Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Loki and promtail unable to start when using Istio and PodSecurityPolicies #2355

Closed
StevenReitsma opened this issue Jul 15, 2020 · 4 comments · Fixed by #2366 or #2379
Closed

Loki and promtail unable to start when using Istio and PodSecurityPolicies #2355

StevenReitsma opened this issue Jul 15, 2020 · 4 comments · Fixed by #2366 or #2379

Comments

@StevenReitsma
Copy link
Contributor

StevenReitsma commented Jul 15, 2020
edited
Loading

Describe the bug
We have a cluster where we use PodSecurityPolicies and Istio. The Loki and promtail helm charts (and maybe fluentbit as well, but we don't use it) support the creation of a PodSecurityPolicy. This PodSecurityPolicy does not include volume mounting of the projected and downwardAPI type, which are necessary for the Istio sidecar to function.

To Reproduce
Steps to reproduce the behavior:

  1. Enable PodSecurityPolicy plugin
  2. Deploy Istio (1.5.5)
  3. Deploy the Loki helm chart (1.5.0)
  4. Loki cannot start because it's missing downwardAPI and projected volume permissions for the Istio sidecar

Same goes for promtail.

Note that this is AFTER I added NET_BIND_SERVICE capability to the PSP which is necessary to make it work according to #2115. I think this should already be fixed in a new release right?

Expected behavior
Loki and promtail can start.

Environment:

  • Kubernetes 1.17.8 on Openstack
  • Helm

How to fix:
Add downwardAPI and projected to the list of volumes in the PSPs for Loki, promtail and maybe fluentbit.

I can make a PR if the maintainers agree that this change should be made.
@invidian
Copy link
Contributor

Maybe adding a variable for extra allowed volumes to PSP would be a solution here?

@StevenReitsma
Copy link
Contributor Author

StevenReitsma commented Jul 16, 2020
edited
Loading

That's also a possibility, although I don't immediately see any security implications for adding the projected and downwardAPI types as a default. The Prometheus operator (as an example) also does this.

@owen-d
Copy link
Member

owen-d commented Jul 16, 2020
edited
Loading

Thanks for the detailed writeup. Two things:

  • Yes, we removed the NET_BIND_SERVICE capability requirement as it was causing unnecessary difficulties.
  • This seems completely reasonable and we'd love a PR.

@StevenReitsma
Copy link
Contributor Author

Good to hear! I'll send a PR later today.

StevenReitsma added a commit to StevenReitsma/loki that referenced this issue Jul 16, 2020
@StevenReitsma
Add projected and downwardAPI volume types to PodSecurityPolicy (graf…
64f5079 
…ana#2355)
@StevenReitsma StevenReitsma mentioned this issue Jul 16, 2020
Merged
2 tasks
cyriltovena pushed a commit that referenced this issue Jul 17, 2020
@StevenReitsma
Add projected and downwardAPI volume types to PodSecurityPolicy (#2355)…
05b4525 
… (#2366)
@StevenReitsma StevenReitsma mentioned this issue Jul 20, 2020
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@StevenReitsma @owen-d @invidian