From 993f31513cb5dd90ca5cbfe93dc445da24dd7fba Mon Sep 17 00:00:00 2001 From: Ferenc HERNADI Date: Tue, 29 Oct 2019 09:34:48 +0100 Subject: [PATCH] Provided Service Account support (#186) Pod Security Policies Support RBAC Refactor --- README.md | 3 +- api/v1beta1/common_types.go | 7 + api/v1beta1/fluentbit_types.go | 1 + api/v1beta1/fluentd_types.go | 1 + api/v1beta1/logging_types.go | 15 +- api/v1beta1/zz_generated.deepcopy.go | 30 ++ charts/logging-operator/templates/rbac.yaml | 9 + charts/nginx-logging-demo/README.md | 52 +-- .../logging.banzaicloud.io_loggings.yaml | 22 ++ docs/deploy/manifests/rbac.yaml | 2 + docs/example-es-nginx.md | 4 +- docs/example-kafka-nginx.md | 4 +- docs/example-loki-nginx.md | 4 +- docs/logging-operator-monitoring.md | 6 +- docs/security/README.md | 297 ++++++++++++++++++ docs/security/manifests/deployment.yaml | 21 ++ docs/security/manifests/rbac.yaml | 104 ++++++ hack/test.sh | 1 + pkg/resources/fluentbit/daemonset.go | 2 +- pkg/resources/fluentbit/fluentbit.go | 28 +- pkg/resources/fluentbit/psp.go | 128 ++++++++ pkg/resources/fluentbit/rbac.go | 80 +++-- pkg/resources/fluentd/fluentd.go | 40 ++- pkg/resources/fluentd/psp.go | 114 +++++++ pkg/resources/fluentd/rbac.go | 86 +++-- pkg/resources/fluentd/statefulset.go | 3 +- pkg/resources/templates/templates.go | 18 ++ 27 files changed, 975 insertions(+), 107 deletions(-) create mode 100644 docs/security/README.md create mode 100644 docs/security/manifests/deployment.yaml create mode 100644 docs/security/manifests/rbac.yaml create mode 100644 pkg/resources/fluentbit/psp.go create mode 100644 pkg/resources/fluentd/psp.go diff --git a/README.md b/README.md index a63241f51..15163edcc 100644 --- a/README.md +++ b/README.md 
@@ -87,7 +87,7 @@ The detailed CRD documentation can be found [here](/docs/crds.md). ## Contents - Installation - [Deploy with Helm](./docs/deploy/README.md#deploy-logging-operator-with-helm) - - [Deploy with Kuberenetes Manifests](./docs/deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](./docs/deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) - [Supported Plugins](#supported-plugins) - Examples - [S3 Output](./docs/example-s3.md) @@ -96,6 +96,7 @@ The detailed CRD documentation can be found [here](/docs/crds.md). - [Nginx with Loki Output](./docs/example-loki-nginx.md) - [Nginx with Kafka Output](./docs/example-kafka-nginx.md) - [Monitoring](./docs/logging-operator-monitoring.md) +- [Security](./docs/security/README.md) - [Troubleshooting](#troubleshooting) - [Contributing](#contributing) --- diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index a3a11f3ae..1ad322ab4 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -36,3 +36,10 @@ type Metrics struct { type KubernetesStorage struct { HostPath *corev1.HostPathVolumeSource `json:"host_path,omitempty"` } + +// Security defines Fluentd, Fluentbit deployment security properties +type Security struct { + ServiceAccount string `json:"serviceAccount,omitempty"` + RoleBasedAccessControlCreate *bool `json:"roleBasedAccessControlCreate,omitempty"` + PodSecurityPolicyCreate bool `json:"podSecurityPolicyCreate,omitempty"` +} diff --git a/api/v1beta1/fluentbit_types.go b/api/v1beta1/fluentbit_types.go index 4313202c8..4d9db0557 100644 --- a/api/v1beta1/fluentbit_types.go +++ b/api/v1beta1/fluentbit_types.go 
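Review bot: The new `Security` struct's fields have no doc comments, and the two booleans default differently — `RoleBasedAccessControlCreate` is a `*bool` that `SetDefaults` later turns into `true` when nil, while `PodSecurityPolicyCreate` is a plain `bool` whose zero value leaves PSP creation off — so a reader of the generated CRD cannot tell which option is opt-in. I would comment each field: `// RoleBasedAccessControlCreate creates the RBAC resources for the component; nil defaults to true.`, `// PodSecurityPolicyCreate creates a PodSecurityPolicy for the component; defaults to false and requires RBAC creation.`, `// ServiceAccount names an existing ServiceAccount the component's pods run as.` The PSP-requires-RBAC dependency and the ServiceAccount semantics are taken from the docs/security README in this patch rather than from code in this view, so confirm them against pkg/resources before committing the wording. Note also that the two READMEs in this patch disagree on the PSP default (docs/security says False, nginx-logging-demo says `true`); the Go zero value matches the former.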
@@ -33,6 +33,7 @@ type FluentbitSpec struct {
 Parser string `json:"parser,omitempty"`
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 Metrics *Metrics `json:"metrics,omitempty"`
+ Security *Security `json:"security,omitempty"`
 PositionDB *KubernetesStorage `json:"position_db,omitempty"`
 }
diff --git a/api/v1beta1/fluentd_types.go b/api/v1beta1/fluentd_types.go
index dfb24105f..8a3f2ee9f 100644
--- a/api/v1beta1/fluentd_types.go
+++ b/api/v1beta1/fluentd_types.go
@@ -34,6 +34,7 @@ type FluentdSpec struct {
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 Metrics *Metrics `json:"metrics,omitempty"`
+ Security *Security `json:"security,omitempty"`
 }
 // +kubebuilder:object:generate=true
diff --git a/api/v1beta1/logging_types.go b/api/v1beta1/logging_types.go
index b27f32ae1..9920ed949 100644
--- a/api/v1beta1/logging_types.go
+++ b/api/v1beta1/logging_types.go
@@ -17,6 +17,7 @@ package v1beta1
 import (
 "fmt"
+ "github.com/banzaicloud/logging-operator/pkg/util"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -77,7 +78,7 @@ func (l *Logging) SetDefaults() *Logging {
 copy.Spec.FluentdSpec.Image.Repository = "banzaicloud/fluentd"
 }
 if copy.Spec.FluentdSpec.Image.Tag == "" {
- copy.Spec.FluentdSpec.Image.Tag = "v1.6.3-alpine-1"
+ copy.Spec.FluentdSpec.Image.Tag = "v1.6.3-alpine-2"
 }
 if copy.Spec.FluentdSpec.Image.PullPolicy == "" {
 copy.Spec.FluentdSpec.Image.PullPolicy = "IfNotPresent"
@@ -85,6 +86,12 @@ func (l *Logging) SetDefaults() *Logging {
 if copy.Spec.FluentdSpec.Annotations == nil {
 copy.Spec.FluentdSpec.Annotations = make(map[string]string)
 }
+ if copy.Spec.FluentdSpec.Security == nil {
+ copy.Spec.FluentdSpec.Security = &Security{}
+ }
+ if copy.Spec.FluentdSpec.Security.RoleBasedAccessControlCreate == nil {
+ copy.Spec.FluentdSpec.Security.RoleBasedAccessControlCreate = util.BoolPointer(true)
+ }
 if copy.Spec.FluentdSpec.Metrics != nil {
 if copy.Spec.FluentdSpec.Metrics.Path == "" {
 copy.Spec.FluentdSpec.Metrics.Path = "/metrics"
@@ -181,6 +188,12 @@ func (l *Logging) SetDefaults() *Logging {
 copy.Spec.FluentbitSpec.Annotations = make(map[string]string)
 }
+ if copy.Spec.FluentbitSpec.Security == nil {
+ copy.Spec.FluentbitSpec.Security = &Security{}
+ }
+ if copy.Spec.FluentbitSpec.Security.RoleBasedAccessControlCreate == nil {
+ copy.Spec.FluentbitSpec.Security.RoleBasedAccessControlCreate = util.BoolPointer(true)
+ }
 if copy.Spec.FluentbitSpec.Metrics != nil {
 if copy.Spec.FluentbitSpec.Metrics.Path == "" {
 copy.Spec.FluentbitSpec.Metrics.Path = "/api/v1/metrics/prometheus"
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 9e22bb69c..cdd408654 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -342,6 +342,11 @@ func (in *FluentbitSpec) DeepCopyInto(out *FluentbitSpec) {
 *out = new(Metrics)
 **out = **in
 }
+ if in.Security != nil {
+ in, out := &in.Security, &out.Security
+ *out = new(Security)
+ (*in).DeepCopyInto(*out)
+ }
 if in.PositionDB != nil {
 in, out := &in.PositionDB, &out.PositionDB
 *out = new(KubernetesStorage)
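Review bot: `SetDefaults` now forces `RoleBasedAccessControlCreate` to true when it is nil, but nothing handles `PodSecurityPolicyCreate: true` paired with an explicit `RoleBasedAccessControlCreate: false`, a combination the docs/security README in this same patch says is unsupported because the PSP needs the generated RBAC roles. Unless the resource code (not in this view) already guards it, I would reject that combination in validation with a clear error, or at minimum log it, rather than letting the reconciler emit a PSP no pod can `use` — silently flipping the flag would hide a security downgrade. The Fluentd and Fluentbit defaulting blocks are identical and could share one helper taking `*Security`. `SetDefaults` starts and ends outside these hunks.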
@@ -409,6 +414,11 @@ func (in *FluentdSpec) DeepCopyInto(out *FluentdSpec) { *out = new(Metrics) **out = **in } + if in.Security != nil { + in, out := &in.Security, &out.Security + *out = new(Security) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FluentdSpec. @@ -740,3 +750,23 @@ func (in *OutputStatus) DeepCopy() *OutputStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Security) DeepCopyInto(out *Security) { + *out = *in + if in.RoleBasedAccessControlCreate != nil { + in, out := &in.RoleBasedAccessControlCreate, &out.RoleBasedAccessControlCreate + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Security. +func (in *Security) DeepCopy() *Security { + if in == nil { + return nil + } + out := new(Security) + in.DeepCopyInto(out) + return out +} diff --git a/charts/logging-operator/templates/rbac.yaml b/charts/logging-operator/templates/rbac.yaml index e89819e4f..db3444770 100644 --- a/charts/logging-operator/templates/rbac.yaml +++ b/charts/logging-operator/templates/rbac.yaml @@ -90,6 +90,7 @@ rules: - rolebindings - clusterroles - clusterrolebindings + - podsecuritypolicies - daemonsets - deployments - replicasets @@ -97,6 +98,14 @@ rules: - jobs verbs: - "*" + - apiGroups: + - extensions + - policy + resources: + - podsecuritypolicies + verbs: + - list + - get {{- if .Values.rbac.psp.enabled }} - apiGroups: - extensions diff --git a/charts/nginx-logging-demo/README.md b/charts/nginx-logging-demo/README.md index 1311c9ead..6c9ffa6c3 100644 --- a/charts/nginx-logging-demo/README.md +++ b/charts/nginx-logging-demo/README.md 
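Review bot: The new rule grants the operator only `list` and `get` on `podsecuritypolicies` in `extensions`/`policy`, yet this patch makes the operator create and manage PSPs (pkg/resources/fluentd/psp.go, pkg/resources/fluentbit/psp.go); the write verbs would have to come from the preceding `"*"` rule, whose `apiGroups` sit above the hunk — if they do not include `policy`/`extensions`, adding `podsecuritypolicies` there grants nothing and PSP reconciliation will be forbidden. Binding the fluentd/fluentbit RoleBindings to a PSP also requires the operator itself to hold `use` on that policy (RBAC escalation prevention), which is not in this hunk and may or may not be in the `.Values.rbac.psp.enabled` branch below. I would replace the wildcard with the verbs actually needed, `verbs: [get, list, watch, create, update, patch, delete]`, since `"*"` on podsecuritypolicies lets a compromised operator mint an unrestricted policy, and keep a single explicit rule per apiGroup so the grant is auditable.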
@@ -40,29 +40,35 @@ The command removes all the Kubernetes components associated with the chart and The following tables lists the configurable parameters of the nginx-logging-demo chart and their default values. -| Parameter | Description | Default | -| --------------------------------------------------------- | ------------------------------------------------------- | -------------- | -| `image.repository` | Container image repository | `nginx` | -| `image.tag` | Container image tag | `stable` | -| `image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `nameOverride` | Override name of app | `` | -| `fullnameOverride` | Override full name of app | `` | -| `affinity` | Node Affinity | `{}` | -| `resources` | CPU/Memory resource requests/limits | `{}` | -| `tolerations` | Node Tolerations | `[]` | -| `nodeSelector` | Define which Nodes the Pods are scheduled on. | `{}` | -| `loggingOperator.fluentd.metrics.serviceMonitor` | Enable to create ServiceMonitor for Prometheus operator | `false` | -| `loggingOperator.fluentd.metrics.prometheusAnnotations` | Add prometheus labes to fluent pods. | `false` | -| `loggingOperator.fluentd.metrics.port` | Metrics Port. | `` | -| `loggingOperator.fluentd.metrics.path` | Metrics Path | `` | -| `loggingOperator.fluentd.metrics.timeout` | Scrape timeout. | `` | -| `loggingOperator.fluentd.metrics.interval` | Scrape interval. | `` | -| `loggingOperator.fluentbit.metrics.serviceMonitor` | Enable to create ServiceMonitor for Prometheus operator | `false` | -| `loggingOperator.fluentbit.metrics.prometheusAnnotations` | Add prometheus labes to fluent pods. | `false` | -| `loggingOperator.fluentbit.metrics.port` | Metrics Port. | `` | -| `loggingOperator.fluentbit.metrics.path` | Metrics Path | `` | -| `loggingOperator.fluentbit.metrics.timeout` | Scrape timeout. | `` | -| `loggingOperator.fluentbit.metrics.interval` | Scrape interval. 
| `` | +| Parameter | Description | Default | +| --------------------------------------------------------- | ------------------------------------------------------- | -------------- | +| `image.repository` | Container image repository | `nginx` | +| `image.tag` | Container image tag | `stable` | +| `image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `nameOverride` | Override name of app | `` | +| `fullnameOverride` | Override full name of app | `` | +| `affinity` | Node Affinity | `{}` | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| `tolerations` | Node Toleration | `[]` | +| `nodeSelector` | Define which Nodes the Pods are scheduled on. | `{}` | +| `loggingOperator.fluentd.metrics.serviceMonitor` | Enable to create ServiceMonitor for Prometheus operator | `false` | +| `loggingOperator.fluentd.metrics.prometheusAnnotations` | Add prometheus labels to fluent pods. | `false` | +| `loggingOperator.fluentd.metrics.port` | Metrics Port. | `` | +| `loggingOperator.fluentd.metrics.path` | Metrics Path | `` | +| `loggingOperator.fluentd.metrics.timeout` | Scrape timeout. | `` | +| `loggingOperator.fluentd.metrics.interval` | Scrape interval. | `` | +| `loggingOperator.fluentbit.metrics.serviceMonitor` | Enable to create ServiceMonitor for Prometheus operator | `false` | +| `loggingOperator.fluentbit.metrics.prometheusAnnotations` | Add prometheus labels to fluent pods. | `false` | +| `loggingOperator.fluentbit.metrics.port` | Metrics Port. | `` | +| `loggingOperator.fluentbit.metrics.path` | Metrics Path | `` | +| `loggingOperator.fluentbit.metrics.timeout` | Scrape timeout. | `` | +| `loggingOperator.fluentbit.metrics.interval` | Scrape interval. 
| `` | +| `loggingOperator.fluentd.security.roleBasedAccessControlCreate` | Enable fluentd RBAC | `true` | +| `loggingOperator.fluentd.security.podSecurityPolicyCreate` | Enable fluentd PSP | `true` | +| `loggingOperator.fluentd.security.serviceAccount` | Set fluentd Service Account | `` | +| `loggingOperator.fluentbit.security.roleBasedAccessControlCreate` | Enable fluentbit RBAC | `true` | +| `loggingOperator.fluentbit.security.podSecurityPolicyCreate` | Enable fluentbit PSP | `true` | +| `loggingOperator.fluentbit.security.serviceAccount` | Set fluentbit Service Account | `` | Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example: diff --git a/config/crd/bases/logging.banzaicloud.io_loggings.yaml b/config/crd/bases/logging.banzaicloud.io_loggings.yaml index 64eb011ec..b9bbc9530 100644 --- a/config/crd/bases/logging.banzaicloud.io_loggings.yaml +++ b/config/crd/bases/logging.banzaicloud.io_loggings.yaml @@ -119,6 +119,17 @@ spec: to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object + security: + description: Security defines Fluentd, Fluentbit deployment security + properties + properties: + podSecurityPolicyCreate: + type: boolean + roleBasedAccessControlCreate: + type: boolean + serviceAccount: + type: string + type: object targetHost: type: string targetPort: @@ -372,6 +383,17 @@ spec: to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' type: object type: object + security: + description: Security defines Fluentd, Fluentbit deployment security + properties + properties: + podSecurityPolicyCreate: + type: boolean + roleBasedAccessControlCreate: + type: boolean + serviceAccount: + type: string + type: object tls: description: FluentdTLS defines the TLS configs properties: 
diff --git a/docs/deploy/manifests/rbac.yaml b/docs/deploy/manifests/rbac.yaml index 6a2752105..3aac65018 100644 --- a/docs/deploy/manifests/rbac.yaml +++ b/docs/deploy/manifests/rbac.yaml @@ -79,6 +79,7 @@ rules: - rolebindings - clusterroles - clusterrolebindings + - podsecuritypolicies - daemonsets - deployments - replicasets @@ -86,6 +87,7 @@ rules: - jobs verbs: - "*" + --- # Source: logging-operator/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/docs/example-es-nginx.md b/docs/example-es-nginx.md index 79bb3a46f..08d96057d 100644 --- a/docs/example-es-nginx.md +++ b/docs/example-es-nginx.md @@ -11,10 +11,10 @@ - [Deploy with Helm](#example-es-nginx.md#deploy-elasticsearch) - **Logging Operator** - [Deploy with Helm](#install-with-helm) - - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) - **Demo Application** - [Deploy with Helm](#nginx-app-and-logging-definition) - - [Deploy with Kuberenetes Manifests](#install-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](#install-from-kubernetes-manifests) - **Validation** - [Cerebro Dashboard](#forward-cerebro-dashboard) - [Kibana Dashboard](#forward-kibana-dashboard) diff --git a/docs/example-kafka-nginx.md b/docs/example-kafka-nginx.md index cecdc2222..0b91972f7 100644 --- a/docs/example-kafka-nginx.md +++ b/docs/example-kafka-nginx.md 
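Review bot: This hand-edited manifest diverges from the chart template it claims to be generated from (`# Source: logging-operator/templates/rbac.yaml`): it adds `podsecuritypolicies` to the wildcard rule but not the explicit `extensions`/`policy` `list`/`get` rule the chart gains in this same patch, so the Helm and manifest install paths now grant different permissions. Regenerate the file from the chart (e.g. `helm template`) instead of patching it by hand, and drop the stray blank line added before `---`. As in the chart, prefer an explicit verb list over `"*"` for `podsecuritypolicies`, since that wildcard lets the operator create a fully permissive policy.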
@@ -11,10 +11,10 @@ - [Deploy with Helm](#deploy-kafka) - **Logging Operator** - [Deploy with Helm](#install-with-helm) - - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) - **Demo Application** - [Deploy with Helm](install-with-helm) - - [Deploy with Kuberenetes Manifests](#install-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](#install-from-kubernetes-manifests) - **Validation** - [Kafkacat](#test-your-deployment-with-kafkacat) --- diff --git a/docs/example-loki-nginx.md b/docs/example-loki-nginx.md index 9b2422c2e..56fbef78b 100644 --- a/docs/example-loki-nginx.md +++ b/docs/example-loki-nginx.md @@ -11,10 +11,10 @@ - [Deploy with Helm](#add-operator-chart-repository) - **Logging Operator** - [Deploy with Helm](#install-with-helm) - - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) - **Demo Application** - [Deploy with Helm](#nginx-app--logging-definition) - - [Deploy with Kuberenetes Manifests](#install-from-manifest) + - [Deploy with Kubernetes Manifests](#install-from-manifest) - **Validation** - [Grafana Dashboard](#grafana-dashboard) --- diff --git a/docs/logging-operator-monitoring.md b/docs/logging-operator-monitoring.md index c3f6246c7..9a77c67da 100644 --- a/docs/logging-operator-monitoring.md +++ b/docs/logging-operator-monitoring.md 
@@ -11,12 +11,12 @@ - [Deploy with Helm](#install-prometheus-operator-with-helm) - **Logging Operator** - [Deploy with Helm](#install-with-helm) - - [Deploy with Kuberenetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) + - [Deploy with Kubernetes Manifests](./deploy/README.md#deploy-logging-operator-from-kubernetes-manifests) - **Minio** - - [Deploy with Kuberenetes Manifests](#install-minio) + - [Deploy with Kubernetes Manifests](#install-minio) - **Demo Application** - [Deploy with Helm](#deploy-demo-nginx-app--logging-definition-with-metrics) - - [Deploy with Kuberenetes Manifests](#install-from-manifest) + - [Deploy with Kubernetes Manifests](#install-from-manifest) - **Validation** - [Prometheus Dashboard](#prometheus) - [Minio Dashboard](#minio) diff --git a/docs/security/README.md b/docs/security/README.md new file mode 100644 index 000000000..2ab30b85b --- /dev/null +++ b/docs/security/README.md @@ -0,0 +1,297 @@ +

+

+ +# Logging-operator && Security + +--- +## Contents +- **Using RBAC Authorization** + - [Deploy with Kubernetes Manifests](#deploy-with-kubernetes-manifests) + - [Deploy with Helm](#deploy-with-helm) + - [Output](#example-manifest-generated-by-the-operator) +- **Service Account** + - [Deploy with Kubernetes Manifests](#deploy-with-kubernetes-manifests-1) + - [Deploy with Helm](#deploy-with-helm-1) +- **Pod Security Policy** + - [Deploy with Kubernetes Manifests](#create-logging-resource-with-psp) + - [Deploy with Helm](#deploy-with-helm-2) + - [Output](#example-manifest-generated-by-the-operator-1) +--- + + +### Security Variables +| Variable Name | Type | Required | Default | Description | +|---|---|---|---|---| +| roleBasedAccessControlCreate | bool | No | True | create RBAC resources | +| podSecurityPolicyCreate | bool | No | False | create PSP resources | +| serviceAccount | string | No | - | Set ServiceAccount | + +## Using [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) Authorization +> By default the rbac is enabled. + +### Deploy with Kubernetes Manifests +#### Create `logging` resource with RBAC +```bash +cat < This option depends on the roleBasedAccessControlCreate enabled status because the psp require rbac roles also. + +### Deploy with Kubernetes Manifests +#### Create `logging` resource with PSP +```bash +cat <