I'm trying to deploy the Splunk OTel Collector Helm chart into our k8s cluster.
The problem is that we have some internal security policies and containers can't run as root or have access to the root file system. For example, this error when I run it without a security context: "Readonly root file system is required for container". Or this other error: "container is not dropping all required capabilities. Container must drop all of ["NET_RAW"] or "ALL"".
So I created this security context for this:
securityContext:
  capabilities:
    drop:
      - NET_RAW
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 20000
  runAsGroup: 20000
  allowPrivilegeEscalation: false
According to the chart, you can add a security context as indicated here.
This will create an init container that will grant access to the files and directories needed by the container.
"Setting runAsUser and runAsGroup to a non root user enables an init container that patches group permissions of container logs directories on the host filesystem to make logs readable by this non root user."
The problem, or the "trap", comes now: because the init container has no permission on the root filesystem, the deployment fails and it's unable to start.
How can I fix this so that this daemonset can run successfully, with the init container being able to run? You can check daemonset.yaml inside the chart to see how the init container works.
Log error of init container:
ownership of '/var/addon/splunk/otel_pos/receiver_journald_docker' retained as 20000:20000
ownership of '/var/addon/splunk/otel_pos/receiver_filelog_' retained as 20000:20000
ownership of '/var/addon/splunk/otel_pos/receiver_journald_kubelet' retained as 20000:20000
ownership of '/var/addon/splunk/otel_pos' retained as 20000:20000
mode of '/var/addon/splunk/otel_pos' retained as 2775 (rwxrwsr-x)
setfacl: /var/log/pods/monitoringapps_spc-test-08-splunk-otel-collector-agent-5c9fm_d51656c3-007e-4018-bba5-c1154cd6610d/patch-log-dirs/6.log: Operation not permitted
setfacl: /var/log/pods/monitoringapps_spc-test-08-splunk-otel-collector-agent-5c9fm_d51656c3-007e-4018-bba5-c1154cd6610d/patch-log-dirs/5.log: Operation not permitted
setfacl: /var/log/pods/monitoringapps_spc-test-08-splunk-otel-collector-agent-5c9fm_d51656c3-007e-4018-bba5-c1154cd6610d/migrate-checkpoint/0.log: Operation not permitted
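The init-container log above mixes two different outcomes: the chown/chmod on the checkpoint directory under /var/addon succeeded (ownership "retained" as the non-root UID), while every setfacl on the kubelet-owned files under /var/log/pods failed with "Operation not permitted", which is what you get when the calling UID neither owns the file nor has CAP_FOWNER. The following added script (not part of the chart or the question; the sample log is constructed, with placeholder pod names) parses that log format and reports per host tree what the init container could and could not fix, so the failing tree can be identified without reading every rotated .log line.

```python
import re
from collections import Counter

# Constructed sample modelled on the init-container log in the question.
# The namespace_pod_uid segment is a placeholder, not a real pod.
SAMPLE_LOG = """\
ownership of '/var/addon/splunk/otel_pos/receiver_journald_docker' retained as 20000:20000
ownership of '/var/addon/splunk/otel_pos' retained as 20000:20000
mode of '/var/addon/splunk/otel_pos' retained as 2775 (rwxrwsr-x)
setfacl: /var/log/pods/ns_pod-placeholder_uid-placeholder/patch-log-dirs/6.log: Operation not permitted
setfacl: /var/log/pods/ns_pod-placeholder_uid-placeholder/migrate-checkpoint/0.log: Operation not permitted
"""

OWNERSHIP_RE = re.compile(r"^ownership of '(?P<path>[^']+)' retained as (?P<uid>\d+):(?P<gid>\d+)$")
MODE_RE = re.compile(r"^mode of '(?P<path>[^']+)' retained as (?P<mode>[0-7]+) \((?P<perm>[rwxsStT-]+)\)$")
SETFACL_RE = re.compile(r"^setfacl: (?P<path>.+?): (?P<err>.+)$")


def parse_init_log(text):
    """Classify each log line as an ownership, mode or setfacl-error event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OWNERSHIP_RE.match(line):
            events.append({"kind": "ownership", "path": m["path"], "owner": f"{m['uid']}:{m['gid']}"})
        elif m := MODE_RE.match(line):
            events.append({"kind": "mode", "path": m["path"], "mode": m["mode"]})
        elif m := SETFACL_RE.match(line):
            events.append({"kind": "setfacl_error", "path": m["path"], "error": m["err"]})
        else:
            events.append({"kind": "other", "line": line})
    return events


def summarize(events, expected_owner="20000:20000"):
    """Return the paths owned by the expected UID:GID and the host trees where ACL patching failed."""
    owned_ok = sorted({e["path"] for e in events if e["kind"] == "ownership" and e["owner"] == expected_owner})
    failed = {}
    for e in events:
        if e["kind"] != "setfacl_error":
            continue
        # Group by pod log directory (/var/log/pods/<ns_pod_uid>) rather than by rotated .log file.
        tree = "/".join(e["path"].split("/")[:5]) if e["path"].startswith("/var/log/pods/") else e["path"]
        failed.setdefault(tree, Counter())[e["error"]] += 1
    return {"owned_ok": owned_ok, "failed_trees": {k: dict(v) for k, v in failed.items()}}


if __name__ == "__main__":
    for key, value in summarize(parse_init_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed it the real init-container output with `kubectl logs <pod> -c <init-container>`; a non-empty `failed_trees` under /var/log/pods means the non-root init container is being asked to modify files it does not own.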