
I am trying to create a daemonset that will collect logs from all the pods in a node from a specific namespace. I am not sure how I would specify a namespace name.

I have a namespace logging in which I deploy the daemonset. I created a serviceaccount as below

apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluent-bit
  namespace: logging

My cluster role looks like this

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: fluent-bit-read
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - pods
  verbs: ["get", "list", "watch"]

role binding

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: fluent-bit-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluent-bit-read
subjects:
- kind: ServiceAccount
  name: fluent-bit
  namespace: logging

Right now the daemonset collects logs from the path /var/log/containers/*.log which currently has log files from containers running in all namespaces. Is there a way I could restrict this daemonset to just collect logs from the namespaces I need?

fledgling
  • Your question and title are unrelated. Fluentd/bit log collection is entirely unrelated to Kubernetes RBAC. – coderanger Mar 31 '20 at 22:54
  • fluentbit is running as a daemonset in a Kubernetes cluster; I want to restrict this to read only logs from certain namespaces – fledgling Apr 01 '20 at 01:20
  • @vkr why does my answer not answer your question? You should use a Role instead of ClusterRole as ClusterRole is cluster wide and cannot be namespaced. – Juliano Costa Apr 01 '20 at 14:16

3 Answers

Here is what we have in k8s documentation (link).

A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.

ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can’t be both.

So, in your case you need to make use of a Role and a RoleBinding instead of a ClusterRole and ClusterRoleBinding.

Juliano Costa

You'll have to adjust your Bit config to only read the log files you want. Or you could use routing rules if you prefer. This is not related to the Kubernetes API, Bit reads the logs directly off the disk via a bind mount.

coderanger
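The namespace-based selection coderanger's answer points at can be done on the filenames alone, because kubelet names every symlink in /var/log/containers as <pod-name>_<namespace>_<container-name>-<container-id>.log. The following Python is an added example, not code from any answer here or from the Fluent Bit project: it parses that naming convention, selects files for a set of namespaces both with a structured parser and with the same glob you would put in a Fluent Bit tail input, and renders such an [INPUT] section (Fluent Bit's Path accepts comma-separated globs). The log file list is constructed sample data, not a real node's directory.

```python
"""
Select Kubernetes container log files by namespace from their filenames.

kubelet symlinks each container log into /var/log/containers as
  <pod-name>_<namespace>_<container-name>-<container-id>.log
Pod, namespace and container names may not contain underscores, so the
namespace is always the second underscore-separated field and a glob such as
/var/log/containers/*_logging_*.log cannot match a file from another namespace.
"""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional

# Filename convention used by kubelet for per-container log symlinks.
_LOG_NAME = re.compile(
    r"^(?P<pod>[^_]+)_(?P<namespace>[^_]+)_(?P<container>[^_]+)-(?P<cid>[0-9a-f]{64})\.log$"
)


def parse_log_name(path: str) -> Optional[Dict[str, str]]:
    """Return pod/namespace/container/cid parsed from a log path, or None if it is not a container log."""
    match = _LOG_NAME.match(path.rsplit("/", 1)[-1])
    return match.groupdict() if match else None


def namespace_glob(namespace: str, log_dir: str = "/var/log/containers") -> str:
    """Glob matching only the log files of pods in `namespace`, usable as a Fluent Bit Path entry."""
    return f"{log_dir}/*_{namespace}_*.log"


def select_by_parser(paths: Iterable[str], namespaces: Iterable[str]) -> List[str]:
    """Keep the paths whose parsed namespace is in `namespaces`; non-container files are dropped."""
    wanted = set(namespaces)
    kept = []
    for path in paths:
        info = parse_log_name(path)
        if info is not None and info["namespace"] in wanted:
            kept.append(path)
    return kept


def select_by_glob(paths: Iterable[str], namespaces: Iterable[str]) -> List[str]:
    """Same selection, but using the per-namespace glob, as Fluent Bit's tail input would."""
    globs = [namespace_glob(ns) for ns in namespaces]
    return [p for p in paths if any(fnmatch.fnmatch(p, g) for g in globs)]


def tail_input_section(namespaces: Iterable[str], log_dir: str = "/var/log/containers") -> str:
    """Render a Fluent Bit [INPUT] block whose Path is restricted to the given namespaces."""
    paths = ",".join(namespace_glob(ns, log_dir) for ns in namespaces)
    return (
        "[INPUT]\n"
        "    Name   tail\n"
        "    Tag    kube.*\n"
        f"    Path   {paths}\n"
        # Assumes the docker JSON log format; containerd/CRI-O nodes use the cri parser instead.
        "    Parser docker\n"
    )


# Constructed sample directory listing (not taken from a real node).
SAMPLE_FILES = [
    "/var/log/containers/fluent-bit-7x9kq_logging_fluent-bit-" + "a" * 64 + ".log",
    "/var/log/containers/coredns-5d78c9869d-abcde_kube-system_coredns-" + "b" * 64 + ".log",
    "/var/log/containers/web-6f7d8_shop_nginx-" + "c" * 64 + ".log",
    "/var/log/containers/web-6f7d8_shop_log-sidecar-" + "d" * 64 + ".log",
    "/var/log/containers/not-a-container-log.txt",
]

if __name__ == "__main__":
    print(select_by_parser(SAMPLE_FILES, ["shop"]))
    print(tail_input_section(["logging", "shop"]))
```

The two selectors agree on every well-formed filename, which is the check worth doing before trusting a Path glob: the glob is what the collector actually evaluates, the parser is what you can reason about. Note that this restricts which files the collector reads; it has nothing to do with the Role or ClusterRole, which only governs what the Fluent Bit pod may ask the API server for (pod metadata enrichment).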

ClusterRole with RoleBinding

A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding's namespace.

This kind of reference lets you define a set of common roles across your cluster, then reuse them within multiple namespaces.

Create RoleBinding yaml

Use RoleBinding instead of ClusterRoleBinding

Create file with below content and save as rb.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: fluent-bit-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluent-bit-read
subjects:
- kind: ServiceAccount
  name: fluent-bit
  namespace: logging

Apply RoleBinding

Apply the yaml file

kubectl apply -f rb.yaml -n [namespace]

Let's say you want to restrict the daemonset to the logging namespace

kubectl apply -f rb.yaml -n logging

Reference

https://stackoverflow.com/a/60960500/21099211 by @Juliano Costa

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

ctr-27