fluent / helm-charts

Helm Charts for Fluentd and Fluent Bit
Apache License 2.0

[Question] How to configure hostnetwork in daemonset for openshift? #235

Open parera10 opened 2 years ago

parera10 commented 2 years ago

I'm trying to configure hostNetwork (in order to enable the Use_kubelet option) on a DaemonSet on OpenShift, but it can't run pods because something is wrong with the SCC. I get this error:

Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 2020: Host ports are not allowed to be used, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "twistlock-scc": Forbidden: not usable by user or serviceaccount, provider fluent-bit: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]

This is my config section:

kind: DaemonSet

serviceAccount:
  create: true

rbac:
  create: true
  nodeAccess: true

openShift:
  enabled: true
  securityContextConstraints:
    create: true

hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet

securityContext:
  privileged: true

I'm setting securityContext with privileged in order to access container logs. If I leave the default values, fluent-bit is not able to access /var/log/containers/*.log

Checking the SCC created by the chart, I see: allowHostNetwork: false. I'm not quite sure whether this property should be 'true' in this case or whether I'm missing another step in the configuration.

sanasz91mdev commented 2 years ago

I am also getting the same error @parera10. When deploying on OpenShift via the Helm chart I am receiving errors:

Error creating: pods "fluent-bit-" is forbidden: unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, provider "core-dump-admin-privileged": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "redis-enterprise-scc": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden

I have already applied the required permissions:

kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-openshift-security-context-constraints.yaml

What else am I missing?
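An added check, not code from the fluent/helm-charts project, that replays the SCC admission decisions behind the errors quoted in both comments: it compares the host-level settings from the issue's values (hostNetwork, privileged, hostPath mounts, hostPort 2020) against a constructed SCC with allowHostNetwork: false, as the reporter observed for the chart-created one, and derives the narrowest SCC that admits the pod. The namespace, service-account name and the `users`-based grant are assumptions.

```python
from typing import Dict, List

# Constructed sample of the chart-created SCC as the reporter describes it
# (allowHostNetwork: false); field names are the real SCC fields. The SCC is
# granted via its `users` list (an RBAC `use` rule on the SCC is the other route).
CHART_SCC = {
    "allowHostNetwork": False,
    "allowHostPorts": False,
    "allowPrivilegedContainer": False,
    "volumes": ["configMap", "secret", "emptyDir", "hostPath"],
    "users": ["system:serviceaccount:logging:fluent-bit"],
}

# Host-level needs of the DaemonSet in the issue (namespace and SA name assumed).
POD_NEEDS = {
    "serviceAccount": "system:serviceaccount:logging:fluent-bit",
    "hostNetwork": True,
    "hostPorts": [2020],
    "privileged": True,
    "volumeTypes": ["configMap", "hostPath"],
}


def scc_violations(scc: Dict, needs: Dict) -> List[str]:
    """Reasons this SCC rejects the pod, phrased like the admission error."""
    problems = []
    if needs["serviceAccount"] not in scc.get("users", []):
        problems.append("Forbidden: not usable by user or serviceaccount")
    if needs["hostNetwork"] and not scc.get("allowHostNetwork", False):
        problems.append("hostNetwork: Host network is not allowed to be used")
    if needs["hostPorts"] and not scc.get("allowHostPorts", False):
        problems.append("hostPort: Host ports are not allowed to be used")
    if needs["privileged"] and not scc.get("allowPrivilegedContainer", False):
        problems.append("privileged: Privileged containers are not allowed")
    allowed = set(scc.get("volumes", []))
    for vol in needs["volumeTypes"]:
        if "*" not in allowed and vol not in allowed:
            problems.append(f"{vol}: {vol} volumes are not allowed to be used")
    return problems


def scc_for(needs: Dict, base: Dict) -> Dict:
    """Copy of `base` widened only as far as the pod needs (least privilege)."""
    scc = dict(base)
    scc["allowHostNetwork"] = needs["hostNetwork"]
    scc["allowHostPorts"] = bool(needs["hostPorts"])
    scc["allowPrivilegedContainer"] = needs["privileged"]
    scc["volumes"] = sorted(set(base.get("volumes", [])) | set(needs["volumeTypes"]))
    scc["users"] = sorted(set(base.get("users", [])) | {needs["serviceAccount"]})
    return scc
```

Run against a live cluster, the same comparison can be made by feeding `scc_violations` the JSON from `kubectl get scc <name> -o json`; the three host-level rejections it reports for CHART_SCC match the ones in the first error message, and the SCC from `scc_for` admits the pod without opening anything the DaemonSet does not use.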