Merge branch '3-promtail-as-root-user' into 'master'

modify non-root-user and non-root-group kyverno policies to include exception for promtail Closes platform-one/big-bang/apps/sandbox/promtail#3 and #3 See merge request platform-one/big-bang/bigbang!1691

Merge branch '3-promtail-as-root-user' into 'master'
c2555e5d · Ryan Garcia · 51b2c91b · eadd1043 · c2555e5d
Commit c2555e5d authored 2 years ago by Ryan Garcia
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -182,7 +182,7 @@ policies:

  require-non-root-group:
    validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -215,11 +215,22 @@ policies:
          names:
          - logging-fluent-bit*
      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
    {{- end }}

  require-non-root-user:
    validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -252,6 +263,17 @@ policies:
          names:
          - logging-fluent-bit*
      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
    {{- end }}

  {{- if .Values.twistlock.enabled }}