Running Fluentbit Daemonsets as non-root on Bottlerocket nodes #3527
Unanswered
yuzhengchua
asked this question in
Q&A
Can you explicitly mount the resource you need without making it root? Alternately, try using the Fluent Bit operator, which should avoid a lot of these troubles.
I am trying to run Fluent Bit as a DaemonSet on an AWS EKS cluster with Bottlerocket nodes, and they require root permissions in order to read the journalctl for kubelet logs as well as container logs in the /var/log directory.
However, going by the Bottlerocket security recommendations, containers should not be run as the root user (UID=0), since Bottlerocket currently does not support user namespaces.
https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md#do-not-run-containers-as-uid-0
Is there any way to overcome this limitation while maintaining the security posture?