Security
Security Variables
| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| roleBasedAccessControlCreate | bool | No | True | create RBAC resources |
| podSecurityPolicyCreate | bool | No | False | create PSP resources |
| serviceAccount | string | No | - | Set ServiceAccount |
| securityContext | SecurityContext | No | {} | SecurityContext holds security configuration that will be applied to a container. |
| podSecurityContext | PodSecurityContext | No | {} | PodSecurityContext holds pod-level security attributes and common container settings. Some |
Using RBAC Authorization
By default, RBAC is enabled.
Deploy with Kubernetes Manifests
Create logging resource with RBAC
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
name: default-logging-simple
spec:
fluentd:
security:
roleBasedAccessControlCreate: true
fluentbit:
security:
roleBasedAccessControlCreate: true
controlNamespace: logging
EOF
Example Manifest Generated by the operator
Fluentd Role & RoleBinding Output
- apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: logging-demo-nginx-logging-demo-logging-fluentd
namespace: logging
ownerReferences:
- apiVersion: logging.banzaicloud.io/v1beta1
controller: true
kind: Logging
rules:
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- '*'
--
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
name: logging-demo-nginx-logging-demo-logging-fluentd
namespace: logging
ownerReferences:
- apiVersion: logging.banzaicloud.io/v1beta1
controller: true
kind: Logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: logging-demo-nginx-logging-demo-logging-fluentd
subjects:
- kind: ServiceAccount
name: logging-demo-nginx-logging-demo-logging-fluentd
namespace: logging
Fluentbit ClusterRole & ClusterRoleBinding Output
kind: ClusterRole
metadata:
annotations:
name: logging-demo-nginx-logging-demo-logging-fluentbit
ownerReferences:
- apiVersion: logging.banzaicloud.io/v1beta1
controller: true
kind: Logging
rules:
- apiGroups:
- ""
resources:
- pods
- namespaces
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
metadata:
annotations:
name: logging-nginx-demo-nginx-logging-demo-logging-fluentbit
ownerReferences:
- apiVersion: logging.banzaicloud.io/v1beta1
controller: true
kind: Logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-demo-nginx-logging-demo-logging-fluentbit
subjects:
- kind: ServiceAccount
name: nginx-demo-nginx-logging-demo-logging-fluentbit
namespace: logging
Service Account (SA)
Deploy with Kubernetes Manifests
Create logging resource with Service Account
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
name: default-logging-simple
spec:
fluentd:
security:
serviceAccount: fluentdUser1
fluentbit:
security:
serviceAccount: fluentbitUser1
controlNamespace: logging
EOF
Enabling Pod Security Policies (PSP)
This option depends on the roleBasedAccessControlCreate enabled status because the psp require rbac roles also.
Deploy with Kubernetes Manifests
Create logging resource with PSP
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
name: default-logging-simple
spec:
fluentd:
security:
podSecurityPolicyCreate: true
roleBasedAccessControlCreate: true
fluentbit:
security:
podSecurityPolicyCreate: true
roleBasedAccessControlCreate: true
controlNamespace: logging
EOF
Example Manifest Generated by the operator
Fluentd PSP+Role Output
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nginx-demo-nginx-logging-demo-logging-fluentd-psp
rules:
- apiGroups:
- policy
- extensions
resources:
- podsecuritypolicies
resourceNames:
- nginx-demo-nginx-logging-demo-logging-fluentd
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: nginx-demo-nginx-logging-demo-logging-fluentd
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 101
min: 101
rule: MustRunAs
runAsUser:
ranges:
- max: 100
min: 100
rule: MustRunAs
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 101
min: 101
rule: MustRunAs
volumes:
- configMap
- emptyDir
- secret
- hostPath
- persistentVolumeClaim
Fluentbit PSP+ClusterRole Output
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-demo-nginx-logging-demo-logging-fluentbit-psp
rules:
- apiGroups:
- policy
resources:
- nginx-demo-nginx-logging-demo-logging-fluentbit
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: nginx-demo-nginx-logging-demo-logging-fluentbit
spec:
allowPrivilegeEscalation: false
allowedHostPaths:
- pathPrefix: /var/lib/docker/containers
readOnly: true
- pathPrefix: /var/log
readOnly: true
fsGroup:
rule: RunAsAny
readOnlyRootFilesystem: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- emptyDir
- secret
- hostPath
Security Context
Deploy with Kubernetes Manifests
Create logging resource with PSP
kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
name: default-logging-simple
spec:
fluentd:
security:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
podSecurityContext:
fsGroup: 101
fluentbit:
security:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
podSecurityContext:
fsGroup: 101
controlNamespace: logging
EOF
Example Manifest Generated by the operator
apiVersion: v1
kind: Pod
metadata:
name: nginx-demo-nginx-logging-demo-logging-fluentd-0
namespace: logging
spec:
containers:
- image: ghcr.io/kube-logging/fluentd:v1.15
imagePullPolicy: IfNotPresent
name: fluentd
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
...
schedulerName: default-scheduler
securityContext:
fsGroup: 101
serviceAccount: nginx-demo-nginx-logging-demo-logging-fluentd
...
Last modified July 24, 2023: Merge pull request #167 from kube-logging/link-fixes-230714 (1dda279)