Provided Service Account support (#186)

Pod Security Policies Support
RBAC Refactor

README.md

@@ -87,7 +87,7 @@ The detailed CRD documentation can be found [here](/docs/crds.md).
 ## Contents
 - Installation
   - [Deploy with Helm](./docs/deploy/README.md#deploy-logging-operator-with-helm)
-  - [Deploy with Kuberenetes Manifests](./docs/deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
+  - [Deploy with Kubernetes Manifests](./docs/deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
 - [Supported Plugins](#supported-plugins)
 - Examples
   - [S3 Output](./docs/example-s3.md)
@@ -96,6 +96,7 @@ The detailed CRD documentation can be found [here](/docs/crds.md).
   - [Nginx with Loki Output](./docs/example-loki-nginx.md)
   - [Nginx with Kafka Output](./docs/example-kafka-nginx.md)
 - [Monitoring](./docs/logging-operator-monitoring.md)
+- [Security](./docs/security/README.md)
 - [Troubleshooting](#troubleshooting)
 - [Contributing](#contributing)
 ---

api/v1beta1/common_types.go

@@ -36,3 +36,10 @@ type Metrics struct {
 type KubernetesStorage struct {
 	HostPath *corev1.HostPathVolumeSource `json:"host_path,omitempty"`
 }
+
+// Security defines Fluentd, Fluentbit deployment security properties
+type Security struct {
+	ServiceAccount               string `json:"serviceAccount,omitempty"`
+	RoleBasedAccessControlCreate *bool  `json:"roleBasedAccessControlCreate,omitempty"`
+	PodSecurityPolicyCreate      bool   `json:"podSecurityPolicyCreate,omitempty"`
+}

api/v1beta1/fluentbit_types.go

@@ -33,6 +33,7 @@ type FluentbitSpec struct {
 	Parser      string                      `json:"parser,omitempty"`
 	Tolerations []corev1.Toleration         `json:"tolerations,omitempty"`
 	Metrics     *Metrics                    `json:"metrics,omitempty"`
+	Security    *Security                   `json:"security,omitempty"`
 	PositionDB  *KubernetesStorage          `json:"position_db,omitempty"`
 }
 

api/v1beta1/fluentd_types.go

@@ -34,6 +34,7 @@ type FluentdSpec struct {
 	Tolerations         []corev1.Toleration              `json:"tolerations,omitempty"`
 	NodeSelector        map[string]string                `json:"nodeSelector,omitempty"`
 	Metrics             *Metrics                         `json:"metrics,omitempty"`
+	Security            *Security                        `json:"security,omitempty"`
 }
 
 // +kubebuilder:object:generate=true

api/v1beta1/logging_types.go

@@ -17,6 +17,7 @@ package v1beta1
 import (
 	"fmt"
 
+	"github.com/banzaicloud/logging-operator/pkg/util"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -77,14 +78,20 @@ func (l *Logging) SetDefaults() *Logging {
 			copy.Spec.FluentdSpec.Image.Repository = "banzaicloud/fluentd"
 		}
 		if copy.Spec.FluentdSpec.Image.Tag == "" {
-			copy.Spec.FluentdSpec.Image.Tag = "v1.6.3-alpine-1"
+			copy.Spec.FluentdSpec.Image.Tag = "v1.6.3-alpine-2"
 		}
 		if copy.Spec.FluentdSpec.Image.PullPolicy == "" {
 			copy.Spec.FluentdSpec.Image.PullPolicy = "IfNotPresent"
 		}
 		if copy.Spec.FluentdSpec.Annotations == nil {
 			copy.Spec.FluentdSpec.Annotations = make(map[string]string)
 		}
+		if copy.Spec.FluentdSpec.Security == nil {
+			copy.Spec.FluentdSpec.Security = &Security{}
+		}
+		if copy.Spec.FluentdSpec.Security.RoleBasedAccessControlCreate == nil {
+			copy.Spec.FluentdSpec.Security.RoleBasedAccessControlCreate = util.BoolPointer(true)
+		}
 		if copy.Spec.FluentdSpec.Metrics != nil {
 			if copy.Spec.FluentdSpec.Metrics.Path == "" {
 				copy.Spec.FluentdSpec.Metrics.Path = "/metrics"
@@ -181,6 +188,12 @@ func (l *Logging) SetDefaults() *Logging {
 			copy.Spec.FluentbitSpec.Annotations = make(map[string]string)
 		}
 
+		if copy.Spec.FluentbitSpec.Security == nil {
+			copy.Spec.FluentbitSpec.Security = &Security{}
+		}
+		if copy.Spec.FluentbitSpec.Security.RoleBasedAccessControlCreate == nil {
+			copy.Spec.FluentbitSpec.Security.RoleBasedAccessControlCreate = util.BoolPointer(true)
+		}
 		if copy.Spec.FluentbitSpec.Metrics != nil {
 			if copy.Spec.FluentbitSpec.Metrics.Path == "" {
 				copy.Spec.FluentbitSpec.Metrics.Path = "/api/v1/metrics/prometheus"

charts/logging-operator/templates/rbac.yaml

@@ -90,13 +90,22 @@ rules:
       - rolebindings
       - clusterroles
       - clusterrolebindings
+      - podsecuritypolicies
       - daemonsets
       - deployments
       - replicasets
       - statefulsets
       - jobs
     verbs:
       - "*"
+  - apiGroups:
+      - extensions
+      - policy
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - list
+      - get
   {{- if .Values.rbac.psp.enabled }}
   - apiGroups:
       - extensions

charts/nginx-logging-demo/README.md

@@ -40,29 +40,35 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following tables lists the configurable parameters of the nginx-logging-demo chart and their default values.
 
-|                          Parameter                        |                        Description                      |     Default    |
-| --------------------------------------------------------- | ------------------------------------------------------- | -------------- |
-| `image.repository`                                        | Container image repository                              | `nginx`        |
-| `image.tag`                                               | Container image tag                                     | `stable`       |
-| `image.pullPolicy`                                        | Container pull policy                                   | `IfNotPresent` |
-| `nameOverride`                                            | Override name of app                                    | ``             |
-| `fullnameOverride`                                        | Override full name of app                               | ``             |
-| `affinity`                                                | Node Affinity                                           | `{}`           |
-| `resources`                                               | CPU/Memory resource requests/limits                     | `{}`           |
-| `tolerations`                                             | Node Tolerations                                        | `[]`           |
-| `nodeSelector`                                            | Define which Nodes the Pods are scheduled on.           | `{}`           |
-| `loggingOperator.fluentd.metrics.serviceMonitor`          | Enable to create ServiceMonitor for Prometheus operator | `false`        |
-| `loggingOperator.fluentd.metrics.prometheusAnnotations`   | Add prometheus labes to fluent pods.                    | `false`        |
-| `loggingOperator.fluentd.metrics.port`                    | Metrics Port.                                           | ``             |
-| `loggingOperator.fluentd.metrics.path`                    | Metrics Path                                            | ``             |
-| `loggingOperator.fluentd.metrics.timeout`                 | Scrape timeout.                                         | ``             |
-| `loggingOperator.fluentd.metrics.interval`                | Scrape interval.                                        | ``             |
-| `loggingOperator.fluentbit.metrics.serviceMonitor`        | Enable to create ServiceMonitor for Prometheus operator | `false`        |
-| `loggingOperator.fluentbit.metrics.prometheusAnnotations` | Add prometheus labes to fluent pods.                    | `false`        |
-| `loggingOperator.fluentbit.metrics.port`                  | Metrics Port.                                           | ``             |
-| `loggingOperator.fluentbit.metrics.path`                  | Metrics Path                                            | ``             |
-| `loggingOperator.fluentbit.metrics.timeout`               | Scrape timeout.                                         | ``             |
-| `loggingOperator.fluentbit.metrics.interval`              | Scrape interval.                                        | ``             |
+|                          Parameter                                |                        Description                      |     Default    |
+| ---------------------------------------------------------         | ------------------------------------------------------- | -------------- |
+| `image.repository`                                                | Container image repository                              | `nginx`        |
+| `image.tag`                                                       | Container image tag                                     | `stable`       |
+| `image.pullPolicy`                                                | Container pull policy                                   | `IfNotPresent` |
+| `nameOverride`                                                    | Override name of app                                    | ``             |
+| `fullnameOverride`                                                | Override full name of app                               | ``             |
+| `affinity`                                                        | Node Affinity                                           | `{}`           |
+| `resources`                                                       | CPU/Memory resource requests/limits                     | `{}`           |
+| `tolerations`                                                     | Node Toleration                                         | `[]`           |
+| `nodeSelector`                                                    | Define which Nodes the Pods are scheduled on.           | `{}`           |
+| `loggingOperator.fluentd.metrics.serviceMonitor`                  | Enable to create ServiceMonitor for Prometheus operator | `false`        |
+| `loggingOperator.fluentd.metrics.prometheusAnnotations`           | Add prometheus labels to fluent pods.                   | `false`        |
+| `loggingOperator.fluentd.metrics.port`                            | Metrics Port.                                           | ``             |
+| `loggingOperator.fluentd.metrics.path`                            | Metrics Path                                            | ``             |
+| `loggingOperator.fluentd.metrics.timeout`                         | Scrape timeout.                                         | ``             |
+| `loggingOperator.fluentd.metrics.interval`                        | Scrape interval.                                        | ``             |
+| `loggingOperator.fluentbit.metrics.serviceMonitor`                | Enable to create ServiceMonitor for Prometheus operator | `false`        |
+| `loggingOperator.fluentbit.metrics.prometheusAnnotations`         | Add prometheus labels to fluent pods.                   | `false`        |
+| `loggingOperator.fluentbit.metrics.port`                          | Metrics Port.                                           | ``             |
+| `loggingOperator.fluentbit.metrics.path`                          | Metrics Path                                            | ``             |
+| `loggingOperator.fluentbit.metrics.timeout`                       | Scrape timeout.                                         | ``             |
+| `loggingOperator.fluentbit.metrics.interval`                      | Scrape interval.                                        | ``             |
+| `loggingOperator.fluentd.security.roleBasedAccessControlCreate`   | Enable fluentd RBAC                                     | `true`         |
+| `loggingOperator.fluentd.security.podSecurityPolicyCreate`        | Enable fluentd PSP                                      | `true`         |
+| `loggingOperator.fluentd.security.serviceAccount`                 | Set fluentd Service Account                             | ``             |
+| `loggingOperator.fluentbit.security.roleBasedAccessControlCreate` | Enable fluentbit RBAC                                   | `true`         |
+| `loggingOperator.fluentbit.security.podSecurityPolicyCreate`      | Enable fluentbit PSP                                    | `true`         |
+| `loggingOperator.fluentbit.security.serviceAccount`               | Set fluentbit Service Account                           | ``             |
 
 
 Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:

config/crd/bases/logging.banzaicloud.io_loggings.yaml

@@ -119,6 +119,17 @@ spec:
                         to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                       type: object
                   type: object
+                security:
+                  description: Security defines Fluentd, Fluentbit deployment security
+                    properties
+                  properties:
+                    podSecurityPolicyCreate:
+                      type: boolean
+                    roleBasedAccessControlCreate:
+                      type: boolean
+                    serviceAccount:
+                      type: string
+                  type: object
                 targetHost:
                   type: string
                 targetPort:
@@ -372,6 +383,17 @@ spec:
                         to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                       type: object
                   type: object
+                security:
+                  description: Security defines Fluentd, Fluentbit deployment security
+                    properties
+                  properties:
+                    podSecurityPolicyCreate:
+                      type: boolean
+                    roleBasedAccessControlCreate:
+                      type: boolean
+                    serviceAccount:
+                      type: string
+                  type: object
                 tls:
                   description: FluentdTLS defines the TLS configs
                   properties:

docs/deploy/manifests/rbac.yaml

@@ -79,13 +79,15 @@ rules:
       - rolebindings
       - clusterroles
       - clusterrolebindings
+      - podsecuritypolicies
       - daemonsets
       - deployments
       - replicasets
       - statefulsets
       - jobs
     verbs:
       - "*"
+
 ---
 # Source: logging-operator/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1

docs/example-es-nginx.md

@@ -11,10 +11,10 @@
     - [Deploy with Helm](#example-es-nginx.md#deploy-elasticsearch)
   - **Logging Operator**
     - [Deploy with Helm](#install-with-helm)
-    - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
    - **Demo Application**  
     - [Deploy with Helm](#nginx-app-and-logging-definition)
-    - [Deploy with Kuberenetes Manifests](#install-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](#install-from-kubernetes-manifests)
 - **Validation**
     - [Cerebro Dashboard](#forward-cerebro-dashboard)
     - [Kibana Dashboard](#forward-kibana-dashboard)

docs/example-kafka-nginx.md

@@ -11,10 +11,10 @@
     - [Deploy with Helm](#deploy-kafka)
   - **Logging Operator**
     - [Deploy with Helm](#install-with-helm)
-    - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
    - **Demo Application**  
     - [Deploy with Helm](install-with-helm)
-    - [Deploy with Kuberenetes Manifests](#install-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](#install-from-kubernetes-manifests)
 - **Validation**
     - [Kafkacat](#test-your-deployment-with-kafkacat)
 ---

docs/example-loki-nginx.md

@@ -11,10 +11,10 @@
     - [Deploy with Helm](#add-operator-chart-repository)
   - **Logging Operator**
     - [Deploy with Helm](#install-with-helm)
-    - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
    - **Demo Application**  
     - [Deploy with Helm](#nginx-app--logging-definition)
-    - [Deploy with Kuberenetes Manifests](#install-from-manifest)
+    - [Deploy with Kubernetes Manifests](#install-from-manifest)
 - **Validation**
     - [Grafana Dashboard](#grafana-dashboard)
 ---

docs/logging-operator-monitoring.md

@@ -11,12 +11,12 @@
     - [Deploy with Helm](#install-prometheus-operator-with-helm)
   - **Logging Operator**
     - [Deploy with Helm](#install-with-helm)
-    - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
+    - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests)
   - **Minio**  
-    - [Deploy with Kuberenetes Manifests](#install-minio)
+    - [Deploy with Kubernetes Manifests](#install-minio)
    - **Demo Application**  
     - [Deploy with Helm](#deploy-demo-nginx-app--logging-definition-with-metrics)
-    - [Deploy with Kuberenetes Manifests](#install-from-manifest)
+    - [Deploy with Kubernetes Manifests](#install-from-manifest)
 - **Validation**
     - [Prometheus Dashboard](#prometheus)
     - [Minio Dashboard](#minio)