Security Variables 🔗︎

Variable Name Type Required Default Description
roleBasedAccessControlCreate bool No True create RBAC resources
podSecurityPolicyCreate bool No False create PSP resources
serviceAccount string No - Set ServiceAccount
securityContext SecurityContext No {} SecurityContext holds security configuration that will be applied to a container.
podSecurityContext PodSecurityContext No {} PodSecurityContext holds pod-level security attributes and common container settings. Some

Using RBAC Authorization 🔗︎

By default, RBAC is enabled.

Deploy with Kubernetes Manifests 🔗︎

Create logging resource with RBAC 🔗︎

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Deploy with Helm 🔗︎

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
    --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True

Example Manifest Generated by the operator 🔗︎

Fluentd Role & RoleBinding Output 🔗︎

- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - secrets
    verbs:
    - '*'

--
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    annotations:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: logging-demo-nginx-logging-demo-logging-fluentd
  subjects:
  - kind: ServiceAccount
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging

Fluentbit ClusterRole & ClusterRoleBinding Output 🔗︎

kind: ClusterRole
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch

---
kind: ClusterRoleBinding
metadata:
  annotations:
  name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
  namespace: logging

Service Account (SA) 🔗︎

Deploy with Kubernetes Manifests 🔗︎

Create logging resource with Service Account 🔗︎

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      serviceAccount: fluentdUser1
  fluentbit:
    security:
      serviceAccount: fluentbitUser1
  controlNamespace: logging
EOF

Deploy with Helm 🔗︎

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.serviceAccount=fluentdUser1 \
    --set=loggingOperator.fluentbit.security.serviceAccount=fluentbitUser1

Enabling Pod Security Policies (PSP) 🔗︎

This option depends on the roleBasedAccessControlCreate enabled status because the psp require rbac roles also.

Deploy with Kubernetes Manifests 🔗︎

Create logging resource with PSP

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Deploy with Helm 🔗︎

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.podSecurityPolicyCreate=True \
    --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
    --set=loggingOperator.fluentbit.security.podSecurityPolicyCreate=True \
    --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True

Example Manifest Generated by the operator 🔗︎

Fluentd PSP+Role Output 🔗︎

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-psp
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentd
  verbs:
  - use

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  runAsUser:
    ranges:
    - max: 100
      min: 100
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath
  - persistentVolumeClaim

Fluentbit PSP+ClusterRole Output 🔗︎

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit-psp
rules:
- apiGroups:
  - policy
  resources:
  - nginx-demo-nginx-logging-demo-logging-fluentbit
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
spec:
  allowPrivilegeEscalation: false
  allowedHostPaths:
  - pathPrefix: /var/lib/docker/containers
    readOnly: true
  - pathPrefix: /var/log
    readOnly: true
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath

Security Context 🔗︎

Deploy with Kubernetes Manifests 🔗︎

Create logging resource with PSP 🔗︎

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      podSecurityContext:
        fsGroup: 101
  fluentbit:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      podSecurityContext:
        fsGroup: 101
  controlNamespace: logging
EOF

Deploy with Helm 🔗︎

 helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
    --set=loggingOperator.fluentd.security.securityContext.allowPrivilegeEscalation=False \
    --set=loggingOperator.fluentd.security.securityContext.readOnlyRootFilesystem=False \
    --set=loggingOperator.fluentd.security.podSecurityContext.fsGroup=101 \
    --set=loggingOperator.fluentbit.security.securityContext.allowPrivilegeEscalation=False \
    --set=loggingOperator.fluentbit.security.securityContext.readOnlyRootFilesystem=True \
    --set=loggingOperator.fluentbit.security.podSecurityContext.fsGroup=101

Example Manifest Generated by the operator 🔗︎

apiVersion: v1
kind: Pod
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-0
  namespace: logging
spec:
  containers:
  - image: banzaicloud/fluentd:v1.6.3-alpine-2
    imagePullPolicy: IfNotPresent
    name: fluentd
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
...
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 101
  serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
...