grafana / agent

Vendor-neutral programmable observability pipelines.
https://grafana.com/docs/agent/
Apache License 2.0

Grafana loki grafana-agent-test-0 Privileged container is not allowed #1928

Closed alkdese closed 2 years ago

alkdese commented 2 years ago

I have deployed Grafana Loki simple distributed 1.7.4 and I'm getting this error:

create Pod grafana-agent-test-0 in StatefulSet grafana-agent-test failed error: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurecontainernoprivilege-zzzzzzzzz] Privileged container is not allowed: config-reloader, securityContext: {"privileged": true, "runAsUser": 0}

I looked through the values and the docs (https://grafana.com/docs/loki/latest/installation/simple-scalable-helm/); none of them mentions privileged containers or why they are required.

Is there a workaround? I tend to believe it would work if I disable 'monitoring.selfMonitoring.enable', but ideally I would like to avoid doing that.

rfratto commented 2 years ago

👋 This is something we've investigated a few times in the past, but don't have a clear answer on yet. We inherited runAsUser: 0 and privileged: true from Promtail. The understanding is that you at least need runAsUser: 0 to be guaranteed to be able to read logs which are mounted from the host. We're unsure if privileged: true is necessary, and haven't put time into testing logs without it yet.

The container mentioned in your log line (config-reloader) definitely doesn't need privileged, though; just the agent pods.

We don't maintain the Helm chart you're using, so I'm not sure if there's a way to easily disable privileged mode to check if everything still works.
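Added example (not code from this thread or from the grafana/agent project): a small audit over the JSON that `kubectl get statefulset <name> -o json` returns, listing per container what a no-privileged / no-root admission policy such as the Gatekeeper constraint in the error above would object to. It also shows the inheritance detail that catches people: runAsUser can be set once on the pod securityContext, so a container with no securityContext of its own can still be denied as root. The sample StatefulSet is constructed to mirror the error message; the image tags and volume names are placeholders.

```python
"""Audit a Kubernetes workload dump (kubectl ... -o json) for the two settings a
no-privileged / no-root admission policy rejects: privileged: true and an
effective runAsUser of 0. Added example, not part of the grafana/agent project."""
import json

# Constructed sample in the shape kubectl returns. Container names follow the
# issue (config-reloader, grafana-agent); images and volume names are made up.
SAMPLE_STATEFULSET = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "grafana-agent-test"},
    "spec": {"template": {"spec": {
        # pod-level default, inherited by every container that does not override it
        "securityContext": {"runAsUser": 0},
        "containers": [
            {"name": "config-reloader",
             "image": "example/config-reloader:0.0",
             "securityContext": {"privileged": True, "runAsUser": 0}},
            {"name": "grafana-agent",
             "image": "example/agent:0.0",
             # no container-level securityContext: inherits runAsUser 0 from the pod
             "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                               "readOnly": True}]},
        ],
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    }}},
})


def pod_spec(obj):
    """Return the PodSpec of a bare Pod or of a workload controller
    (Deployment, StatefulSet, DaemonSet, Job), which nest it under template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def effective_run_as_user(pod_sc, ctr_sc):
    """A container-level runAsUser overrides the pod-level one.
    None means neither is set and the image's USER applies."""
    if "runAsUser" in ctr_sc:
        return ctr_sc["runAsUser"]
    return pod_sc.get("runAsUser")


def audit_privilege(manifest_json):
    """Return {container_name: [finding, ...]} for every container (init
    containers included, since admission webhooks validate those too) that
    would be denied by a no-privileged / no-root constraint."""
    obj = json.loads(manifest_json)
    spec = pod_spec(obj)
    pod_sc = spec.get("securityContext", {})
    findings = {}
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_sc = ctr.get("securityContext", {})
        reasons = []
        if ctr_sc.get("privileged"):
            reasons.append("privileged: true")
        if effective_run_as_user(pod_sc, ctr_sc) == 0:
            inherited = "runAsUser" not in ctr_sc
            reasons.append("runs as UID 0"
                           + (" (inherited from pod securityContext)" if inherited else ""))
        if reasons:
            findings[ctr["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_privilege(SAMPLE_STATEFULSET).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running it against a rendered chart (for example the output of `helm template` converted to JSON, or `kubectl get sts -o json` on a cluster without the constraint) shows which container actually carries each setting: here the sidecar is flagged for both privileged and root, while the agent container is flagged only for root, and only because it inherits it from the pod. That separates the sidecar fix (drop privileged) from the open question in the comment above, namely whether the log-reading agent itself can give up privileged while keeping UID 0 for host-mounted logs.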

alkdese commented 2 years ago

What Helm chart would you recommend in that case? For now I have tried monitoring.selfMonitoring.enable=false, which seems to have worked. But I got another issue when I attempt to add a Loki DataSource: https://github.com/grafana/loki/issues/6729

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had any activity in the past 30 days. The next time this stale check runs, the stale label will be removed if there is new activity. The issue will be closed in 7 days if there is no new activity. Thank you for your contributions!