
Added RBAC policies for deployment

Open eugene-chow opened this issue 8 years ago • 17 comments

eugene-chow avatar Apr 24 '17 02:04 eugene-chow

@kayrus Thanks for making EFK work on k8s :)

eugene-chow avatar Apr 24 '17 02:04 eugene-chow

@eugene-chow didn't you miss a role for es-master?

kayrus avatar Apr 24 '17 10:04 kayrus

I built the RBAC rules based on the error messages. es-master didn't malfunction in my deployment so I thought it didn't need to talk to kube-apiserver. Can you advise?

eugene-chow avatar Apr 24 '17 10:04 eugene-chow

@eugene-chow how many masters do you have?

kayrus avatar Apr 24 '17 10:04 kayrus

3 masters

eugene-chow avatar Apr 24 '17 14:04 eugene-chow

They definitely have to communicate to api-server. How do they do this without rbac? Or did I miss something? Sorry, I don't have a test cluster with RBAC right now.

kayrus avatar Apr 24 '17 15:04 kayrus

Let me check tomorrow. It might be spitting out errors.

On 24 Apr 2017, at 23:30, kayrus [email protected] wrote:

They definitely have to communicate to api-server. How do they do this without rbac? Or did I miss something? Sorry, I don't have a test cluster with RBAC right now.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/kayrus/elk-kubernetes/pull/12#issuecomment-296707240, or mute the thread https://github.com/notifications/unsubscribe-auth/AJjUqCo3femAjJCSzdw5IYYmdcricIgZks5rzL_4gaJpZM4NFofX.

eugene-chow avatar Apr 24 '17 15:04 eugene-chow

es-master is not producing any errors. But if you say that it needs to talk to kube-apiserver, I believe its RBAC should be the same as that for es-data and es-client. Do you have an idea of which API endpoints it reads?

eugene-chow avatar Apr 25 '17 01:04 eugene-chow

@kayrus what's your advice?

eugene-chow avatar Apr 27 '17 07:04 eugene-chow

Not really. I have to test this feature myself and if it's ok - I'll merge it.

kayrus avatar Apr 27 '17 08:04 kayrus

Sorry for the delay. I have a question: why did you remove the namespaces from the manifests? https://github.com/eugene-chow/elk-kubernetes/commit/1d4d8e070982e188023fa087aa232a85c3c3edb9

kubectl complains about the namespace:

The ClusterRoleBinding "kubernetes-events-printer" is invalid: subjects[0].namespace: Required value

You have to define them for ClusterRoleBinding, but skip them for RoleBinding.

kayrus avatar Jun 16 '17 14:06 kayrus

Namespace assignment is in the deploy.sh script so there's no need to specify it in the manifest.

A ClusterRoleBinding applies a Role/ClusterRole to the whole cluster. Specifying the namespace has no effect. I'm not certain why kubernetes-events-printer complains about the namespace. Never had that before.

eugene-chow avatar Jun 19 '17 00:06 eugene-chow

@eugene-chow which kubernetes version do you use? I tested on 1.6.4.

kayrus avatar Jun 19 '17 09:06 kayrus

I last tested it on 1.5.4. I do have a 1.6.4 cluster but I haven't yet attempted to deploy ELK. The RBAC should be exactly the same, if not similar.

eugene-chow avatar Jun 19 '17 09:06 eugene-chow

@eugene-chow I assume ClusterRoleBinding requires the namespace definition even when you use the --namespace %namespace% parameter for kubedns, since you have to specify which service account, and from which namespace, should be used.

kayrus avatar Jun 19 '17 09:06 kayrus

Now that you mention it, I recall that the namespace is needed when you tie the ClusterRole to a ServiceAccount in the ClusterRoleBinding.

On 19 Jun 2017, at 17:32, kayrus [email protected] wrote:

@eugene-chow https://github.com/eugene-chow I assume ClusterRoleBinding requires the namespace definition even when you use --namespace %namespace% parameter for kubedns, since you have to specify which service account and from which namespace should be used.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/kayrus/elk-kubernetes/pull/12#issuecomment-309388309, or mute the thread https://github.com/notifications/unsubscribe-auth/AJjUqE03XHbnLC-yOAWRnDBroReMuT7eks5sFkBGgaJpZM4NFofX.

eugene-chow avatar Jun 19 '17 13:06 eugene-chow
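The namespace requirement discussed above, as an added example that is not part of the PR: a ServiceAccount subject in a ClusterRoleBinding must name its namespace even though the binding itself is cluster-scoped, while a RoleBinding can omit it. The ServiceAccount name `elk`, the `logging` namespace and the `v1beta1` RBAC API version are assumptions; `kubernetes-events-printer` is the name from the kubectl error above.

```yaml
# Rejected with "subjects[0].namespace: Required value": ServiceAccounts are
# namespaced, so the API server cannot tell which "elk" account is meant.
# The binding's own scope is cluster-wide, so `kubectl --namespace` at apply
# time does not fill this in.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-events-printer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-events-printer
subjects:
- kind: ServiceAccount
  name: elk                # assumed ServiceAccount name
---
# Accepted: the same binding with the subject's namespace spelled out.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-events-printer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-events-printer
subjects:
- kind: ServiceAccount
  name: elk
  namespace: logging       # assumed; the namespace deploy.sh creates the SA in
---
# A RoleBinding is itself namespaced; a ServiceAccount subject without a
# namespace is resolved in the binding's namespace, which is why it can be
# skipped there. This form also keeps the grant to one namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubernetes-events-printer
  namespace: logging       # assumed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-events-printer
subjects:
- kind: ServiceAccount
  name: elk
```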

It's also worth introducing a PodSecurityPolicy for this. I have some kind of draft; maybe you can introduce it in this PR:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive-elk
spec:
  # Four below are for elasticsearch and ingress
  privileged: true
  # this is only for ingress
  hostNetwork: true
  allowedCapabilities:
  - IPC_LOCK
  # this is not necessary for newer k8s versions and pod-anti-affinity
  hostPorts:
  - max: 28652
    min: 28652
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

kayrus avatar Sep 11 '17 16:09 kayrus
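A PodSecurityPolicy object on its own changes nothing: with the PodSecurityPolicy admission controller enabled, a pod is only admitted if the account creating it (on recent releases, the pod's ServiceAccount as well) is authorised to `use` a policy that validates its spec, so the privileged/hostNetwork ELK pods above would be rejected until such a grant exists. The RBAC below is an added example, not code from the PR; the `elk` ServiceAccount and `logging` namespace are assumptions, and the `extensions` apiGroup matches the `extensions/v1beta1` PSP above (newer clusters use `policy`).

```yaml
# ClusterRole granting "use" of exactly one policy. resourceNames limits the
# grant to permissive-elk; without it the role would allow any PSP.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: psp-permissive-elk
rules:
- apiGroups:
  - extensions             # group of the extensions/v1beta1 PSP; "policy" on newer clusters
  resources:
  - podsecuritypolicies
  resourceNames:
  - permissive-elk
  verbs:
  - use
---
# Bind with a RoleBinding, not a ClusterRoleBinding, so that only the
# ServiceAccount in the ELK namespace can run under this permissive policy.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: psp-permissive-elk
  namespace: logging       # assumed ELK namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-permissive-elk
subjects:
- kind: ServiceAccount
  name: elk                # assumed ServiceAccount the ELK pods run as
```

To confirm the grant before deploying, `kubectl auth can-i use podsecuritypolicies/permissive-elk --as=system:serviceaccount:logging:elk` should answer `yes`. Since the draft's own comments say hostNetwork is only needed by ingress, a tighter layout would split it into a separate policy bound only to the ingress ServiceAccount.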