Security

Security Variables

Variable NameTypeRequiredDefaultDescription
roleBasedAccessControlCreateboolNoTruecreate RBAC resources
podSecurityPolicyCreateboolNoFalsecreate PSP resources
serviceAccountstringNo-Set ServiceAccount
securityContextSecurityContextNo{}SecurityContext holds security configuration that will be applied to a container.
podSecurityContextPodSecurityContextNo{}PodSecurityContext holds pod-level security attributes and common container settings. Some

Using RBAC Authorization

By default, RBAC is enabled.

Deploy with Kubernetes Manifests

Create logging resource with RBAC

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Example Manifest Generated by the operator

Fluentd Role & RoleBinding Output

- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - secrets
    verbs:
    - '*'

--
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    annotations:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: logging-demo-nginx-logging-demo-logging-fluentd
  subjects:
  - kind: ServiceAccount
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging

Fluentbit ClusterRole & ClusterRoleBinding Output

kind: ClusterRole
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch

---
kind: ClusterRoleBinding
metadata:
  annotations:
  name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
  namespace: logging

Service Account (SA)

Deploy with Kubernetes Manifests

Create logging resource with Service Account

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      serviceAccount: fluentdUser1
  fluentbit:
    security:
      serviceAccount: fluentbitUser1
  controlNamespace: logging
EOF

Enabling Pod Security Policies (PSP)

This option depends on the roleBasedAccessControlCreate enabled status because the psp require rbac roles also.

Deploy with Kubernetes Manifests

Create logging resource with PSP

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      podSecurityPolicyCreate: true
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF

Example Manifest Generated by the operator

Fluentd PSP+Role Output

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-psp
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - nginx-demo-nginx-logging-demo-logging-fluentd
  verbs:
  - use

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  runAsUser:
    ranges:
    - max: 100
      min: 100
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 101
      min: 101
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath
  - persistentVolumeClaim

Fluentbit PSP+ClusterRole Output

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit-psp
rules:
- apiGroups:
  - policy
  resources:
  - nginx-demo-nginx-logging-demo-logging-fluentbit
  verbs:
  - use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
spec:
  allowPrivilegeEscalation: false
  allowedHostPaths:
  - pathPrefix: /var/lib/docker/containers
    readOnly: true
  - pathPrefix: /var/log
    readOnly: true
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - emptyDir
  - secret
  - hostPath

Security Context

Deploy with Kubernetes Manifests

Create logging resource with PSP

kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      podSecurityContext:
        fsGroup: 101
  fluentbit:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      podSecurityContext:
        fsGroup: 101
  controlNamespace: logging
EOF

Example Manifest Generated by the operator

apiVersion: v1
kind: Pod
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-0
  namespace: logging
spec:
  containers:
  - image: ghcr.io/kube-logging/fluentd:v1.15
    imagePullPolicy: IfNotPresent
    name: fluentd
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
...
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 101
  serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
...
Last modified December 27, 2023: Version number bumps (00b4afd)