
Why are clusterroles needed?

Open ppaslan opened this issue 1 year ago • 1 comments

Hi,

I am thinking of using FluentD in a secure cluster to consume messages from Kafka and ship them to Elasticsearch after some parsing, and I am a bit curious why this clusterrole is needed. Why does fluentd need to get/list/watch pods and namespaces?

```yaml
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "fluentd.fullname" . }}
  labels:
    {{- include "fluentd.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - list
      - watch
  {{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
  - apiGroups:
      - policy
    resourceNames:
      - {{ include "fluentd.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
  {{- end }}
{{- end -}}
```

ppaslan, Aug 11 '23 09:08

https://docs.fluentbit.io/manual/pipeline/filters/kubernetes - see under Query Kubernetes API Server to obtain extra metadata for the POD in question...

SamuraiPrinciple, Oct 09 '23 13:10
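
A least-privilege check for the role discussed in this thread, added here as an example (it is not part of the issue or of the chart): it reads a ClusterRole in the JSON form returned by `kubectl get clusterrole <name> -o json` and reports every rule that goes beyond the read-only access to pods and namespaces shown in the template. The sample role, its name `example-fluentd` and the extra `secrets` rule are constructed for illustration.

```python
import json

# Constructed sample: the chart's pods/namespaces rule plus one extra rule
# (secrets) added here so the audit has something to report.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-fluentd"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}
""")

# Baseline taken from the ClusterRole template quoted in the issue.
ALLOWED_RESOURCES = {("", "pods"), ("", "namespaces")}
ALLOWED_VERBS = {"get", "list", "watch"}


def audit_cluster_role(role):
    """Return (rule_index, message) findings for rules that exceed the baseline."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        if rule.get("nonResourceURLs"):
            findings.append((i, "non-resource URLs: %s" % rule["nonResourceURLs"]))
            continue
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # The template's PodSecurityPolicy rule is pinned by resourceNames; accept it.
        if (groups == ["policy"] and resources == ["podsecuritypolicies"]
                and verbs == {"use"} and rule.get("resourceNames")):
            continue
        extra_verbs = verbs - ALLOWED_VERBS
        if extra_verbs:
            findings.append((i, "verbs beyond read-only: %s" % sorted(extra_verbs)))
        for g in groups:
            for r in resources:
                if (g, r) not in ALLOWED_RESOURCES:
                    findings.append((i, "unexpected resource: %s/%s" % (g or "core", r)))
    return findings
```

An empty result means the role grants nothing beyond the pod and namespace lookups that metadata enrichment uses.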