
Comments (5)

bdalpe avatar bdalpe commented on August 15, 2024

@kenmoini this PR might be of interest to you: #166 In fact, it was created specifically for dealing with a customer deploying the Leader on OpenShift.

The second item is that setting the CRIBL_VOLUME_DIR environment variable to a PVC that is writable by the UID removes any need to write to /opt/cribl.

NB: There's no reason for running any Cribl container as privileged.

from helm-charts.

kenmoini avatar kenmoini commented on August 15, 2024

@bdalpe Ok that is excellent and good to know - I've figured out a way to deploy to OpenShift with a namespaced user who is only admin of the cribl-stream namespace, without any additional RBAC. Namely just need to disable creating the RBAC and set the CRIBL_VOLUME_DIR env var:

```shell
# The license line is placed last so the trailing comment does not break
# the backslash line continuation (or delete that line for a demo deploy).
helm install ls-leader cribl/logstream-leader \
  -n cribl-stream \
  --set "config.groups={pcilogs,system-metrics}" \
  --set config.token="ABCDEF01-1234-5678-ABCD-ABCDEF012345" \
  --set config.adminPassword="adminPasswordHere" \
  --set config.license="<license key>"  # or delete for demo

helm install ls-wg-pci cribl/logstream-workergroup \
  --set config.host="ls-leader-internal" \
  --set config.tag="pcilogs" \
  --set config.token="ABCDEF01-1234-5678-ABCD-ABCDEF012345" \
  --set rbac.create="false" \
  --set env.CRIBL_VOLUME_DIR=/tmp/cribl \
  --set service.annotations."metallb\.universe\.tf/address-pool=lab-pool" \
  -n cribl-stream

helm install ls-wg-system-metrics cribl/logstream-workergroup \
  --set config.host="ls-leader-internal" \
  --set config.tag="system-metrics" \
  --set config.token="ABCDEF01-1234-5678-ABCD-ABCDEF012345" \
  --set rbac.create="false" \
  --set env.CRIBL_VOLUME_DIR=/tmp/cribl \
  --set service.annotations."metallb\.universe\.tf/address-pool=lab-pool" \
  -n cribl-stream
```

So since it works with a random UID/GID like how OpenShift deploys by default, I think the best solution would just be that we add some additional documentation around the value modifications needed to deploy to OpenShift - whatcha think?


wa77z avatar wa77z commented on August 15, 2024

As of OpenShift 4.14 it seems pod security admission is in an enforced mode. This causes all pods to define their SCC. Which permissions should the SCC have to run cribl as non-root? We also allowed the namespace to run from the GUID range defined in the pod, and allowed access to our storage class, however the pods still fail to start.


bdalpe avatar bdalpe commented on August 15, 2024

@wa77z do you have any logs or events from OpenShift showing the reason for the pod failing to start?


wa77z avatar wa77z commented on August 15, 2024

> @wa77z do you have any logs or events from OpenShift showing the reason for the pod failing to start?

```text
Error creating: pods "cribl-edge-" is forbidden: unable to validate against any security context constraint
```

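A pre-flight check that ties the two threads together, added here as an example and not code from the helm-charts thread, the Cribl charts or OpenShift: it flags the pod settings the restricted SCC family rejects (privileged, host namespaces, a fixed UID outside the namespace range, hostPath volumes), which are the usual causes of the "unable to validate against any security context constraint" error above, while a spec shaped like kenmoini's working deployment (no fixed UID, state written to a mounted volume through CRIBL_VOLUME_DIR) passes. The rule set is a simplified subset of the real SCC and the UID range is a constructed value; both are assumptions.

```python
# Added example: a simplified restricted-SCC pre-flight check for a pod spec.
# The rules are an assumption (a subset of the real SCC, not a reimplementation);
# UID_RANGE is a constructed example of a namespace's assigned range.
from typing import Dict, List

UID_RANGE = (1000680000, 1000689999)  # constructed namespace UID range
ALLOWED_VOLUMES = {"configMap", "secret", "emptyDir", "projected",
                   "downwardAPI", "persistentVolumeClaim"}


def scc_violations(pod_spec: Dict) -> List[str]:
    """Return the reasons this pod spec would not fit the restricted SCC ([] = fits)."""
    problems: List[str] = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            problems.append(f"pod: {key} is not allowed")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
        name = c.get("name", "?")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation"):
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        uid = sc.get("runAsUser")  # unset: OpenShift assigns a UID from the range
        if uid is not None and not UID_RANGE[0] <= uid <= UID_RANGE[1]:
            problems.append(f"{name}: runAsUser {uid} is outside the namespace range")
    for v in pod_spec.get("volumes", []):
        kind = next((k for k in v if k != "name"), "unknown")
        if kind not in ALLOWED_VOLUMES:
            problems.append(f"volume {v.get('name')}: {kind} is not allowed")
    return problems


# Constructed spec shaped like the working deployment in the thread: no fixed
# UID, nothing privileged, writable state on a PVC pointed to by CRIBL_VOLUME_DIR.
GOOD_SPEC = {
    "containers": [{"name": "cribl",
                    "env": [{"name": "CRIBL_VOLUME_DIR", "value": "/tmp/cribl"}],
                    "volumeMounts": [{"name": "state", "mountPath": "/tmp/cribl"}]}],
    "volumes": [{"name": "state", "persistentVolumeClaim": {"claimName": "cribl-state"}}],
}

# Constructed spec using the settings the thread says are never needed.
BAD_SPEC = {
    "containers": [{"name": "cribl",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
    "volumes": [{"name": "opt", "hostPath": {"path": "/opt/cribl"}}],
}
```

Run `scc_violations` over the rendered pod spec before `helm install`; an empty list means the spec relies on nothing a restricted SCC would refuse.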
