splunk / splunk-connect-for-kubernetes

Helm charts associated with kubernetes plug-ins
Apache License 2.0

splunk-connect Helm chart install failing on Google Cloud GKE configured with AutoPilot #828

Closed hectoralicea closed 1 year ago

hectoralicea commented 1 year ago

What happened: Unable to deploy helm chart

Getting the following error:

client.go:122: [debug] creating 7 resource(s)
W1207 14:29:19.137952  669744 warnings.go:70] Autopilot increased resource requests for DaemonSet splunk-connect/wd3-splunk-connect-splunk-kubernetes-logging to meet requirements. See http://g.co/gke/autopilot-resources.
Error: admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more policies:
  {
    "[denied by autogke-disallow-privilege]": [
      "container splunk-fluentd-k8s-logs is privileged; not allowed in Autopilot"
    ],
    "[denied by autogke-no-write-mode-hostpath]": [
      "hostPath volume varlog in container splunk-fluentd-k8s-logs is accessed in write mode; disallowed in Autopilot. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'.",
      "hostPath volume varlogdest used in container splunk-fluentd-k8s-logs uses path /var/lib/docker/containers which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'.",
      "hostPath volume journallogpath used in container splunk-fluentd-k8s-logs uses path /run/log/journal which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'."
    ]
  }

helm.go:81: [debug] admission webhook "gkepolicy.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more policies: 
{
  "[denied by autogke-disallow-privilege]": [
    "container splunk-fluentd-k8s-logs is privileged; not allowed in Autopilot"
  ],
  "[denied by autogke-no-write-mode-hostpath]": [
    "hostPath volume varlog in container splunk-fluentd-k8s-logs is accessed in write mode; disallowed in Autopilot. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'.",
    "hostPath volume varlogdest used in container splunk-fluentd-k8s-logs uses path /var/lib/docker/containers which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'.",
    "hostPath volume journallogpath used in container splunk-fluentd-k8s-logs uses path /run/log/journal which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'svc-act-dv@wd3-kraken.iam.gserviceaccount.com', groups: 'system:authenticated'."
  ]
}

What you expected to happen: Should be able to deploy

How to reproduce it (as minimally and precisely as possible): helm upgrade wd3-splunk-connect splunk/splunk-connect-for-kubernetes --install --namespace splunk-connect --version 1.5.0 --debug --wait --timeout 20m -f splunk-connect-values.yml

Anything else we need to know?:

Environment:

hvaghani221 commented 1 year ago

GKE autopilot is not supported by SCK. All the supported distributions are listed in https://github.com/splunk/splunk-connect-for-kubernetes#what-does-splunk-connect-for-kubernetes-do.

You can switch to https://github.com/signalfx/splunk-otel-collector-chart. It supports GKE Autopilot.

Migration guide: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/migration-from-sck.md

Configuring for GKE Autopilot: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/advanced-configuration.md#gke-autopilot-support
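The conditions named in the GKE Warden rejection in this issue (privileged container, hostPath mounted in write mode, hostPath outside `/var/log/`) can be checked against a pod spec before installing a chart. The following is an added example, not code from the issue, SCK or GKE: it approximates the checks from the wording of the error messages only, and `autopilot_findings` and `SAMPLE_POD_SPEC` are hypothetical names. The sample spec is constructed; its `varlog` path and all `mountPath` values are assumptions.

```python
# Added example: approximates the checks named in the GKE Warden rejection.
# Not GKE's implementation. Only `containers` are inspected (no initContainers).
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)  # quoted in the error message

def autopilot_findings(pod_spec):
    """Return a list of (policy, message) tuples for a pod spec dict."""
    findings = []
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in pod_spec.get("containers", []):
        name = c["name"]
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("autogke-disallow-privilege",
                             f"container {name} is privileged"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not backed by a hostPath volume
            if not m.get("readOnly", False):
                findings.append(("autogke-no-write-mode-hostpath",
                                 f"hostPath volume {m['name']} in container "
                                 f"{name} is accessed in write mode"))
            # Treat "/var/log" and "/var/log/" alike before the prefix test.
            if not (path.rstrip("/") + "/").startswith(ALLOWED_HOSTPATH_PREFIXES):
                findings.append(("autogke-no-write-mode-hostpath",
                                 f"hostPath volume {m['name']} uses path {path}"))
    return findings

# Constructed sample shaped after the rejected DaemonSet; the varlog path and
# all mountPath values are assumptions, the other names come from the error.
SAMPLE_POD_SPEC = {
    "containers": [{
        "name": "splunk-fluentd-k8s-logs",
        "securityContext": {"privileged": True},
        "volumeMounts": [
            {"name": "varlog", "mountPath": "/var/log"},
            {"name": "varlogdest", "mountPath": "/var/lib/docker/containers", "readOnly": True},
            {"name": "journallogpath", "mountPath": "/run/log/journal", "readOnly": True},
        ],
    }],
    "volumes": [
        {"name": "varlog", "hostPath": {"path": "/var/log"}},
        {"name": "varlogdest", "hostPath": {"path": "/var/lib/docker/containers"}},
        {"name": "journallogpath", "hostPath": {"path": "/run/log/journal"}},
    ],
}

if __name__ == "__main__":
    for policy, message in autopilot_findings(SAMPLE_POD_SPEC):
        print(f"[denied by {policy}] {message}")
```

A spec that passes these checks has no privileged container and mounts only read-only hostPath volumes under `/var/log/`.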