fluent / helm-charts

Helm Charts for Fluentd and Fluent Bit
Apache License 2.0

Fluent-bit Chart does not work in openshift 4.12 #486

Open Pela2silveira opened 3 months ago

Pela2silveira commented 3 months ago

Hello community,

I had issues deploying this chart in openshift 4.12. The error is permission denied in node filesystem:

[2024/03/26 19:52:25] [ info] [sp] stream processor started
[2024/03/26 19:52:30] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*demo*.log
[2024/03/26 19:52:30] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*demo*.log

As I see it, there is no default Security Context defined in values. I don't know why it is defined that way. From my understanding, SCC is not enough to grant permissions for the pods to access the node file system, as it is only a constraint, not a request. Here is some doc

Browsing, I found several users with the same problem. In some solutions I found, this SC is added to make it work:

securityContext:
  runAsUser: 0
  seLinuxOptions:
    type: spc_t
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false

In the first place, I don't know if this is compliant with the least privilege principle.

Applying this SC, I see that this fails because of the SCC in this line.

In my case I got this error: provider fluent-bit: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c37,c24, provider fluent-bit: .containers[0].seLinuxOptions.type: Invalid value: "spc_t": must be ,

I made it work changing SCC to this value:

seLinuxContext:
  type: RunAsAny

In a deployment it is important to check if the SA is actually associated with the SCC deployed by the chart, as it can match with a previous one.

If it is possible for you, check it and post your comments.

Thank you in advance.
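
The check suggested above (confirming which SCC actually admitted the pod) can be read from the `openshift.io/scc` annotation that OpenShift sets on admitted pods. The following is an added example, not part of the original thread or the chart; the pod list is constructed, and the pod names and the expected SCC name `fluent-bit` are assumptions.

```python
import json

# Constructed sample shaped like `oc get pods -o json` output; names are made up.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "fluent-bit-aaaaa",
                "annotations": {"openshift.io/scc": "fluent-bit"}},
   "spec": {"containers": [{"name": "fluent-bit", "securityContext": {
       "runAsUser": 0, "seLinuxOptions": {"type": "spc_t"},
       "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false}}]}},
  {"metadata": {"name": "fluent-bit-bbbbb",
                "annotations": {"openshift.io/scc": "privileged"}},
   "spec": {"securityContext": {"runAsUser": 0},
            "containers": [{"name": "fluent-bit",
                            "securityContext": {"privileged": true}}]}}
]}
""")


def elevated_settings(sc):
    """List the settings in an effective securityContext that widen node access."""
    found = []
    if sc.get("privileged"):
        found.append("privileged")
    if sc.get("runAsUser") == 0:
        found.append("runAsUser=0")
    if (sc.get("seLinuxOptions") or {}).get("type") == "spc_t":
        found.append("seLinuxOptions.type=spc_t")
    return found


def audit(pod_list, expected_scc):
    """Report, per pod, the SCC that admitted it and any elevated settings."""
    report = []
    for pod in pod_list["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        admitted = meta.get("annotations", {}).get("openshift.io/scc")
        pod_sc = spec.get("securityContext") or {}
        elevated = []
        for c in spec["containers"]:
            # Container-level fields take precedence over pod-level ones.
            effective = {**pod_sc, **(c.get("securityContext") or {})}
            elevated += [f"{c['name']}: {s}" for s in elevated_settings(effective)]
        report.append({"pod": meta["name"], "scc": admitted,
                       "scc_as_expected": admitted == expected_scc,
                       "elevated": elevated})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_PODS, expected_scc="fluent-bit"):
        print(row)
```

On a cluster, the same `audit` function can be given the parsed output of `oc get pods -o json` for the namespace where the chart is installed.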

captainpro-eng commented 1 month ago

@Pela2silveira have you tried this?


securityContext:
    privileged: true