I had issues deploying this chart in openshift 4.12. The error is permission denied in node filesystem:
[2024/03/26 19:52:25] [ info] [sp] stream processor started 42[2024/03/26 19:52:30] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*demo*.log 43[2024/03/26 19:52:30] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*demo*.log
As I see, there is no default Security Context defined in values. I don't know why it is defined that way. From my understanding SCC is not enough to grant permissions for the pods to access node file system, as it is only a constraint, not a request. Here is some doc
Browsing, I found several users with the same problem. In some solutions I found this CS is added to make it work:
I first place I don't know if this is compliant with least privilegie principle.
Applying this SC, I see that this fail because of the SCC in this line.
In my case I got this error:
provider fluent-bit: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c37,c24, provider fluent-bit: .containers[0].seLinuxOptions.type: Invalid value: "spc_t": must be ,
I made it work changing SCC to this value:
seLinuxContext:
type: RunAsAny
In a deployment is important to check if the sa is actually associated to the scc deployed by the chart, as it can match with a previous one.
If it is possible for you check it and post your comments.
Hello community,
I had issues deploying this chart in openshift 4.12. The error is permission denied in node filesystem:
[2024/03/26 19:52:25] [ info] [sp] stream processor started 42[2024/03/26 19:52:30] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*demo*.log 43[2024/03/26 19:52:30] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*demo*.log
As I see, there is no default Security Context defined in values. I don't know why it is defined that way. From my understanding SCC is not enough to grant permissions for the pods to access node file system, as it is only a constraint, not a request. Here is some doc
Browsing, I found several users with the same problem. In some solutions I found this CS is added to make it work:
I first place I don't know if this is compliant with least privilegie principle.
Applying this SC, I see that this fail because of the SCC in this line.
In my case I got this error:
provider fluent-bit: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c37,c24, provider fluent-bit: .containers[0].seLinuxOptions.type: Invalid value: "spc_t": must be ,
I made it work changing SCC to this value:
In a deployment is important to check if the sa is actually associated to the scc deployed by the chart, as it can match with a previous one.
If it is possible for you check it and post your comments.
Thank you in advance.