I installed FluentD on a Kubernetes cluster on AWS, and I had an issue with the security already in place on the cluster: it wasn't able to write to hostPath volumes.
After a quick search, I found a really good blog post that summarises everything we need to know about hostPath volumes and their associated issues.
So if you have an issue with it, go check this link:
https://suraj.io/post/k8s-hostpat-nuke-nodes/
Solution to my problem
All that is written below is based on the blog post content. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so these manifests only apply to clusters still running the PSP admission controller.
Declare a PodSecurityPolicy that allows the needed host paths, a Role that grants `use` on that policy, and a RoleBinding that attaches the Role to the ServiceAccount of my service.
PodSecurityPolicy

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-hostpath
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'  # every volume type is allowed; narrow this to the types you actually use
  privileged: false # Don't allow privileged pods!
  allowedHostPaths:
    # Only host paths under these prefixes may be mounted (a prefix matches whole
    # path segments: /abc allows /abc and /abc/x, but not /abcd). Add readOnly: true
    # to an entry when the pod only needs to read from it.
    - pathPrefix: /abc
    - pathPrefix: /def
```
Role

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-authorize-hostpath
  namespace: fluentd # must live in the namespace where the FluentD pods run
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - psp-hostpath # only this policy, not every PSP in the cluster
```
RoleBinding

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-hostpath-fluentd
  namespace: fluentd # same namespace as the Role and the ServiceAccount
roleRef:
  kind: Role
  name: role-authorize-hostpath
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: fluentd # Name of the ServiceAccount
    namespace: fluentd
```
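To check a pod spec against the policy before applying it, here is a small pre-deploy lint, added here as an example and not taken from the post or from Kubernetes itself. `PSP_HOSTPATH` is built from the manifest above (with `/def` made read-only to exercise that rule) and `SAMPLE_POD` is a constructed FluentD-like pod; the lint mirrors the PSP admission checks for privileged containers, hostPath volume type, allowed path prefixes and read-only mounts.

```python
# Added example (not part of the post): a pre-deploy lint that applies the
# PSP hostPath checks to a pod spec before kubectl apply.
# PSP_HOSTPATH is constructed from the manifest in the post; SAMPLE_POD is made up.
from typing import Dict, List

PSP_HOSTPATH: Dict = {
    "privileged": False,
    "volumes": ["*"],
    "allowedHostPaths": [{"pathPrefix": "/abc"}, {"pathPrefix": "/def", "readOnly": True}],
}

SAMPLE_POD: Dict = {  # constructed: a fluentd-like pod reading logs from the node
    "containers": [{"name": "fluentd", "volumeMounts": [
        {"name": "logs", "mountPath": "/var/log/in", "readOnly": True}]}],
    "volumes": [{"name": "logs", "hostPath": {"path": "/def/logs"}}],
}

def has_path_prefix(path: str, prefix: str) -> bool:
    """Segment-aware match as PSP does it: /abc allows /abc and /abc/x, not /abcd."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/") + "/"
    return (path if path.endswith("/") else path + "/").startswith(prefix)

def hostpath_violations(psp: Dict, pod_spec: Dict) -> List[str]:
    """Reasons the PSP admission controller would reject this pod spec."""
    problems: List[str] = []
    allowed = psp.get("allowedHostPaths") or []   # empty list means any host path
    mounts: Dict[str, List[Dict]] = {}
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged") and not psp.get("privileged"):
            problems.append(f"container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            mounts.setdefault(m["name"], []).append(m)
    for v in pod_spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp is None:
            continue
        if "*" not in psp.get("volumes", []) and "hostPath" not in psp.get("volumes", []):
            problems.append(f"volume {v['name']}: hostPath volume type not allowed")
        matches = [a for a in allowed if has_path_prefix(hp["path"], a["pathPrefix"])]
        if allowed and not matches:
            problems.append(f"volume {v['name']}: {hp['path']} is under no allowed prefix")
            continue
        # Conservative: if any matching prefix is readOnly, every mount must be readOnly.
        if any(a.get("readOnly") for a in matches):
            for m in mounts.get(v["name"], []):
                if not m.get("readOnly"):
                    problems.append(f"volume {v['name']}: must be mounted readOnly")
    return problems

if __name__ == "__main__":
    print(hostpath_violations(PSP_HOSTPATH, SAMPLE_POD) or "pod passes psp-hostpath")
```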
I hope it will help you as much as it helped me! 😃
Thanks Suraj Deshmukh for your blog post!
Don't hesitate to give some feedback to help me improve my writing skills. Thanks!