
Fluentd Security Context Break #48

@bonickle

Description

    initContainers:
      - name: "{{ .Release.Name }}-set-fluentd-persistence-ownership"
        image: "{{ tpl (include \"nexus-iq-server-ha.busyboxImage\" .) $}}"
        command: [ "sh", "-c", "chown -R 1001:1001 /opt/bitnami/fluentd/logs/nexus-iq-server" ]
        volumeMounts:
          - mountPath: "/opt/bitnami/fluentd/logs/nexus-iq-server"
            name: "iq-server-pod-volume"
            subPath: log

Seems a breaking change was introduced with fluentd. The code above, from your values file, does not work. The container is trying to chown a directory that has these permissions: "drwx------ 1000:1000". The init container would need the proper security context to perform this chown, "1000:1000". However, and maybe I am missing something, I do not think this chown is necessary. The Fluentd chart lets you change the security context for all its pods/containers. I was able to get fluentd working with the following values. So Fluentd has access to read the logs and forward them on, without needing root or the chown commands.

fluentd:
  aggregator:
    enabled: true
    containerSecurityContext:
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
    podSecurityContext:
      enabled: true
      fsGroup: 1000
    initContainers: null # need to null out the upstream
  sidecar_forwarder:
    daemonUser: nexus
    daemonGroup: nexus
    securityContext:
      runAsUser: 1000
      runAsGroup: 1000
      runAsNonRoot: true
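As an added example (not code from the issue, the nexus-iq-server-ha chart or the Bitnami fluentd chart), here is a small Python model of the Unix permission checks behind this report: why a non-root init container cannot chown a directory owned by 1000:1000, and why running the aggregator as 1000 with fsGroup 1000 is enough to read it. The mode 0700 and the ids are taken from the report; the init container's uid is left as a parameter because the issue does not state it, and the model assumes the containers run without added capabilities.

```python
"""Model which Kubernetes securityContext settings can read or chown a
volume directory, reproducing the cases discussed in the issue."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecurityContext:
    run_as_user: int
    run_as_group: int
    fs_group: Optional[int] = None          # kubelet adds it to the process's groups
    supplemental_groups: List[int] = field(default_factory=list)

    def groups(self) -> set:
        g = {self.run_as_group, *self.supplemental_groups}
        if self.fs_group is not None:
            g.add(self.fs_group)
        return g


def can_access(mode: int, owner_uid: int, owner_gid: int,
               ctx: SecurityContext, want: str) -> bool:
    """Plain Unix DAC check: root bypasses, otherwise owner/group/other bits.
    `want` is 'r', 'w' or 'x'."""
    if ctx.run_as_user == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if ctx.run_as_user == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid in ctx.groups():
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


def can_chown(ctx: SecurityContext) -> bool:
    """Giving a file to another uid needs CAP_CHOWN; assuming no added
    capabilities, only uid 0 has it."""
    return ctx.run_as_user == 0


# Directory from the report: drwx------ owned by 1000:1000 (constructed constants)
LOG_DIR_MODE, LOG_DIR_UID, LOG_DIR_GID = 0o700, 1000, 1000


def init_container_can_chown(run_as_user: int) -> bool:
    """The upstream `chown -R 1001:1001` init step, run as `run_as_user`."""
    return can_chown(SecurityContext(run_as_user=run_as_user, run_as_group=run_as_user))


def aggregator_can_read_logs() -> bool:
    """The fix from the issue: runAsUser/runAsGroup 1000 plus fsGroup 1000."""
    ctx = SecurityContext(run_as_user=1000, run_as_group=1000, fs_group=1000)
    return (can_access(LOG_DIR_MODE, LOG_DIR_UID, LOG_DIR_GID, ctx, "r")
            and can_access(LOG_DIR_MODE, LOG_DIR_UID, LOG_DIR_GID, ctx, "x"))
```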
