# Security

## Security Variables

| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| roleBasedAccessControlCreate | bool | No | True | Create RBAC resources |
| serviceAccount | string | No | - | Set ServiceAccount |
| securityContext | SecurityContext | No | {} | SecurityContext holds security configuration that will be applied to a container. |
| podSecurityContext | PodSecurityContext | No | {} | PodSecurityContext holds pod-level security attributes and common container settings. Some |
## Using RBAC Authorization

By default, RBAC is enabled.

### Deploy with Kubernetes Manifests

#### Create logging resource with RBAC
```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      roleBasedAccessControlCreate: true
  fluentbit:
    security:
      roleBasedAccessControlCreate: true
  controlNamespace: logging
EOF
```
### Example Manifest Generated by the operator

#### Fluentd Role & RoleBinding Output

```yaml
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    - secrets
    verbs:
    - '*'
---
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    annotations:
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
    ownerReferences:
    - apiVersion: logging.banzaicloud.io/v1beta1
      controller: true
      kind: Logging
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: logging-demo-nginx-logging-demo-logging-fluentd
  subjects:
  - kind: ServiceAccount
    name: logging-demo-nginx-logging-demo-logging-fluentd
    namespace: logging
```
#### Fluentbit ClusterRole & ClusterRoleBinding Output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: logging-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
  name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
  ownerReferences:
  - apiVersion: logging.banzaicloud.io/v1beta1
    controller: true
    kind: Logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
  name: nginx-demo-nginx-logging-demo-logging-fluentbit
  namespace: logging
```
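The generated Fluentd Role above grants `*` verbs on configmaps and secrets in the control namespace, while the Fluent Bit ClusterRole is read-only but cluster-wide. The following added example (not part of the Logging operator or its docs) is a small least-privilege audit that flags wildcard verbs, write verbs and Secret access per rule; the two role definitions are transcribed from the generated output above into Python dicts so it runs offline without a YAML parser.

```python
"""Least-privilege review of the RBAC objects the operator generates.

Added example, not Logging operator code. It flags wildcard verbs, write verbs
and Secret access per rule. Both roles are transcribed from the generated
manifests on this page into plain dicts (constructed input, no YAML parser).
"""

READ_ONLY_VERBS = {"get", "list", "watch"}

# Transcribed from the "Fluentd Role & RoleBinding Output" above.
FLUENTD_ROLE = {
    "kind": "Role",
    "metadata": {"name": "logging-demo-nginx-logging-demo-logging-fluentd",
                 "namespace": "logging"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"],
               "verbs": ["*"]}],
}

# Transcribed from the "Fluentbit ClusterRole & ClusterRoleBinding Output" above.
FLUENTBIT_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "logging-demo-nginx-logging-demo-logging-fluentbit"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "namespaces"],
               "verbs": ["get", "list", "watch"]}],
}

def audit_role(role):
    """Return human-readable findings for one Role/ClusterRole; [] means clean."""
    findings = []
    name = role["metadata"]["name"]
    if role["kind"] == "ClusterRole":
        scope = "cluster-wide"
    else:
        scope = "namespace " + role["metadata"].get("namespace", "?")
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = sorted(rule.get("resources", []))
        if "*" in verbs:
            findings.append(f"{name}: wildcard verbs on {resources} ({scope})")
        elif verbs - READ_ONLY_VERBS:  # anything beyond get/list/watch can mutate state
            extra = sorted(verbs - READ_ONLY_VERBS)
            findings.append(f"{name}: write verbs {extra} on {resources} ({scope})")
        if "secrets" in resources or "*" in resources:
            findings.append(f"{name}: can read Secrets ({scope})")
    return findings

def audit_all(roles):
    """Map role name -> findings, so a CI gate can fail on any non-empty list."""
    return {r["metadata"]["name"]: audit_role(r) for r in roles}
```

Running `audit_all([FLUENTD_ROLE, FLUENTBIT_CLUSTERROLE])` reports two findings for the Fluentd Role (wildcard verbs, Secret access) and none for the Fluent Bit ClusterRole; the same function can be pointed at `kubectl get role,clusterrole -o json` output once loaded into dicts.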
## Service Account (SA)

### Deploy with Kubernetes Manifests

#### Create logging resource with Service Account

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      serviceAccount: fluentdUser1
  fluentbit:
    security:
      serviceAccount: fluentbitUser1
  controlNamespace: logging
EOF
```
## Security Context

### Deploy with Kubernetes Manifests

#### Create logging resource with PSP

```bash
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-simple
spec:
  fluentd:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      podSecurityContext:
        fsGroup: 101
  fluentbit:
    security:
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      podSecurityContext:
        fsGroup: 101
  controlNamespace: logging
EOF
```
### Example Manifest Generated by the operator

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-demo-nginx-logging-demo-logging-fluentd-0
  namespace: logging
spec:
  containers:
  - image: ghcr.io/kube-logging/fluentd:v1.15
    imagePullPolicy: IfNotPresent
    name: fluentd
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
  ...
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 101
  serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
  ...
```
Last modified June 3, 2024: [4.6] Blog link fix (cc4602a)