Documentation for restricted securityContext #1264

Open
jawnsy opened this issue Nov 18, 2022 · 1 comment · May be fixed by #1278
Labels
area:collector Issues for deploying collector help wanted Extra attention is needed

Comments

@jawnsy (Contributor)

jawnsy commented Nov 18, 2022

Hello there,

Thanks so much for this great operator! The otel-collector sidecar and deployment seem to work fine with some more restrictive securityContext settings, and I'd like to propose adding documentation to describe how to implement this, as these changes would be especially relevant for people running in a restricted environment, such as OpenShift.

Since changing the defaults would be a breaking change, the safest option would be a doc-only change describing how this can be done. However, I think using more restrictive defaults would be a nice future change.

I'm happy to open a PR to add these docs, if you would be amenable. Please point me to the appropriate place to document this and any tests that I should update.

Thanks for considering this!

These are the settings I'm using for sidecars:

apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
spec:
  mode: sidecar
  securityContext:
    runAsUser: 10001 # we use this in our environment, but should omit this for better compatibility with OpenShift, in which case clusters will inherit from the image USER
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
      - ALL

And these are the settings I'm using for the deployment:

apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
spec:
  mode: deployment
  securityContext:
    runAsUser: 10001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
      - ALL
  podSecurityContext:
    runAsUser: 10001
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

See also:
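The two manifests above are easy to get subtly wrong (a missing `drop: [ALL]`, `allowPrivilegeEscalation` left unset rather than set to `false`, seccomp only at one level). The following is an added example, not code from the issue author or from the opentelemetry-operator project: a small checker that takes the `.spec` of an OpenTelemetryCollector as a Python dict and reports what the Kubernetes Pod Security Standards "restricted" profile would reject, resolving pod-level `podSecurityContext` values as defaults for the container-level `securityContext` the way Kubernetes does. `readOnlyRootFilesystem` is not part of the restricted profile, so it is reported separately as the extra hardening the issue uses. The sample specs are transcribed from the YAML above plus a constructed "defaults only" spec; the function and constant names are this example's own.

```python
"""Check an OpenTelemetryCollector .spec against the Kubernetes Pod Security
Standards "restricted" profile (example code, not part of the operator)."""
from typing import Any, Dict, List

# Capabilities the restricted profile still allows under capabilities.add.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def _effective(ctr: Dict[str, Any], pod: Dict[str, Any], key: str) -> Any:
    """Container-level value wins; pod-level value is the default."""
    return ctr.get(key, pod.get(key))


def check_restricted(spec: Dict[str, Any]) -> List[str]:
    """Return the list of restricted-profile violations (empty == compliant).

    `securityContext` is the container-level context on the collector
    container, `podSecurityContext` the pod-level one (absent in sidecar mode,
    where the injected container inherits the workload's pod settings).
    """
    ctr = spec.get("securityContext") or {}
    pod = spec.get("podSecurityContext") or {}
    problems: List[str] = []

    if ctr.get("privileged") is True:
        problems.append("privileged must not be true")
    # The profile requires an explicit false; an unset field is a violation.
    if ctr.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    caps = ctr.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
    if extra:
        problems.append(f"capabilities.add has disallowed {sorted(extra)}")
    if _effective(ctr, pod, "runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true at pod or container level")
    if _effective(ctr, pod, "runAsUser") == 0:
        problems.append("runAsUser must not be 0")
    seccomp = _effective(ctr, pod, "seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def hardening_gaps(spec: Dict[str, Any]) -> List[str]:
    """Extra hardening from the issue that the restricted profile does not mandate."""
    ctr = spec.get("securityContext") or {}
    gaps: List[str] = []
    if ctr.get("readOnlyRootFilesystem") is not True:
        gaps.append("readOnlyRootFilesystem should be true")
    return gaps


# Constructed inputs: the sidecar and deployment specs transcribed from the
# issue, and a spec that relies entirely on the operator's defaults.
_CTR = {
    "runAsUser": 10001,
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}
SIDECAR_SPEC = {"mode": "sidecar", "securityContext": dict(_CTR)}
DEPLOYMENT_SPEC = {
    "mode": "deployment",
    "securityContext": dict(_CTR),
    "podSecurityContext": {
        "runAsUser": 10001,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}
DEFAULT_SPEC = {"mode": "deployment"}

if __name__ == "__main__":
    for name, spec in (("sidecar", SIDECAR_SPEC),
                       ("deployment", DEPLOYMENT_SPEC),
                       ("defaults", DEFAULT_SPEC)):
        print(name, "violations:", check_restricted(spec),
              "hardening:", hardening_gaps(spec))
```

Running it shows both manifests from the issue passing with no violations and the defaults-only spec failing four checks (privilege escalation, capabilities, runAsNonRoot, seccomp). One caveat for OpenShift, where the default restricted SCC assigns UIDs from a per-namespace range: pinning `runAsUser: 10001` passes this profile check but will still be rejected by admission there unless the namespace's range includes that UID, which is why the comment in the sidecar manifest suggests omitting it.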

@pavolloffay pavolloffay added area:collector Issues for deploying collector help wanted Extra attention is needed labels Nov 21, 2022
@pavolloffay (Member)

@jawnsy thanks for getting back to us and contributing.

The only docs we have right now is the root readme or https://github.com/open-telemetry/opentelemetry-operator/blob/main/apis/v1alpha1/opentelemetrycollector_types.go#L74.

PR is highly appreciated ❤️
