alloy update to 2.0.16-bb.2

99322f0b · BB_AUTO_MR_TOKEN · Michael Martin · 937011cb · 99322f0b · 99322f0b
Commit 99322f0b authored 1 week ago by BB_AUTO_MR_TOKEN Committed by Michael Martin 1 week ago
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -379,7 +379,7 @@ policies:
      excludeContainers:
        - init-chmod-data
    {{- end }}
-    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled }}
+    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled .Values.addons.alloy.enabled }}
    exclude:
      any:
      - resources:
@@ -454,6 +454,16 @@ policies:
          names:
          - mattermost-*
      {{- end }}
+      {{- if .Values.addons.alloy.enabled }}
+      # Alloy requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the systemd-journal user group
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - alloy
+          names:
+          - alloy-alloy-logs*
+      {{- end }}
    {{- end }}


@@ -471,7 +481,7 @@ policies:
      excludeContainers:
        - init-chmod-data
    {{- end }}
-    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled }}
+    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.neuvector.enabled .Values.addons.alloy.enabled }}
    exclude:
      any:
      - resources:
@@ -544,6 +554,16 @@ policies:
          - neuvector-controller-pod-*
          - neuvector-cert-upgrader-job-*
      {{- end }}
+      {{- if .Values.addons.alloy.enabled }}
+      # Alloy requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the systemd-journal user group
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - alloy
+          names:
+          - alloy-alloy-logs*
+      {{- end }}
    {{- end }}

  require-non-root-user:
@@ -565,7 +585,7 @@ policies:
      - resources:
          namespaces:
          - kube-system
-    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.kiali.enabled .Values.neuvector.enabled}}
+    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.kiali.enabled .Values.neuvector.enabled .Values.addons.alloy.enabled }}
      {{- if .Values.kiali.enabled }}
      # Kiali needs exception for operator to deploy Kiali server
      - resources:
@@ -613,7 +633,7 @@ policies:
      {{- end }}
      {{- if .Values.fluentbit.enabled }}
      # Fluentbit requires access to journalctl as well as /var/log.  This would require modifications
-      # to the host operating system, creating a user, adding that user to the  systemd-journal user group
+      # to the host operating system, creating a user, adding that user to the systemd-journal user group
      # and then granting permissions recursively on /var/log.
      - resources:
          namespaces:
@@ -623,7 +643,7 @@ policies:
      {{- end }}
      {{- if .Values.promtail.enabled }}
      # promtail requires access to journalctl as well as /var/log.  This would require modifications
-      # to the host operating system, creating a user, adding that user to the  systemd-journal user group
+      # to the host operating system, creating a user, adding that user to the systemd-journal user group
      # and then granting permissions recursively on /var/log.
      # promtail requires access to /run/promtail for its buffering and persistent state.
      - resources:
@@ -632,6 +652,16 @@ policies:
          names:
          - promtail-promtail*
      {{- end }}
+      {{- if .Values.addons.alloy.enabled }}
+      # Alloy requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the systemd-journal user group
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - alloy
+          names:
+          - alloy-alloy-logs*
+      {{- end }}
    {{- end }}

  {{- if .Values.twistlock.enabled }}
@@ -706,7 +736,7 @@ policies:
    {{- end }}
  restrict-host-path-mount:
    validationFailureAction: Enforce
-    {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployNodeAgent }}
+    {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled .Values.addons.alloy.enabled $deployNodeAgent }}
    exclude:
      any:
      {{- if .Values.fluentbit.enabled }}
@@ -780,6 +810,16 @@ policies:
          - neuvector-cert-upgrader-job-*
          - neuvector-controller-pod*
      {{- end }}
+      {{- if .Values.addons.alloy.enabled }}
+      # Alloy mounts the following hostPaths:
+      # - `/var/log`: to tail node logs (e.g. journal) and pod logs
+      # - `/var/lib/docker/containers`: to tail container logs
+      - resources:
+          namespaces:
+          - alloy
+          names:
+          - alloy-alloy-logs*
+      {{- end }}
      {{- if $deployNodeAgent }}
      # Velero.  The node agent backup tool requires root user access to the host's runtime pod directory which is
      # mounted inside velero/node agent pods.  Since the host's pod runtime directory may expose sensitive information,
@@ -902,7 +942,7 @@ policies:
      {{- end }}
  {{- end }}

-  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployNodeAgent }}
+  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled .Values.addons.alloy.enabled $deployNodeAgent }}
  restrict-volume-types:
    exclude:
      any:
@@ -957,6 +997,16 @@ policies:
          - neuvector-enforcer-pod*
          - neuvector-controller-pod*
      {{- end }}
+      {{- if .Values.addons.alloy.enabled }}
+      # Alloy mounts the following hostPaths:
+      # - `/var/log`: to tail node logs (e.g. journal) and pod logs
+      # - `/var/lib/docker/containers`: to tail container logs
+      - resources:
+          namespaces:
+          - alloy
+          names:
+          - alloy-alloy-logs*
+      {{- end }}
      {{- if $deployNodeAgent }}
      # Velero.  The node agent backup tool requires root user access to the host's runtime pod directory which is
      # mounted inside velero/node agent pods.

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -2234,12 +2234,12 @@ addons:

    git:
      repo: https://repo1.dso.mil/big-bang/product/packages/alloy.git
-      tag: "2.0.16-bb.1"
+      tag: "2.0.16-bb.2"
      path: "./chart"
    helmRepo:
      repoName: "registry1"
      chartName: "k8s-monitoring"
-      tag: "2.0.16-bb.1"
+      tag: "2.0.16-bb.2"

    values: {}