DEV Community


Kubernetes - Give rights for HostPath volumes to services

Maxime Guilbert
Just a dev who touches a lot of things and wants to share his experiences (or just wants to note somewhere the things not to forget).
・1 min read

I installed FluentD on a Kubernetes cluster on AWS, and I had an issue with the security already in place on the cluster: it wasn't able to write to hostPath volumes.


After a quick search, I found a really good blog post that summarizes everything we need to know about hostPath volumes and the issues that come with them.

So if you have an issue with it, go check this link:
https://suraj.io/post/k8s-hostpat-nuke-nodes/


Solution to my problem

Everything below is based on that blog post.

Declare a PodSecurityPolicy that allows the hostPath prefixes the service needs, then grant the "use" verb on that policy to the service's ServiceAccount through a Role and a RoleBinding in the namespace the pods run in. The PSP admission controller only admits a pod if its ServiceAccount (or the user creating it) is authorized to use a policy that the pod satisfies.

Two caveats worth knowing. allowedHostPaths only restricts the path written in the pod spec: a writable host directory can still contain symlinks to other places, and write access to something like /var/log already gives a pod a lot of leverage on the node, so keep the prefix list as short as possible and set readOnly: true on any prefix the service only reads from. And PodSecurityPolicy itself was deprecated in Kubernetes 1.21 and removed in 1.25, so on recent clusters the same restriction has to be expressed with Pod Security Admission (which has no per-path allow list) or an admission policy engine.

PodSecurityPolicy

apiVersion: policy/v1beta1   # PodSecurityPolicy: deprecated in 1.21, removed in 1.25
kind: PodSecurityPolicy
metadata:
  name: psp-hostpath
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'                      # every volume type, hostPath included; list only the types the pod needs if you can
  privileged: false          # Don't allow privileged pods!
  allowedHostPaths:          # a hostPath volume must start with one of these prefixes
  - pathPrefix: /abc         # matches /abc, /abc/ and /abc/anything, but not /abcd
  - pathPrefix: /def         # add readOnly: true on a prefix the service only reads from

Role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-authorize-hostpath
  namespace: fluentd         # a Role is namespaced: create it where the pods run
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']         # 'use' is the verb the PSP admission controller checks
  resourceNames:
  - psp-hostpath             # only this policy, not every PSP in the cluster

RoleBinding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-hostpath-fluentd
  namespace: fluentd         # same namespace as the Role and the pods
roleRef:
  kind: Role
  name: role-authorize-hostpath
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: fluentd            # Name of the ServiceAccount the pods run as
    namespace: fluentd
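To see why a pod gets through or gets rejected before touching a cluster, here is an added example (my code, not the post's YAML or Kubernetes source) that re-implements the documented allowedHostPaths semantics (pathPrefix matching and readOnly), the volumes allow-list and the RBAC "use" check from the three manifests above over constructed in-memory objects. The policy, Role, RoleBinding, namespace and ServiceAccount names mirror the post; the pod specs and the extra read-only policy in the comments are constructed for the demonstration, and the real admission controller checks far more than this.

```python
"""Model of PodSecurityPolicy admission for hostPath volumes.

Added example, not the post's YAML or Kubernetes source: it re-implements the
documented allowedHostPaths semantics (pathPrefix, readOnly), the `volumes`
allow-list and the RBAC `use` check over constructed in-memory objects. The
real admission controller checks much more (runAsUser, capabilities, ...).
"""
from collections import namedtuple

AllowedHostPath = namedtuple("AllowedHostPath", "path_prefix read_only", defaults=[False])
PSP = namedtuple("PSP", "name volumes allowed_host_paths")            # volumes: ['*'] or type names
Volume = namedtuple("Volume", "name kind host_path", defaults=[""])   # kind: 'hostPath', 'configMap', ...
Pod = namedtuple("Pod", "namespace service_account volumes mounts")   # mounts: {volume name: readOnly}
Role = namedtuple("Role", "namespace name psp_names")                 # verb `use` on these resourceNames
RoleBinding = namedtuple("RoleBinding", "namespace role service_accounts")  # [(namespace, sa name)]


def has_path_prefix(path, prefix):
    """Documented pathPrefix rule: '/abc' allows '/abc', '/abc/' and '/abc/x',
    but not '/abcd' or '/etc/abc'. A plain str.startswith would accept '/abcd'."""
    prefix = prefix.rstrip("/")
    if not prefix:                          # an empty prefix matches any path
        return True
    return path == prefix or path.startswith(prefix + "/")


def allows_host_path(psp, host_path):
    """Return (allowed, must_be_read_only). An empty allowedHostPaths list
    means every host path is allowed, which is the documented default."""
    if not psp.allowed_host_paths:
        return True, False
    allowed = must_ro = False
    for entry in psp.allowed_host_paths:
        if has_path_prefix(host_path, entry.path_prefix):
            if not entry.read_only:
                return True, False          # a writable match wins outright
            allowed = must_ro = True
    return allowed, must_ro


def validate(pod, psp):
    """Violations the PSP would report for this pod (empty list = passes)."""
    errors = []
    for vol in pod.volumes:
        if "*" not in psp.volumes and vol.kind not in psp.volumes:
            errors.append(f"volume {vol.name}: type {vol.kind} is not allowed")
        elif vol.kind == "hostPath":
            ok, must_ro = allows_host_path(psp, vol.host_path)
            if not ok:
                errors.append(f"volume {vol.name}: hostPath {vol.host_path} is not allowed")
            elif must_ro and not pod.mounts.get(vol.name, True):   # unmounted volume cannot be written
                errors.append(f"volume {vol.name}: hostPath {vol.host_path} must be mounted readOnly")
    return errors


def usable_psps(pod, roles, bindings):
    """PSP names the pod's ServiceAccount may `use`: a RoleBinding in the pod's
    namespace naming the SA and referencing a Role that grants use on the PSP.
    Real clusters also honour ClusterRoleBindings and the user creating the pod."""
    names = set()
    for rb in bindings:
        if rb.namespace != pod.namespace or (pod.namespace, pod.service_account) not in rb.service_accounts:
            continue
        for role in roles:
            if (role.namespace, role.name) == (rb.namespace, rb.role):
                names.update(role.psp_names)
    return names


def admit(pod, psps, roles, bindings):
    """Name of the first usable PSP that validates the pod, or None when the API
    server would reject it (simplified: policies are tried in name order only)."""
    usable = usable_psps(pod, roles, bindings)
    for psp in sorted(psps, key=lambda p: p.name):
        if psp.name in usable and not validate(pod, psp):
            return psp.name
    return None


# Constructed objects mirroring the post: psp-hostpath allows /abc and /def; a
# Role and RoleBinding in namespace fluentd grant `use` to ServiceAccount fluentd.
PSP_HOSTPATH = PSP("psp-hostpath", ["*"], [AllowedHostPath("/abc"), AllowedHostPath("/def")])
ROLES = [Role("fluentd", "role-authorize-hostpath", ["psp-hostpath"])]
BINDINGS = [RoleBinding("fluentd", "role-authorize-hostpath", [("fluentd", "fluentd")])]


def fluentd_pod(host_path, sa="fluentd", read_only=False):
    """A constructed fluentd-like pod in namespace fluentd mounting one hostPath volume."""
    return Pod("fluentd", sa, [Volume("logs", "hostPath", host_path), Volume("cfg", "configMap")],
               {"logs": read_only, "cfg": True})


if __name__ == "__main__":
    for path, sa in [("/abc/logs", "fluentd"), ("/abcd", "fluentd"), ("/abc", "default")]:
        print(f"{sa:8} {path:10} -> {admit(fluentd_pod(path, sa), [PSP_HOSTPATH], ROLES, BINDINGS)}")
```

Running it shows the three outcomes that matter here: /abc/logs with ServiceAccount fluentd is admitted by psp-hostpath, /abcd is rejected even though it starts with the string /abc, and the same pod under the default ServiceAccount is rejected because nothing grants it use of the policy. On a live cluster the same two questions are answered by kubectl auth can-i use podsecuritypolicy/psp-hostpath --as=system:serviceaccount:fluentd:fluentd -n fluentd, and by the kubernetes.io/psp annotation the admission controller sets on every pod it admits.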

I hope it will help you as much as it helps me! 😃


Thanks Suraj Deshmukh for your blog post!

Don't hesitate to give some feedback to help me improve my writing skills. Thanks!
