
Document how to allow unprivileged deployment in OpenShift

Open mariomac opened this issue 1 year ago • 3 comments

See instructions here: https://github.com/grafana/beyla/issues/1077#issuecomment-2262291007

mariomac avatar Aug 02 '24 09:08 mariomac

It looks like we don't have any OpenShift setup documentation. Is this something we'd like to add?

grafsean avatar Oct 08 '24 09:10 grafsean

@grafsean yeah, I think it's something we should do to help any potential OpenStack user.

mariomac avatar Oct 09 '24 08:10 mariomac

I was able to deploy Beyla in OKD (an open-source Kubernetes distribution that serves as the upstream of Red Hat OpenShift) using the following configuration:

Helm chart version: 1.7.3
Beyla version: 2.0.3
Kubernetes version: v1.25.0-2786+eab9cc98fe4c00-dirty
Linux distribution: NAME="Fedora Linux" VERSION="37.20230218.3.0 (CoreOS)"
Kernel version: 6.1.11-200.fc37.x86_64
OS/Arch: linux/amd64

File: cluster-role-binding.yaml

{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "beyla.fullname" . }}-openshift
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "beyla.fullname" . }}-openshift
subjects:
- kind: ServiceAccount
  name: {{ include "beyla.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{- end }}

File: cluster-role.yaml

{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "beyla.fullname" . }}-openshift
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - {{ include "beyla.fullname" . }}
  verbs:
  - use
{{- end }}

File: scc.yaml

{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: {{ include "beyla.fullname" . }}
allowHostDirVolumePlugin: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: false
allowedCapabilities:
  - BPF
  - SYS_PTRACE
  - NET_RAW
  - CHECKPOINT_RESTORE
  - DAC_READ_SEARCH
  - PERFMON
  - SYS_ADMIN
  - NET_ADMIN
readOnlyRootFilesystem: true
runAsUser:
  type: MustRunAs
  uid: 0
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
{{- end }}

File: values.yaml

global:
  compatibility:
    openshift:
      adaptSecurityContext: force

beyla:
  enabled: true
  service:
    enabled: true
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/path: "/internal/metrics"
      prometheus.io/port: "8080"
  config:
    data:
      attributes:
        kubernetes:
          enable: true
      routes:
        unmatched: heuristic
      network:
        enable: true
      ebpf:
        enable_context_propagation: true
      discovery:
        services:
          - k8s_pod_labels:
              grafana.com/beyla-instrumentation: "enabled"
      internal_metrics:
        exporter: prometheus
        prometheus:
          port: 8080
          path: /internal/metrics
  privileged: false
  extraCapabilities:
    - SYS_ADMIN
    - NET_ADMIN
  volumes:
    - name: cgroup
      hostPath:
        path: /sys/fs/cgroup
    - name: security
      hostPath:
        path: /sys/kernel/security
  volumeMounts:
    - name: cgroup
      mountPath: /sys/fs/cgroup
    - name: security
      mountPath: /sys/kernel/security

beyimjan avatar Apr 11 '25 09:04 beyimjan
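The SCC, ClusterRole and values above work together as a least-privilege contract: the SCC says what an unprivileged Beyla pod may request (hostPID, hostPath volumes, a fixed set of capabilities, uid 0, but never `privileged: true`), and the `use` verb on that one SCC is what lets the service account be admitted under it. The following is an added example, not Beyla's code or part of the Helm chart: a small Python model of the SCC admission rules that matter here, run against a pod shaped like the one the values above render, and against two non-compliant variants. The container name `beyla`, the exact capability list the chart adds and the pod layout are assumptions; the SCC fields are copied from the comment.

```python
"""Model the subset of OpenShift SecurityContextConstraints (SCC) admission
that is relevant to the Beyla deployment in this issue.

Added example, not Beyla's code. Real SCC admission also handles SELinux,
fsGroup, supplementalGroups, hostPorts, requiredDropCapabilities and SCC
prioritisation; those are deliberately left out to keep the model readable.
"""
from typing import Any, Dict, List

# Constructed from the scc.yaml in the comment above (not read from a cluster).
BEYLA_SCC: Dict[str, Any] = {
    "allowHostDirVolumePlugin": True,
    "allowHostNetwork": True,
    "allowHostPID": True,
    "allowHostPorts": True,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": [
        "BPF", "SYS_PTRACE", "NET_RAW", "CHECKPOINT_RESTORE",
        "DAC_READ_SEARCH", "PERFMON", "SYS_ADMIN", "NET_ADMIN",
    ],
    "readOnlyRootFilesystem": True,
    "runAsUser": {"type": "MustRunAs", "uid": 0},
}


def scc_violations(scc: Dict[str, Any], pod: Dict[str, Any]) -> List[str]:
    """Return the reasons this SCC would reject the pod; an empty list means admitted.

    Fields the pod leaves unset are treated as defaulted by the SCC (the
    admission plugin mutates them), so only explicit conflicts are reported.
    """
    problems: List[str] = []
    spec = pod["spec"]

    if spec.get("hostPID") and not scc["allowHostPID"]:
        problems.append("hostPID requested but not allowed")
    if spec.get("hostNetwork") and not scc["allowHostNetwork"]:
        problems.append("hostNetwork requested but not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol and not scc["allowHostDirVolumePlugin"]:
            problems.append(f"hostPath volume {vol['name']!r} not allowed")

    allowed_caps = set(scc["allowedCapabilities"])
    run_as = scc["runAsUser"]
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            problems.append(f"container {name!r}: privileged containers not allowed")
        # Capability names in pod specs carry no CAP_ prefix, matching the SCC list.
        extra = set(sc.get("capabilities", {}).get("add", [])) - allowed_caps
        if extra:
            problems.append(f"container {name!r}: capabilities not in SCC: {sorted(extra)}")
        if scc["readOnlyRootFilesystem"] and sc.get("readOnlyRootFilesystem") is False:
            problems.append(f"container {name!r}: SCC requires a read-only root filesystem")
        if run_as["type"] == "MustRunAs" and sc.get("runAsUser", run_as["uid"]) != run_as["uid"]:
            problems.append(f"container {name!r}: must run as uid {run_as['uid']}")
    return problems


def beyla_pod() -> Dict[str, Any]:
    """Constructed pod resembling what the values.yaml above renders (assumed shape)."""
    return {
        "spec": {
            "hostPID": True,
            "volumes": [
                {"name": "cgroup", "hostPath": {"path": "/sys/fs/cgroup"}},
                {"name": "security", "hostPath": {"path": "/sys/kernel/security"}},
            ],
            "containers": [{
                "name": "beyla",
                "securityContext": {
                    "privileged": False,
                    "runAsUser": 0,
                    "readOnlyRootFilesystem": True,
                    # Assumed: the chart's default capabilities plus extraCapabilities.
                    "capabilities": {"add": ["BPF", "SYS_PTRACE", "NET_RAW", "CHECKPOINT_RESTORE",
                                             "DAC_READ_SEARCH", "PERFMON", "SYS_ADMIN", "NET_ADMIN"]},
                },
            }],
        }
    }


def privileged_variant() -> Dict[str, Any]:
    """Same pod with privileged: true, i.e. the setting the SCC is meant to refuse."""
    pod = beyla_pod()
    pod["spec"]["containers"][0]["securityContext"]["privileged"] = True
    return pod


def extra_cap_variant(cap: str) -> Dict[str, Any]:
    """Same pod requesting one capability the SCC does not list."""
    pod = beyla_pod()
    pod["spec"]["containers"][0]["securityContext"]["capabilities"]["add"].append(cap)
    return pod


if __name__ == "__main__":
    for label, pod in [("chart defaults", beyla_pod()),
                       ("privileged", privileged_variant()),
                       ("extra cap", extra_cap_variant("SYS_MODULE"))]:
        print(label, "->", scc_violations(BEYLA_SCC, pod) or "admitted")
```

After deploying, the check worth making is that the pod was actually admitted under this SCC and not a broader one such as `privileged`: OpenShift records the chosen SCC in the pod annotation `openshift.io/scc`, so `oc get pod <beyla-pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` should print the chart's SCC name.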