[bitnami/fluentd] Make forwarder daemon user run as root. (#2323)

* [bitnami/fluentd] Make forwarder daemon user run as root.

* Update bitnami/fluentd/README.md

Co-Authored-By: irizzant <i.rizzante@gmail.com>

* Update bitnami/fluentd/README.md

Co-Authored-By: irizzant <i.rizzante@gmail.com>

* Update bitnami/fluentd/README.md

Co-Authored-By: irizzant <i.rizzante@gmail.com>

* [bitnami/fluentd] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: irizzant <i.rizzante@gmail.com>
Co-authored-by: Bitnami Containers <containers@bitnami.com>
Javier J. Salmerón-García
2020-04-16 18:33:44 +02:00
committed by GitHub
parent 02f6f20580
commit f5f5a1c03a
5 changed files with 29 additions and 6 deletions

View File

@@ -1,6 +1,6 @@
apiVersion: v1
name: fluentd
version: 0.5.4
version: 1.0.0
appVersion: 1.10.2
description: Fluentd is an open source data collector for unified logging layer
keywords:

View File

@@ -51,7 +51,7 @@ The command removes all the Kubernetes components associated with the chart and
The following tables lists the configurable parameters of the kibana chart and their default values.
| Parameter | Description | Default |
| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
|-------------------------------------------------|----------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.registry` | Fluentd image registry | `docker.io` |
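
Review bot: The unchanged context line at the top of this hunk still reads "configurable parameters of the kibana chart" in the Fluentd README. Since the table separator row directly below it is being rewritten anyway, correct it to "fluentd chart" in the same change (and "tables lists" to "table lists").
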
@@ -62,7 +62,9 @@ The following tables lists the configurable parameters of the kibana chart and t
| `nameOverride` | String to partially override fluentd.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override fluentd.fullname template with a string | `nil` |
| `clusterDomain` | Kubernetes DNS domain name to use | `cluster.local` |
| `forwarder.enabled` | Enable Fluentd aggregator | `true` |
| `forwarder.enabled` | Enable Fluentd forwarder | `true` |
| `forwarder.daemonUser` | Fluentd forwarder daemon system user | `root` |
| `forwarder.daemonGroup` | Fluentd forwarder daemon system group | `root` |
| `forwarder.securityContext.enabled` | Enable security context for forwarder pods | `true` |
| `forwarder.securityContext.fsGroup` | Group ID for forwarder's containers filesystem | `0` |
| `forwarder.securityContext.runAsUser` | User ID for forwarder's containers | `0` |
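
Review bot: The two new rows describe `forwarder.daemonUser` and `forwarder.daemonGroup` only as the daemon "system user" and "system group", directly above `forwarder.securityContext.runAsUser` and `forwarder.securityContext.fsGroup`, which already default to `0`. State in the descriptions how the two pairs relate and that a non-root value needs read access to the mounted host log paths, so an operator who hardens one pair knows whether the other has to change as well.
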
@@ -152,7 +154,6 @@ The following tables lists the configurable parameters of the kibana chart and t
| `tls.serverCertificate` | Server certificate | Server certificate content |
| `tls.serverKey` | Server Key | Server private key content |
| `tls.existingSecret` | Existing secret with certificate content | `nil` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
@@ -283,3 +284,11 @@ aggregator.extraEnv[0].value=your-ip-here
aggregator.extraEnv[1].name=ELASTICSEARCH_PORT
aggregator.extraEnv[1].value=your-port-here
```
### Notable changes
## 1.0.0
In this version of the chart the Fluentd forwarder daemon system user will be root by default. This is done to ensure that mounted host paths are readable by the forwarder. For more context, check this [support case](https://github.com/bitnami/charts/issues/1905).
No issues are expected in the upgrade process. However, please ensure that you add extra security measures in your cluster as you will be running root containers. If you want the daemon to be run as a user different from root, you can change the `forwarder.daemonUser` and `forwarder.daemonGroup` values. In this case make sure that the user you choose has sufficient permissions to read log files under `/var/lib/docker/containers` directory.
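
Review bot: "please ensure that you add extra security measures" in the 1.0.0 note gives operators nothing to act on for a chart that now runs a root daemon with host paths mounted. Name the measures that are meant, or at least show the override next to the text, for example `--set forwarder.daemonUser=<user>,forwarder.daemonGroup=<group>`, together with the read-permission requirement on `/var/lib/docker/containers` that the last sentence mentions. The headings are also inverted: `### Notable changes` is followed by `## 1.0.0`, which puts the version entry one level above its own section.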

View File

@@ -45,6 +45,10 @@ spec:
value: {{ .Values.forwarder.configFile }}
- name: FLUENTD_OPT
value: {{ .Values.forwarder.extraArgs | quote }}
- name: FLUENTD_DAEMON_USER
value: {{ .Values.forwarder.daemonUser | quote }}
- name: FLUEND_DAEMON_GROUP
value: {{ .Values.forwarder.daemonGroup | quote }}
{{- if .Values.forwarder.extraEnv }}
{{- toYaml .Values.forwarder.extraEnv | nindent 12 }}
{{- end }}
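
Review bot: The second added variable is named `FLUEND_DAEMON_GROUP`, without the `T`, while its sibling is `FLUENTD_DAEMON_USER` and the existing variable above is `FLUENTD_OPT`. If the image reads the `FLUENTD_`-prefixed name, `forwarder.daemonGroup` is silently ignored and the daemon keeps whatever group the image defaults to, which undermines the non-root override the README describes. Rename it to `FLUENTD_DAEMON_GROUP`.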

View File

@@ -13,7 +13,7 @@ global: {}
image:
registry: docker.io
repository: bitnami/fluentd
tag: 1.10.2-debian-10-r0
tag: 1.10.2-debian-10-r2
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -45,6 +45,11 @@ forwarder:
##
enabled: true
## Forwarder daemon user and group (set to root by default because it reads from host paths)
##
daemonUser: root
daemonGroup: root
## K8s Security Context for forwarder pods
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
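
Review bot: `daemonUser: root` and `daemonGroup: root` make the most privileged option the default, and the comment above them gives only the reason ("reads from host paths"), not the alternative. Extend the comment to say that a non-root user and group work when they can read the mounted host log directories, so the trade-off is visible where the value is set and not only in the README.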

View File

@@ -13,7 +13,7 @@ global: {}
image:
registry: docker.io
repository: bitnami/fluentd
tag: 1.10.2-debian-10-r0
tag: 1.10.2-debian-10-r2
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -45,6 +45,11 @@ forwarder:
##
enabled: true
## Forwarder daemon user and group (set to root by default because it reads from host paths)
##
daemonUser: root
daemonGroup: root
## K8s Security Context for forwarder pods
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##