
Fluentbit - hostPath eks 1.25

Open quadrinho opened this issue 2 years ago • 5 comments

Hello,

I am trying to install the fluentbit chart 0.36.0 on EKS 1.25 but I receive this error:

Error creating: pods "fluent-bit-mobile54-dev-czbkm" is forbidden: violates PodSecurity "restricted:v1.24": restricted volume types (volumes "varlog", "varlibdockercontainers", "etcmachineid" use restricted volume type "hostPath")

It seems it is not possible to mount hostPath on Kubernetes 1.25.

How can I solve the problem?

quadrinho avatar Jul 17 '23 12:07 quadrinho

@quadrinho you may not have the proper IAM permissions from EKS side, are you able to deploy any other DaemonSets?

agup006 avatar Jul 19 '23 05:07 agup006

Hello @agup006,

Yes, I can deploy other DaemonSets in the cluster.

The problem is that hostPath volumes are not allowed anymore in Kubernetes 1.25, and so also in EKS 1.25.

Can you help me on this?

Thanks!

quadrinho avatar Jul 19 '23 05:07 quadrinho

Hmm, I'm not sure that's true, as I'm using 1.25 and the chart with no problems. Adding @patrick-stephens @celalettin1286 in case they know the answer.

agup006 avatar Jul 19 '23 05:07 agup006

Yeah, you have to allow host paths in your cluster. It would be the same for any hostPath mount - you can verify this fairly easily.

I'm not sure of the specific requirement for EKS; for OpenShift it needs to be part of the SCC. I suspect you need to migrate your PSP to a PSS or set one up: https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy-removal-faq.html

patrick-stephens avatar Jul 19 '23 09:07 patrick-stephens

Hi!

This seems to be due to the PSA label enforced for the namespace where fluent-bit is installed. To check the pod-security.kubernetes.io mode and level labels for this namespace, just try:

kubectl get ns <YOUR_NAMESPACE> --show-labels

This will show an output like:

NAME    STATUS   AGE    LABELS
foo   Active   42d   kubernetes.io/metadata.name=foo,name=foo,pod-security.kubernetes.io/enforce=restricted

If this is the case, you can refer to PSS documentation on how to enforce PSS using namespace labels https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/

Probably the solution for you is to relax the PSA level enforced for this namespace, but bear in mind why the restricted level was enforced.

aleonsan avatar Jan 30 '24 14:01 aleonsan
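The namespace-label check above and the PSP-to-PSS migration that patrick-stephens mentions both come down to which Pod Security level the namespace enforces. As an added example (not from this thread and not part of the fluent-bit chart), the Python below parses the LABELS column of `kubectl get ns --show-labels`, applies the Pod Security Standards' volume rules for that level to a pod spec, and reproduces the kind of admission message quadrinho saw. The namespace label line, the pod spec and the function names are constructed for illustration; the label keys and the restricted-profile volume allowlist are the real ones from the Pod Security Standards.

```python
"""Offline check: would Pod Security Admission reject this pod's volumes in this namespace?"""
from typing import Dict, List, Optional, Tuple

# Volume types the "restricted" profile allows (Pod Security Standards, "Volume Types").
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
PSA_LEVELS = ("privileged", "baseline", "restricted")

# Constructed sample: the LABELS column as printed by `kubectl get ns --show-labels`.
SAMPLE_LABELS = ("kubernetes.io/metadata.name=logging,name=logging,"
                 "pod-security.kubernetes.io/enforce=restricted,"
                 "pod-security.kubernetes.io/enforce-version=v1.24")

# Constructed sample: a log-collector DaemonSet pod with the usual hostPath mounts.
SAMPLE_POD = {
    "metadata": {"name": "fluent-bit-example-czbkm"},
    "spec": {
        "volumes": [
            {"name": "config", "configMap": {"name": "fluent-bit"}},
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "varlibdockercontainers",
             "hostPath": {"path": "/var/lib/docker/containers"}},
            {"name": "etcmachineid", "hostPath": {"path": "/etc/machine-id"}},
        ]
    },
}


def parse_show_labels(column: str) -> Dict[str, str]:
    """Turn 'k1=v1,k2=v2' (kubectl's --show-labels format) into a dict."""
    labels: Dict[str, str] = {}
    for item in column.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            labels[key] = value
    return labels


def enforce_level(labels: Dict[str, str]) -> Tuple[str, str]:
    """Enforce level and version for a namespace; an unlabelled namespace is 'privileged'."""
    level = labels.get("pod-security.kubernetes.io/enforce", "privileged")
    if level not in PSA_LEVELS:
        raise ValueError(f"unknown pod-security level {level!r}")
    version = labels.get("pod-security.kubernetes.io/enforce-version", "latest")
    return level, version


def rejected_volumes(pod: dict, level: str) -> List[Tuple[str, str]]:
    """(name, type) of each volume the given level rejects.

    baseline forbids hostPath outright; restricted additionally allows only
    the RESTRICTED_VOLUME_TYPES allowlist; privileged rejects nothing.
    """
    bad: List[Tuple[str, str]] = []
    for vol in pod.get("spec", {}).get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # the single type key besides "name"
        if level == "baseline" and vtype == "hostPath":
            bad.append((vol["name"], vtype))
        elif level == "restricted" and vtype not in RESTRICTED_VOLUME_TYPES:
            bad.append((vol["name"], vtype))
    return bad


def admission_verdict(pod: dict, labels: Dict[str, str]) -> Optional[str]:
    """None if the pod passes the namespace's enforce level, else a PSA-style message."""
    level, version = enforce_level(labels)
    bad = rejected_volumes(pod, level)
    if not bad:
        return None
    names = ", ".join(f'"{n}"' for n, _ in bad)
    types = ", ".join(f'"{t}"' for t in sorted({t for _, t in bad}))
    return (f'pods "{pod["metadata"]["name"]}" is forbidden: violates PodSecurity '
            f'"{level}:{version}": restricted volume types (volumes {names} '
            f'use restricted volume type {types})')


if __name__ == "__main__":
    labels = parse_show_labels(SAMPLE_LABELS)
    print("enforce:", enforce_level(labels))
    print(admission_verdict(SAMPLE_POD, labels))
```

Two points the output makes visible: hostPath is already forbidden at the baseline level, so lowering the namespace from restricted to baseline does not help a log collector; and the level is a per-namespace setting, so the usual approach is a dedicated namespace for the DaemonSet labelled `pod-security.kubernetes.io/enforce=privileged` while keeping `pod-security.kubernetes.io/warn=restricted` and `pod-security.kubernetes.io/audit=restricted`, rather than relaxing a namespace that application workloads share.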