Cluster Logging (log forwarding) fails to deploy with restricted PodSecurityPolicy in Rancher v2.2
This document (000020224) is provided subject to the disclaimer at the end of this document.
Situation
Issue
Attempting to enable Cluster Logging (log forwarding) in a Rancher v2.2 cluster where the restricted PodSecurityPolicy (PSP) is configured on the cluster fails: the rancher-logging-fluentd and rancher-logging-log-aggregator Deployments cannot create Pods.
The rancher-logging-fluentd Deployment fails to validate against the restricted PSP, with an error of the following format in events:
Error creating: pods "rancher-logging-fluentd-" is forbidden: unable to validate against any pod security policy: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[5]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[6]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[10]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
The rancher-logging-log-aggregator Deployment fails to validate against the restricted PSP, with an error of the following format in events:
Error creating: pods "rancher-logging-log-aggregator-" is forbidden: unable to validate against any pod security policy: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
Pre-requisites
- A cluster managed by Rancher v2.2
- Cluster Logging enabled
- PodSecurityPolicy enabled in the cluster and the restricted PSP configured at the cluster level
Root Cause
The logging system-charts in Rancher v2.2 are not compatible with the restricted PodSecurityPolicy. As a result where the restricted PSP is configured, cluster logging will fail to deploy successfully.
Workaround
To work around this issue, apply the following Role and RoleBinding to the cluster by copying them to a file and running kubectl --kubeconfig <cluster kubeconfig> apply -f <file>.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-psp-role
  namespace: cattle-logging
rules:
- apiGroups:
  - extensions
  resourceNames:
  - default-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-psp-rolebinding
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-psp-role
subjects:
- kind: Group
  name: system:serviceaccounts:cattle-logging
  apiGroup: rbac.authorization.k8s.io
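The following is an added offline check, not part of this article or of Rancher, that evaluates the Role and RoleBinding above the way Kubernetes RBAC would: it confirms that a logging ServiceAccount in cattle-logging (the name rancher-logging-fluentd is assumed here) may `use` default-psp, and also makes visible that the Group subject grants the same to every ServiceAccount in that namespace. The manifests are mirrored as Python dicts so no YAML library is needed.

```python
# Added example: minimal RBAC evaluation for the PSP `use` verb. Kubernetes puts a
# ServiceAccount in namespace NS into the groups "system:serviceaccounts" and
# "system:serviceaccounts:NS", and PSP admission authorizes `use` in the pod's
# namespace, so a RoleBinding in that namespace is sufficient.
ROLE = {  # mirrors the Role manifest above
    "metadata": {"name": "default-psp-role", "namespace": "cattle-logging"},
    "rules": [{"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
               "resourceNames": ["default-psp"], "verbs": ["use"]}],
}
ROLE_BINDING = {  # mirrors the RoleBinding manifest above
    "metadata": {"name": "default-psp-rolebinding", "namespace": "cattle-logging"},
    "roleRef": {"kind": "Role", "name": "default-psp-role"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts:cattle-logging"}],
}

def sa_groups(namespace):
    """Groups a ServiceAccount token in `namespace` carries."""
    return {"system:authenticated", "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}"}

def rule_matches(rule, api_group, resource, name, verb):
    """PolicyRule match honouring '*' wildcards and optional resourceNames."""
    def hit(field, value):
        return "*" in rule.get(field, []) or value in rule.get(field, [])
    names = rule.get("resourceNames") or []
    return (hit("apiGroups", api_group) and hit("resources", resource)
            and hit("verbs", verb) and (not names or name in names))

def can_use_psp(sa_namespace, sa_name, psp_name, role=ROLE, binding=ROLE_BINDING):
    """True if ServiceAccount sa_namespace/sa_name may `use` psp_name via this pair."""
    # Namespaced RBAC: binding and Role must live in the pod's namespace and match.
    if binding["metadata"]["namespace"] != sa_namespace:
        return False
    if role["metadata"]["namespace"] != sa_namespace:
        return False
    if binding["roleRef"]["kind"] != "Role" or binding["roleRef"]["name"] != role["metadata"]["name"]:
        return False
    groups = sa_groups(sa_namespace)
    matched = any(
        (s["kind"] == "Group" and s["name"] in groups)
        or (s["kind"] == "ServiceAccount" and s.get("namespace") == sa_namespace
            and s["name"] == sa_name)
        for s in binding["subjects"])
    if not matched:
        return False
    return any(rule_matches(r, "extensions", "podsecuritypolicies", psp_name, "use")
               for r in role["rules"])
```

Against a live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicies/default-psp --as=system:serviceaccount:cattle-logging:<sa-name> -n cattle-logging`; because the binding targets the whole namespace group, any ServiceAccount created in cattle-logging later inherits the same grant.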
Resolution
An update ensuring the logging system-charts are compatible with the restricted PodSecurityPolicy is available in Rancher v2.3.0 and above.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020224
- Creation Date: 06-May-2021
- Modified Date: 06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com