-
Notifications
You must be signed in to change notification settings - Fork 238
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b97d2b6
commit 75ef74f
Showing
1 changed file
with
124 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| --- | ||
| canonical: https://grafana.com/docs/alloy/latest/set-up/install/openshift/ | ||
| description: Learn how to deploy Grafana Alloy on OpenShift | ||
| menuTitle: OpenShift | ||
| title: Deploy Grafana Alloy on OpenShift | ||
| weight: 530 | ||
| --- | ||
|
|
||
| # Deploy {{% param "FULL_PRODUCT_NAME" %}} on OpenShift | ||
|
|
||
| You can deploy {{< param "PRODUCT_NAME" >}} on the Red Hat OpenShift Container Platform (OCP). | ||
|
|
||
| ## Before you begin | ||
|
|
||
| * These steps assume you have a working OCP environment. | ||
| * You can adapt the suggested policies and configuration to meet your specific needs and [security][] policies. | ||
|
|
||
| ## Configure RBAC | ||
|
|
||
| You must configure Role-Based Access Control (RBAC) to allow secure access to Kubernetes and OCP resources. | ||
|
|
||
| 1. Download the [rbac.yaml][] configuration file. This configuration file defines the OCP verbs and permissions for {{< param "PRODUCT_NAME" >}}. | ||
| 1. Review the `rbac.yaml` file and adapt as needed for your local environment. Refer to [Managing Role-based Access Control (RBAC)][rbac] topic in the OCP documentation for more information about updating and managing your RBAC configurations. | ||
|
|
||
| ## Run {{% param "PRODUCT_NAME" %}} as a non-root user | ||
|
|
||
| You must configure {{< param "PRODUCT_NAME" >}} to [run as a non-root user][nonroot]. | ||
| This ensures that {{< param "PRODUCT_NAME" >}} complies with your OCP security policies. | ||
|
|
||
| ## Apply security context constraints | ||
|
|
||
| OCP uses Security Context Constraints (SCC) to control Pod permissions. | ||
| Refer to [Managing security context constraints][scc] for more information about how you can define and enforce these permissions. | ||
| This ensures that the pods running {{< param "PRODUCT_NAME" >}} comply with OCP security policies. | ||
|
|
||
| {{< admonition type="note" >}} | ||
| The security context is only configured at the container level, not at the container and deployment level. | ||
| {{< /admonition >}} | ||
|
|
||
| You can apply the following SCCs when you deploy {{< param "PRODUCT_NAME" >}}. | ||
|
|
||
| {{< admonition type="note" >}} | ||
| Not all of these SCCs are required for each use case. | ||
| You can adapt the SCCs to meet your local requirements and needs. | ||
| {{< /admonition >}} | ||
|
|
||
| * `RunAsUser`: Specifies the user ID under which {{< param "PRODUCT_NAME" >}} runs. | ||
| You must configure this constraint to allow a non-root user ID. | ||
| * `SELinuxContext`: Configures the SELinux context for containers. | ||
| If you run {{< param "PRODUCT_NAME" >}} as root, you must configure this constraint to make sure that SELinux policies don't block {{< param "PRODUCT_NAME" >}}. | ||
| This SCC is generally not required to deploy {{< param "PRODUCT_NAME" >}} as a non-root user. | ||
| * `FSGroup`: Specifies the fsGroup IDs for file system access. | ||
| You must configure this constraint to give {{< param "PRODUCT_NAME" >}} group access to the files it needs. | ||
| * `Volumes`: Specifies the persistent volumes used for storage. | ||
| You must configure this constraint to give {{< param "PRODUCT_NAME" >}} access to the volumes it needs. | ||
|
|
||
| The following example shows a DaemonSet configuration that deploys {{< param "PRODUCT_NAME" >}} as a non-root user: | ||
|
|
||
| ```yaml | ||
| apiVersion: aapps/v1 | ||
| kind: DaemonSet | ||
| metadata: | ||
| name: alloy-logs | ||
| namespace: monitoring | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| app: alloy-logs | ||
| template: | ||
| metadata: | ||
| lables: | ||
| app: alloy-logs | ||
| spec: | ||
| containers: | ||
| - name: alloy-logs | ||
| image: grafana/alloy:latest | ||
| ports: | ||
| - containerPort: 12345 | ||
| # The security context configuration | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| runAsUser: 473 | ||
| runAsGroup: 473 | ||
| fsGroup: 1000 | ||
| volumes: | ||
| - name: log-volume | ||
| emptyDir: {} | ||
| ``` | ||
| The following example shows an SSC definition that deploys {{< param "PRODUCT_NAME" >}} as a non-root user: | ||
| ```yaml | ||
| kind: SecurityContextConstraints | ||
| apiVersion: security.openshift.io/v1 | ||
| metadata: | ||
| name: scc-alloy | ||
| runAsUser: | ||
| type: MustRunAs | ||
| uid: 473 | ||
| fsGroup: | ||
| type: MustRunAs | ||
| uid: 1000 | ||
| volumes: | ||
| - '*' | ||
| users: | ||
| - my-admin-user | ||
| groups: | ||
| - my-admin-group | ||
| ``` | ||
| Refer to [Deploy {{< param "FULL_PRODUCT_NAME" >}}][deploy] for more information about deploying {{< param "PRODUCT_NAME" >}} in your environment. | ||
| ## Next steps | ||
| * [Configure {{< param "PRODUCT_NAME" >}}][Configure] | ||
| [rbac.yaml]: https://github.com/grafana/alloy/blob/main/operations/helm/charts/alloy/templates/rbac.yaml | ||
| [rbac]: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_rbac.html | ||
| [security]: https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/troubleshooting/#openshift-support | ||
| [nonroot]: ../../../configure/nonroot/ | ||
| [scc]: https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html | ||
| [Configure]: ../../../configure/linux/ | ||
| [deploy]: ../../deploy/ |