Security Variables

Variable Name | Type | Required | Default | Description
---|---|---|---|---
roleBasedAccessControlCreate | bool | No | True | Create RBAC resources
podSecurityPolicyCreate | bool | No | False | Create PSP resources
serviceAccount | string | No | - | Set ServiceAccount
securityContext | SecurityContext | No | {} | SecurityContext holds security configuration that will be applied to a container.
podSecurityContext | PodSecurityContext | No | {} | PodSecurityContext holds pod-level security attributes and common container settings. Some
Using RBAC Authorization

By default, RBAC is enabled.

Deploy with Kubernetes Manifests

Create logging resource with RBAC

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF
```
Deploy with Helm

```bash
helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
  --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
  --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True
```
Example Manifest Generated by the operator

Fluentd Role & RoleBinding Output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: logging-demo-nginx-logging-demo-logging-fluentd
subjects:
- kind: ServiceAccount
  name: logging-demo-nginx-logging-demo-logging-fluentd
  namespace: logging
```
Fluentbit ClusterRole & ClusterRoleBinding Output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
  name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # must name the ClusterRole above, otherwise the binding grants nothing
  name: logging-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
  namespace: logging
```
Service Account (SA)

Deploy with Kubernetes Manifests

Create logging resource with Service Account

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      serviceAccount: fluentdUser1
  fluentbit:
    security:
      serviceAccount: fluentbitUser1
  controlNamespace: logging
EOF
```

Deploy with Helm

```bash
helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
  --set=loggingOperator.fluentd.security.serviceAccount=fluentdUser1 \
  --set=loggingOperator.fluentbit.security.serviceAccount=fluentbitUser1
```
Enabling Pod Security Policies (PSP)

This option requires roleBasedAccessControlCreate to be enabled as well: a PSP only takes effect when the component's ServiceAccount is granted the `use` verb on it through an RBAC Role or ClusterRole, so the operator has to be allowed to create those RBAC resources.
Deploy with Kubernetes Manifests

Create logging resource with PSP

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF
```
Deploy with Helm

```bash
helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
  --set=loggingOperator.fluentd.security.podSecurityPolicyCreate=True \
  --set=loggingOperator.fluentd.security.roleBasedAccessControlCreate=True \
  --set=loggingOperator.fluentbit.security.podSecurityPolicyCreate=True \
  --set=loggingOperator.fluentbit.security.roleBasedAccessControlCreate=True
```
Example Manifest Generated by the operator

Fluentd PSP+Role Output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-psp
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentd
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  runAsUser:
    ranges:
    - max: 100
      min: 100
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath
  - persistentVolumeClaim
```
Fluentbit PSP+ClusterRole Output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit-psp
rules:
- apiGroups:
  - policy
  # the resource is podsecuritypolicies; the PSP's own name goes under resourceNames
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentbit
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
spec:
  allowPrivilegeEscalation: false
  allowedHostPaths:
  - pathPrefix: /var/lib/docker/containers
    readOnly: true
  - pathPrefix: /var/log
    readOnly: true
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath
```
Security Context

Deploy with Kubernetes Manifests

Create logging resource with Security Context

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      podSecurityContext:
        fsGroup: 101
  fluentbit:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      podSecurityContext:
        fsGroup: 101
  controlNamespace: logging
EOF
```
Deploy with Helm

```bash
helm upgrade --install --wait --create-namespace --namespace logging logging-demo banzaicloud-stable/logging-demo \
  --set=loggingOperator.fluentd.security.securityContext.allowPrivilegeEscalation=False \
  --set=loggingOperator.fluentd.security.securityContext.readOnlyRootFilesystem=False \
  --set=loggingOperator.fluentd.security.podSecurityContext.fsGroup=101 \
  --set=loggingOperator.fluentbit.security.securityContext.allowPrivilegeEscalation=False \
  --set=loggingOperator.fluentbit.security.securityContext.readOnlyRootFilesystem=True \
  --set=loggingOperator.fluentbit.security.podSecurityContext.fsGroup=101
```
Example Manifest Generated by the operator

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-0
  namespace: logging
spec:
  containers:
  - image: banzaicloud/fluentd:v1.6.3-alpine-2
    imagePullPolicy: IfNotPresent
    name: fluentd
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
    ...
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 101
  serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
  ...
```
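The PSP dependency stated in the PSP section and the container hardening flags shown in this section can be checked before a Logging resource is applied. The following is an added example, not operator code: it reads the nested-map subset of YAML these manifests use with a small hand-rolled parser (a stand-in for PyYAML, assumed here so the script needs only the standard library) and reports the conditions this page sets, namely that podSecurityPolicyCreate requires roleBasedAccessControlCreate, that allowPrivilegeEscalation is false, and that the Fluent Bit container runs with a read-only root filesystem.

```python
# Constructed sample (not from the page): fluentbit requests a PSP but disables RBAC; fluentd sets no securityContext.
SAMPLE_LOGGING = """\
spec:
  fluentd:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: false
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
  controlNamespace: logging
"""


def parse_block_yaml(text):
    """Nested-map subset of YAML (2-space indent, scalars, no lists); stands in for PyYAML."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) per open level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:         # leave deeper and sibling levels
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def check_security(logging_doc):
    """Return one finding per violated rule; an empty list means the spec passes."""
    findings = []
    for component in ("fluentd", "fluentbit"):
        sec = logging_doc.get("spec", {}).get(component, {}).get("security", {})
        rbac = sec.get("roleBasedAccessControlCreate", True)   # defaults as in the variables table
        if sec.get("podSecurityPolicyCreate", False) and not rbac:
            findings.append(f"{component}: podSecurityPolicyCreate requires roleBasedAccessControlCreate")
        ctx = sec.get("securityContext", {})
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{component}: allowPrivilegeEscalation is not set to false")
        if component == "fluentbit" and ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{component}: readOnlyRootFilesystem is not set to true")
    return findings
```

Running `check_security(parse_block_yaml(SAMPLE_LOGGING))` on the constructed sample yields two findings, one for each deliberate weakness; the fluentd container's writable root filesystem is not flagged because this page's own example leaves it writable.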