Generated by the operator

apiVersion: v1
kind: Pod
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-0
  namespace: logging
spec:
  containers:
  - image: banzaicloud/fluentd:v1.6.3-alpine-2
    imagePullPolicy: IfNotPresent
    name: fluentd
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
...
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 101
  serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
...
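To see how the PodSecurityPolicies from the PSP section would treat a Pod like the one generated above, the following Python script is an added example, not code from the Logging operator or its documentation. It re-implements the subset of PSP semantics these manifests rely on (allowPrivilegeEscalation, readOnlyRootFilesystem, MustRunAs and RunAsAny strategies with ranges, the volume-type allow-list and allowedHostPaths) so a Pod spec can be evaluated without a cluster. `FLUENTD_PSP`, `FLUENTBIT_PSP` and `FLUENTD_POD` are transcribed from the YAML on this page; `FLUENTBIT_POD` is a constructed sample; the evaluator itself is this example's approximation, not the upstream admission controller.

```python
"""Offline check of a Pod spec against PodSecurityPolicy-style rules.
Added example, not Logging operator code; PSP/Pod dicts are transcribed from
the page except FLUENTBIT_POD, which is constructed. The evaluator approximates
the upstream admission logic for the fields used on this page only."""

FLUENTD_PSP = {  # from "Fluentd PSP+Role Output"
    "allowPrivilegeEscalation": False,
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 101, "max": 101}]},
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 100}]},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 101, "max": 101}]},
    "volumes": ["configMap", "emptyDir", "secret", "hostPath", "persistentVolumeClaim"],
}
FLUENTBIT_PSP = {  # from "Fluentbit PSP+ClusterRole Output"
    "allowPrivilegeEscalation": False,
    "allowedHostPaths": [{"pathPrefix": "/var/lib/docker/containers", "readOnly": True},
                         {"pathPrefix": "/var/log", "readOnly": True}],
    "fsGroup": {"rule": "RunAsAny"}, "readOnlyRootFilesystem": True,
    "runAsUser": {"rule": "RunAsAny"}, "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "RunAsAny"},
    "volumes": ["configMap", "emptyDir", "secret", "hostPath"],
}
# Generated fluentd Pod from the page (the elided "..." parts are left out).
FLUENTD_POD = {
    "securityContext": {"fsGroup": 101},
    "containers": [{"name": "fluentd", "volumeMounts": [],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": False}}],
    "volumes": [],
}
# Constructed fluentbit Pod: one compliant mount, one read-write mount of a
# read-only prefix, and one host path the PSP does not list at all.
FLUENTBIT_POD = {
    "securityContext": {},
    "containers": [{"name": "fluent-bit",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True},
                    "volumeMounts": [
                        {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                        {"name": "containers", "mountPath": "/var/lib/docker/containers"},
                        {"name": "etc", "mountPath": "/host/etc", "readOnly": True}]}],
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "containers", "hostPath": {"path": "/var/lib/docker/containers"}},
                {"name": "etc", "hostPath": {"path": "/etc"}}],
}


def _prefix_matches(prefix, path):
    """PSP pathPrefix semantics: /foo matches /foo, /foo/ and /foo/bar but not /food."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def _check_strategy(field, strategy, values, violations, defaults):
    """MustRunAs: every value must fall in a range; an unset field is recorded as the
    default (first range minimum) admission would inject. RunAsAny: no constraint."""
    if strategy.get("rule", "RunAsAny") != "MustRunAs":
        return
    ranges = strategy["ranges"]
    if not values:
        defaults[field] = ranges[0]["min"]
        return
    for v in values:
        if not any(r["min"] <= v <= r["max"] for r in ranges):
            violations.append(f"{field}={v} outside allowed ranges {ranges}")


def evaluate(psp, pod):
    """Return (violations, defaults) for a Pod spec evaluated against a PSP spec."""
    violations, defaults = [], {}
    pod_sc = pod.get("securityContext", {})
    vol_types = {}
    for vol in pod.get("volumes", []):  # volume types must be on the allow-list
        vtype = next(k for k in vol if k != "name")
        vol_types[vol["name"]] = (vtype, vol[vtype])
        if "*" not in psp["volumes"] and vtype not in psp["volumes"]:
            violations.append(f"volume {vol['name']}: type {vtype} not permitted")
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        # allowPrivilegeEscalation defaults to true, so leaving it unset also violates.
        if psp.get("allowPrivilegeEscalation", True) is False and sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if psp.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem", False):
            violations.append(f"{c['name']}: readOnlyRootFilesystem must be true")
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        _check_strategy(f"{c['name']}.runAsUser", psp["runAsUser"],
                        [] if run_as is None else [run_as], violations, defaults)
        for m in c.get("volumeMounts", []):  # allowedHostPaths: prefix and readOnly
            vtype, src = vol_types.get(m["name"], (None, None))
            if vtype != "hostPath" or not psp.get("allowedHostPaths"):
                continue  # no allowedHostPaths list means every host path is permitted
            hits = [a for a in psp["allowedHostPaths"] if _prefix_matches(a["pathPrefix"], src["path"])]
            if not hits:
                violations.append(f"{c['name']}: hostPath {src['path']} not under any allowed prefix")
            elif all(a.get("readOnly") for a in hits) and not m.get("readOnly", False):
                violations.append(f"{c['name']}: hostPath {src['path']} must be mounted readOnly")
    fs = pod_sc.get("fsGroup")
    _check_strategy("fsGroup", psp["fsGroup"], [] if fs is None else [fs], violations, defaults)
    _check_strategy("supplementalGroups", psp["supplementalGroups"],
                    pod_sc.get("supplementalGroups", []), violations, defaults)
    return violations, defaults


if __name__ == "__main__":
    for name, psp, pod in (("fluentd", FLUENTD_PSP, FLUENTD_POD), ("fluentbit", FLUENTBIT_PSP, FLUENTBIT_POD)):
        v, d = evaluate(psp, pod)
        print(name, "violations:", v or "none", "| defaults admission would inject:", d or "none")
```

Against the page's own manifests the fluentd Pod passes, but only because admission would inject runAsUser 100 and supplementalGroups 101; the generated Pod sets neither, so the MustRunAs ranges in the PSP are what pin the UID and GID. The constructed fluentbit Pod fails twice: the read-write mount of /var/lib/docker/containers violates the readOnly flag on that prefix, and /etc falls under no allowedHostPaths entry. One configuration detail worth noticing in the fluentd PSP: it lists hostPath among the permitted volume types but carries no allowedHostPaths list, so it does not restrict which host directories may be mounted; the fluentbit PSP, which enumerates its two read-only prefixes, is the tighter pattern.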