From 763025845fe3aaf3f2137fc013a77ea48904f5c0 Mon Sep 17 00:00:00 2001
From: Ryan Bonham
Date: Mon, 25 Mar 2019 12:34:04 -0500
Subject: [PATCH 1/5] Fix liveness/readyness probes, they can not be empty {}
---
 production/helm/templates/promtail/daemonset.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/production/helm/templates/promtail/daemonset.yaml b/production/helm/templates/promtail/daemonset.yaml
index a3bdd627e9..f913536189 100644
--- a/production/helm/templates/promtail/daemonset.yaml
+++ b/production/helm/templates/promtail/daemonset.yaml
@@ -57,10 +57,14 @@ spec:
 name: http-metrics
 securityContext:
 {{- toYaml .Values.promtail.securityContext | nindent 12 }}
+ {{- if .Values.promtail.livenessProbe }}
 livenessProbe:
 {{- toYaml .Values.promtail.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.promtail.livenessProbe }}
 readinessProbe:
 {{- toYaml .Values.promtail.readinessProbe | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.promtail.resources | nindent 12 }}
 nodeSelector:
From 0cdbf3689e8031bec745ef3ce28477ff492bf49e Mon Sep 17 00:00:00 2001
From: Ryan Bonham
Date: Mon, 25 Mar 2019 13:50:41 -0500
Subject: [PATCH 2/5] range is not a valid option for seLinux
---
 production/helm/templates/loki/podsecuritypolicy.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/production/helm/templates/loki/podsecuritypolicy.yaml b/production/helm/templates/loki/podsecuritypolicy.yaml
index a5ef5c3f27..02e1e8615d 100644
--- a/production/helm/templates/loki/podsecuritypolicy.yaml
+++ b/production/helm/templates/loki/podsecuritypolicy.yaml
@@ -23,10 +23,7 @@ spec:
 runAsUser:
 rule: 'MustRunAsNonRoot'
 seLinux:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
+ rule: 'RunAsAny'
 supplementalGroups:
 rule: 'MustRunAs'
 ranges:
From aaa476368475303eb04d4ecff3e76332cd9b567c Mon Sep 17 00:00:00 2001 
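Review bot: The guard around `readinessProbe:` tests the wrong value — it reads `{{- if .Values.promtail.livenessProbe }}` where the readiness value is meant, so a chart user who sets only a readiness probe gets none rendered, and one who sets only a liveness probe gets `readinessProbe:` emitted with whatever `toYaml` produces for the unset value instead of being omitted, which is the kind of empty-probe output this commit sets out to avoid. Change the second guard to `{{- if .Values.promtail.readinessProbe }}`. Patch 5/5 in this series deletes the whole block again, so the final tree is unaffected, but 1/5 is wrong if it is ever applied on its own.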
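Review bot: `rule: 'RunAsAny'` is the permissive SELinux strategy, so after this hunk the PodSecurityPolicy no longer constrains the SELinux context a Loki pod may request; the commit is right that `ranges` does not belong under `seLinux`, but the constraining form is `rule: 'MustRunAs'` with a `seLinuxOptions` mapping (`user`, `role`, `type`, `level`), which is what a policy that keeps `MustRunAsNonRoot` for `runAsUser` and a ranged `MustRunAs` for `supplementalGroups` would be expected to use. If the relaxation is deliberate (for example so the chart installs on nodes without SELinux), record it on the line, e.g. `rule: 'RunAsAny'  # no SELinux constraint; use MustRunAs with seLinuxOptions to enforce a context`.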
From: Ryan Bonham
Date: Mon, 25 Mar 2019 14:01:06 -0500
Subject: [PATCH 3/5] Fix security context remove fsGroup
---
 production/helm/values.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/production/helm/values.yaml b/production/helm/values.yaml
index ee7df7a807..1dd0d3b87d 100644
--- a/production/helm/values.yaml
+++ b/production/helm/values.yaml
@@ -51,7 +51,6 @@ loki:
 # memory: 128Mi
 
 securityContext:
- fsGroup: 10001
 readOnlyRootFilesystem: true
 runAsGroup: 10001
 runAsNonRoot: true
@@ -180,7 +179,6 @@ promtail:
 # memory: 128Mi
 
 securityContext:
- fsGroup: 0
 readOnlyRootFilesystem: true
 runAsGroup: 0
 runAsUser: 0
From 0d8cd062ffc62cdbb7429d5827ecb22adcf92a91 Mon Sep 17 00:00:00 2001
From: Ryan Bonham
Date: Mon, 25 Mar 2019 15:11:48 -0500
Subject: [PATCH 4/5] Change Loki's Pod and Conainter Security Policies.
---
 production/helm/templates/loki/deployment.yaml | 4 +++-
 production/helm/values.yaml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/production/helm/templates/loki/deployment.yaml b/production/helm/templates/loki/deployment.yaml
index c221489b17..e357708e13 100644
--- a/production/helm/templates/loki/deployment.yaml
+++ b/production/helm/templates/loki/deployment.yaml
@@ -37,6 +37,8 @@ spec:
 serviceAccountName: {{ template "loki.serviceAccountName" . }}
 {{- if .Values.loki.priorityClassName }}
 priorityClassName: {{ .Values.loki.priorityClassName }}
+ securityContext:
+ {{- toYaml .Values.loki.securityContext | nindent 8 }}
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
@@ -61,7 +63,7 @@ spec:
 resources:
 {{- toYaml .Values.loki.resources | nindent 12 }}
 securityContext:
- {{- toYaml .Values.loki.securityContext | nindent 12 }}
+ readOnlyRootFilesystem: true
 nodeSelector:
 {{- toYaml .Values.loki.nodeSelector | nindent 8 }}
 affinity:
diff --git a/production/helm/values.yaml b/production/helm/values.yaml
index 1dd0d3b87d..b18e0044d4 100644
--- a/production/helm/values.yaml
+++ b/production/helm/values.yaml
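Review bot: In the first deployment.yaml hunk of 4/5 the new pod-level `securityContext:` and its `toYaml` line are placed inside `{{- if .Values.loki.priorityClassName }}`, ahead of the `{{- end }}`, so the pod only receives `loki.securityContext` (`fsGroup`, `runAsGroup`, `runAsNonRoot`, `runAsUser`) when a priority class is configured; whenever it is not — presumably the default — the second hunk has also reduced the container `securityContext` to a bare `readOnlyRootFilesystem: true`, so Loki ends up with no run-as-non-root enforcement at all, a silent regression from what the container-level `toYaml` provided before. Move `{{- end }}` up so it directly follows the `priorityClassName:` line and the two `securityContext` lines become unconditional. Separately, because the container context in the second hunk is now a fixed literal, chart users can no longer set fields such as `allowPrivilegeEscalation: false` or a `capabilities.drop` list from values; rendering a second values entry for the container context with `toYaml`, as the pod one is, would keep that configurable.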
@@ -51,7 +51,7 @@ loki:
 # memory: 128Mi
 
 securityContext:
- readOnlyRootFilesystem: true
+ fsGroup: 10001
 runAsGroup: 10001
 runAsNonRoot: true
 runAsUser: 10001
From 4c5d6ea206940041af225b8d5bd885fe383760ef Mon Sep 17 00:00:00 2001
From: Ryan Bonham
Date: Mon, 25 Mar 2019 15:26:14 -0500
Subject: [PATCH 5/5] Dropping liveness/readiness probe from promtail helm template as there is not health checks currently.. Can add back once something exist and we can do so without if statements..
---
 production/helm/templates/promtail/daemonset.yaml | 8 --------
 production/helm/values.yaml | 4 ----
 2 files changed, 12 deletions(-)
diff --git a/production/helm/templates/promtail/daemonset.yaml b/production/helm/templates/promtail/daemonset.yaml
index f913536189..ca9464651e 100644
--- a/production/helm/templates/promtail/daemonset.yaml
+++ b/production/helm/templates/promtail/daemonset.yaml
@@ -57,14 +57,6 @@ spec:
 name: http-metrics
 securityContext:
 {{- toYaml .Values.promtail.securityContext | nindent 12 }}
- {{- if .Values.promtail.livenessProbe }}
- livenessProbe:
- {{- toYaml .Values.promtail.livenessProbe | nindent 12 }}
- {{- end }}
- {{- if .Values.promtail.livenessProbe }}
- readinessProbe:
- {{- toYaml .Values.promtail.readinessProbe | nindent 12 }}
- {{- end }}
 resources:
 {{- toYaml .Values.promtail.resources | nindent 12 }}
 nodeSelector:
diff --git a/production/helm/values.yaml b/production/helm/values.yaml
index b18e0044d4..199fbb881f 100644
--- a/production/helm/values.yaml
+++ b/production/helm/values.yaml
@@ -166,10 +166,6 @@ promtail:
 mountPath: /var/lib/docker/containers
 readOnly: true
 
- readinessProbe: null
-
- livenessProbe: null
-
 resources: {}
 # limits:
 # cpu: 200m
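Review bot: After this values.yaml hunk of 4/5, `loki.securityContext` holds only pod-level fields (`fsGroup`, `runAsGroup`, `runAsNonRoot`, `runAsUser`) and deployment.yaml renders it at pod scope, while the `promtail.securityContext` block touched in 3/5 still carries the container-only `readOnlyRootFilesystem` and, going by daemonset.yaml in 1/5 and 5/5, is still rendered at container indentation (`nindent 12`); the same values key now means a different scope for each component, and nothing in values.yaml says so. A comment above this block, such as `# Pod-level securityContext for the Loki pod; the container's readOnlyRootFilesystem is fixed in the deployment template`, with a matching `# Container-level securityContext` note on the promtail block, would stop someone adding `readOnlyRootFilesystem` back here, where it is not a valid PodSecurityContext field.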