Running Fluentbit Daemonsets as non-root on Bottlerocket nodes #3527
Replies: 1 comment 1 reply
-
|
Can you explicitly mount the resource you need without making it root? Alternately, try using the Fluent Bit operator, which should avoid a lot of these troubles. |
Beta Was this translation helpful? Give feedback.
-
|
Hi there, Apologies from the late reply. I could mount the resources without making my container run as root but fluent-bit will not be able to read the host log files in that case. Currently I managed to overcome this limitation by running as non-root user but as a root group so that the pod is able to read the /var/log files. Pretty sure this is not the best way but I could not find a better way for this. Any recommendations would be much appreciated. Thank you! |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Trying to run fluentbit as a daemonset on AWS EKS cluster with bottlerocket nodes and they require root permissions in order to read the journalctl for kubelet logs as well as container logs in the /var/log directory.
However, going by bottlerocket security recommendations, containers should not be run as root user (UID=0) since bottlerocket currently does not support user namespaces.
https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md#do-not-run-containers-as-uid-0
Is there any way to overcome this limitation while maintaining the security posture?
Beta Was this translation helpful? Give feedback.
All reactions