[Fluent-Bit] Improve Openshift support, allow to use existing SCCs (#380

) * Improve Openshift support, allow to use existing SCCs - Add ability to provide existing SecurityContextConstraints name instead of create new one - Add ability to add annotations for SecrutiryContextConstraints resource, created with the chart - Add common labels for SecurityContextConstraints - Improve variables naming - Bump up chart version Signed-off-by: Kirill Thirteen <[email protected]> * fix openshift SCC template Signed-off-by: Kirill Thirteen <[email protected]> * fixes according to suggestions Signed-off-by: Kirill Thirteen <[email protected]> * fluent-bit: enable creation of SCC by default, while running in OpenShift Signed-off-by: Kirill Thirteen <[email protected]> --------- Signed-off-by: Kirill Thirteen <[email protected]> Signed-off-by: Kirill Thirteen <[email protected]> Co-authored-by: Kirill Thirteen <[email protected]>
fluent · Jul 5, 2023 · 5b70817 · 5b70817
1 parent 36ce963
commit 5b70817
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 13 deletions.
diff --git a/charts/fluent-bit/Chart.yaml b/charts/fluent-bit/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
   - logging
   - fluent-bit
   - fluentd
-version: 0.34.1
+version: 0.34.2
 appVersion: 2.1.6
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
 home: https://fluentbit.io/
@@ -22,5 +22,5 @@ maintainers:
     email: [email protected]
 annotations:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "Removed duplicated volumeMounts key in reloader container."
+    - kind: added
+      description: "Added support for using an existing SecurityContextConstraints for OpenShift."
diff --git a/charts/fluent-bit/templates/_helpers.tpl b/charts/fluent-bit/templates/_helpers.tpl
@@ -125,3 +125,14 @@ autoscaling/v2beta2
 autoscaling/v2
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create the name of OpenShift SecurityContextConstraints to use
+*/}}
+{{- define "fluent-bit.openShiftSccName" -}}
+{{- if not .Values.openShift.securityContextConstraints.create -}}
+{{- printf "%s" .Values.openShift.securityContextConstraints.existingName -}}
+{{- else -}}
+{{- printf "%s" default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/fluent-bit/templates/clusterrole.yaml b/charts/fluent-bit/templates/clusterrole.yaml
@@ -29,13 +29,13 @@ rules:
     verbs:
       - use
   {{- end }}
-  {{- if and .Values.openShift.enabled .Values.openShift.securityContextConstraints.create }}
+  {{- if .Values.openShift.enabled }}
   - apiGroups:
       - security.openshift.io
     resources:
       - securitycontextconstraints
     resourceNames:
-      - {{ include "fluent-bit.fullname" . }}
+      - {{ include "fluent-bit.openShiftSccName" . }}
     verbs:
       - use
   {{- end }}

diff --git a/charts/fluent-bit/templates/scc.yaml b/charts/fluent-bit/templates/scc.yaml
@@ -2,11 +2,13 @@
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
-  name: {{ include "fluent-bit.fullname" . }}
-{{- if .Values.openShift.securityContextConstraints.annotations }}
+  name: {{ include "fluent-bit.openShiftSccName" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- with .Values.openShift.securityContextConstraints.annotations }}
   annotations:
-    {{- toYaml .Values.openShift.securityContextConstraints.annotations | nindent 4 }}
-{{- end }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 allowPrivilegedContainer: true
 allowPrivilegeEscalation: true
 allowHostDirVolumePlugin: true
@@ -18,10 +20,10 @@ allowHostPorts: false
 allowHostPID: false
 allowedCapabilities: []
 forbiddenSysctls:
-- "*"
+  - "*"
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- MKNOD
+  - MKNOD
 runAsUser:
   type: RunAsAny
 seLinuxContext:
@@ -30,8 +32,10 @@ supplementalGroups:
   type: RunAsAny
 volumes:
   - configMap
+  - downwardAPI
   - emptyDir
   - hostPath
   - persistentVolumeClaim
+  - projected
   - secret
 {{- end }}
diff --git a/charts/fluent-bit/values.yaml b/charts/fluent-bit/values.yaml
@@ -45,13 +45,16 @@ podSecurityPolicy:
   create: false
   annotations: {}
 
+# OpenShift-specific configuration
 openShift:
-  # Sets Openshift support
   enabled: false
-  # Creates SCC for Fluent-bit when Openshift support is enabled
   securityContextConstraints:
+    # Create SCC for Fluent-bit and allow use it
     create: true
+    name: ""
     annotations: {}
+    # Use existing SCC in cluster, rather then create new one
+    existingName: ""
 
 podSecurityContext: {}
 #   fsGroup: 2000