Allow setting security context on containers

signalfx · Feb 5, 2025 · 5e3db36 · 5e3db36
1 parent 8dfbe93
commit 5e3db36
Show file tree

Hide file tree

Showing 11 changed files with 136 additions and 9 deletions.
diff --git a/.chloggen/add-container-security-context-option-cluster-receiver.yaml b/.chloggen/add-container-security-context-option-cluster-receiver.yaml
@@ -0,0 +1,8 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: clusterReceiver
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add an option to set the security context for the container.
+# One or more tracking issues related to the change
+issues: []
diff --git a/.chloggen/add-container-security-context-option-gateway.yaml b/.chloggen/add-container-security-context-option-gateway.yaml
@@ -0,0 +1,8 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: gateway
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add an option to set the security context for the container.
+# One or more tracking issues related to the change
+issues: []
diff --git a/.chloggen/add-init-container-security-context-options-agent.yaml b/.chloggen/add-init-container-security-context-options-agent.yaml
@@ -0,0 +1,8 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: agent
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add fields to set the security context for the init containers.
+# One or more tracking issues related to the change
+issues: []
diff --git a/.chloggen/deprecate-security-context-option-cluster-receiver.yaml b/.chloggen/deprecate-security-context-option-cluster-receiver.yaml
@@ -0,0 +1,8 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: deprecation
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: clusterReceiver
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Deprecate the `securityContext` field in favor of the `podSecurityContext`.
+# One or more tracking issues related to the change
+issues: []
diff --git a/.chloggen/deprecate-security-context-option-gateway.yaml b/.chloggen/deprecate-security-context-option-gateway.yaml
@@ -0,0 +1,8 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: deprecation
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: gateway
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Deprecate the `securityContext` field in favor of the `podSecurityContext`.
+# One or more tracking issues related to the change
+issues: []
diff --git a/helm-charts/splunk-otel-collector/templates/NOTES.txt b/helm-charts/splunk-otel-collector/templates/NOTES.txt
@@ -81,3 +81,9 @@ Splunk OpenTelemetry Collector is installed and configured to send data to Splun
   - Status: Instrumentation language maturity varies. See `operator.instrumentation.spec` and documentation for utilized instrumentation details.
   - Splunk Support: We offer full support for Splunk distributions and best-effort support for native OpenTelemetry distributions of auto-instrumentation libraries.
 {{- end }}
+{{- if not (eq (toString .Values.gateway.securityContext) "<nil>") }}
+[WARNING] "gateway.securityContext" parameter is deprecated. Please use "gateway.podSecurityContext" instead.
+{{ end }}
+{{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }}
+[WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead.
+{{ end }}
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
@@ -78,6 +78,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.agent.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if and (eq (include "splunk-otel-collector.logsEnabled" .) "true") (not .Values.isWindows) (not $agent.skipInitContainers) }}
       initContainers:
         {{- if and (eq .Values.logsEngine "fluentd") (not (eq .Values.distribution "gke/autopilot")) }}
@@ -115,7 +119,7 @@ spec:
           imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
           command: ["/migratecheckpoint"]
           securityContext:
-            runAsUser: 0
+            {{- toYaml $agent.initContainers.migrateCheckpoint.securityContext | nindent 12 }}
           env:
           - name: CONTAINER_LOG_PATH_FLUENTD
             value: "{{ .Values.fluentd.config.posFilePrefix }}-containers.log.pos"
@@ -178,7 +182,7 @@ spec:
           setfacl -n -Rm d:m::rx,m::rx,d:g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx,g:{{ $agent.securityContext.runAsGroup | default 999 }}:rx {{ .Values.splunkPlatform.sendingQueue.persistentQueue.storagePath }}/agent;
           {{- end }}']
           securityContext:
-            runAsUser: 0
+            {{- toYaml $agent.initContainers.patchLogDirs.securityContext | nindent 12 }}
           resources:
             {{- toYaml $agent.resources | nindent 12 }}
           volumeMounts:

diff --git a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
@@ -81,9 +81,10 @@ spec:
         ` }}
         {{- $clusterReceiver.affinity | mustMergeOverwrite (fromYaml $clusterReceiverPodAntiAffinity) | toYaml | nindent 8 }}
       {{- end }}
-      {{- if $clusterReceiver.securityContext }}
+      {{- $podSecurityContext := $clusterReceiver.podSecurityContext | default $clusterReceiver.securityContext }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }}
+        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
       {{- end }}
       {{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }}
       initContainers:
@@ -127,6 +128,10 @@ spec:
         {{- if .Values.clusterReceiver.featureGates }}
         - --feature-gates={{ .Values.clusterReceiver.featureGates }}
         {{- end }}
+        {{- with .Values.clusterReceiver.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         image: {{ template "splunk-otel-collector.image.otelcol" . }}
         imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
         env:

diff --git a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
@@ -61,9 +61,10 @@ spec:
       affinity:
         {{- toYaml $gateway.affinity | nindent 8 }}
       {{- end }}
-      {{- if $gateway.securityContext }}
+      {{- $podSecurityContext := $gateway.podSecurityContext | default $gateway.securityContext }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }}
+        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }}
       {{- end }}
       containers:
       - name: otel-collector
@@ -80,6 +81,10 @@ spec:
         {{- if .Values.gateway.featureGates }}
         - --feature-gates={{ .Values.gateway.featureGates }}
         {{- end }}
+        {{- with .Values.gateway.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         image: {{ template "splunk-otel-collector.image.otelcol" . }}
         imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
         env:

diff --git a/helm-charts/splunk-otel-collector/values.schema.json b/helm-charts/splunk-otel-collector/values.schema.json
@@ -577,9 +577,36 @@
             }
           }
         },
+        "podSecurityContext": {
+          "type": "object"
+        },
         "securityContext": {
           "type": "object"
         },
+        "initContainers":{
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "migrateCheckpoint": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "securityContext": {
+                  "type": "object"
+                }
+              }
+            },
+            "patchLogDirs": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "securityContext": {
+                  "type": "object"
+                }
+              }
+            }
+          }
+        },
         "updateStrategy": {
             "type": "string",
             "enum": [
@@ -731,6 +758,13 @@
           "type": "object"
         },
         "securityContext": {
+          "description": "[DEPRECATED] Use podSecurityContext instead.",
+          "type": "object"
+        },
+        "podSecurityContext": {
+          "type": "object"
+        },
+        "containerSecurityContext": {
           "type": "object"
         },
         "terminationGracePeriodSeconds": {
@@ -1348,6 +1382,13 @@
           "type": "object"
         },
         "securityContext": {
+          "description": "[DEPRECATED] Use podSecurityContext instead.",
+          "type": "object"
+        },
+        "podSecurityContext": {
+          "type": "object"
+        },
+        "containerSecurityContext": {
           "type": "object"
         },
         "terminationGracePeriodSeconds": {

diff --git a/helm-charts/splunk-otel-collector/values.yaml b/helm-charts/splunk-otel-collector/values.yaml
@@ -383,17 +383,37 @@ agent:
       # This value is being used as a source for default memory_limiter processor configurations
       memory: 500Mi
 
+  # Security context set on the otel-collector-agent pod
+  podSecurityContext: {}
+
+  # Security context applied to the agent otel-collector container.
   # To collect container logs and journald logs, it will run the agent as a root user.
   # To run it as non root user, uncomment below `securityContext` options.
   # Setting runAsUser and runAsGroup to a non root user enables an init container that patches group
   # permissions of container logs directories on the host filesystem to make logs readable by this non root user.
   # Please note that on uninstallation of the chart, the permissions added to the
   # host log directories for given uid/gid are not reverted.
-
   securityContext: {}
   #   runAsUser: 20000
   #   runAsGroup: 20000
 
+  # Configs applied to the conditional init containers.
+  # All the init containers are applied only when log collection is enabled.
+  initContainers:
+    # Init container that migrates log checkpoints from https://github.com/splunk/splunk-connect-for-kubernetes
+    # to the new checkpoint format used by the OpenTelemetry Collector.
+    # Disabled on GKE Autopilot clusters.
+    migrateCheckpoint:
+      securityContext:
+        runAsUser: 0
+    # Init container that patches group permissions of container logs directories on the host filesystem
+    # to make logs readable by the non root user.
+    # Only enabled when runAsUser and runAsGroup are set to a non root user in agent.securityContext.
+    # Disabled on GKE Autopilot clusters.
+    patchLogDirs:
+      securityContext:
+        runAsUser: 0
+
   # Specifies DaemonSet update strategy.
   # Possible values: "OnDelete" and "RollingUpdate".
   updateStrategy: RollingUpdate
@@ -475,10 +495,13 @@ clusterReceiver:
   affinity: {}
 
   # Pod configurations
-  securityContext: {}
+  podSecurityContext: {}
   terminationGracePeriodSeconds: 600
   priorityClassName: ""
 
+  # Security context applied to the otel-collector container in the cluster receiver deployment.
+  containerSecurityContext: {}
+
   # k8s cluster receiver collector annotations
   annotations: {}
   podAnnotations: {}
@@ -1138,10 +1161,13 @@ gateway:
   affinity: {}
 
   # Pod configurations
-  securityContext: {}
+  podSecurityContext: {}
   terminationGracePeriodSeconds: 600
   priorityClassName: ""
 
+  # Security context applied to the otel-collector container in the gateway deployment.
+  containerSecurityContext: {}
+
   # OTel collector annotations
   annotations: {}
   podAnnotations: {}