Added RBAC policies for deployment

[eugene-chow]

No description provided.

[eugene-chow]

@kayrus Thanks for making EFK work on k8s :)

[kayrus]

Namespace logging or monitoring?

[eugene-chow]

sorry. forgot to remove the namespace directive

[kayrus]

Can you add the same for es5/deploy.sh?

I.e. create a ../rbac symlink and add eval "${KUBECTL} apply -f rbac"

I have plans to merge es5 and es2.x, but it still requires more testing.

[eugene-chow]

Done. I also took the liberty to update the undeploy.sh scripts and add the serviceAccount directive to the manifests which I missed out earlier.

Btw, the RBAC manifests were meant for ES2. ES5 is missing the k8s-events-printer.yaml and es-fluentd-ds.yaml manifests present in ES2. Is the ES5 deployment ready for use? I tried it a few weeks back but it didn't run properly.

[kayrus]

ES5 is ready to be used, but there is no proper webui yet.
I use it with kibana5 and x-pack so far.

[eugene-chow]

ok. i'll test it again soon. for now, the rbac rules may not work properly with ES5

[kayrus]

@eugene-chow didn't you miss a role for es-master?

[eugene-chow]

I built the RBAC rules based on the error messages. es-master didn't malfunction in my deployment so I thought it didn't need to talk to kube-apiserver. Can you advise?

[kayrus]

@eugene-chow how many masters do you have?

[eugene-chow]

3 masters

[kayrus]

They definitely have to communicate to api-server. How do they do this without rbac? Or did I miss something?
Sorry, I don't have a test cluster with RBAC right now.

[eugene-chow]

Let me check tomorrow. It might be spitting out errors.

…

On 24 Apr 2017, at 23:30, kayrus ***@***.***> wrote: They definitely have to communicate to api-server. How do they do this without rbac? Or did I miss something? Sorry, I don't have a test cluster with RBAC right now. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJjUqCo3femAjJCSzdw5IYYmdcricIgZks5rzL_4gaJpZM4NFofX>.

[eugene-chow]

es-master is not producing any errors. But if you say that it needs to talk to kube-apiserver, I believe its RBAC should be the same as those for es-data and es-client. Do you have an idea of which API endpoints it reads?

[eugene-chow]

@kayrus what's your advice?

[kayrus]

Not really. I have to test this feature myself and if it's ok - I'll merge it.

[kayrus]

Sorry for the delay. I have a question, why did you remove namespaces from the manifests? eugene-chow@1d4d8e0

kubectl complains on namespace:

The ClusterRoleBinding "kubernetes-events-printer" is invalid: subjects[0].namespace: Required value

You have to define them for ClusterRoleBinding, but skip for RoleBinding

[eugene-chow]

Namespace assignment is in the deploy.sh script so there's no need to specify it in the manifest.

A ClusterRoleBinding applies a Role/ClusterRole to the whole cluster. Specifying the namespace has no effect. I'm not certain why kubernetes-events-printer complains about the namespace. Never had that before.

[kayrus]

@eugene-chow which kubernetes version do you use? I tested on 1.6.4.

[eugene-chow]

I last tested it on 1.5.4. i do have a 1.6.4 cluster but I haven’t yet attempted to deploy ELK. the RBAC should be exactly the same if not similar.

…

On 19 Jun 2017, at 17:19, kayrus ***@***.***> wrote: @eugene-chow <https://github.com/eugene-chow> which kubernetes version do you use? I tested on 1.6.4. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJjUqPOHMa5FYWkxLiHjG1HQYmqacjLeks5sFj0FgaJpZM4NFofX>.

[kayrus]

@eugene-chow I assume ClusterRoleBinding requires the namespace definition even when you use --namespace %namespace% parameter for kubedns, since you have to specify which service account and from which namespace should be used.

[eugene-chow]

Now that you mention it, I recall that the namespace is needed when you tie the ClusterRole to a ServiceAccount in the ClusterRoleBinding.

…

On 19 Jun 2017, at 17:32, kayrus ***@***.***> wrote: @eugene-chow <https://github.com/eugene-chow> I assume ClusterRoleBinding requires the namespace definition even when you use --namespace %namespace% parameter for kubedns, since you have to specify which service account and from which namespace should be used. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#12 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJjUqE03XHbnLC-yOAWRnDBroReMuT7eks5sFkBGgaJpZM4NFofX>.

[kayrus]

It's also worth to introduce podsecuritypolicy for this. I have some kind of draft, maybe you can introduce it in this PR:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive-elk
spec:
  # Four below are for elasticsearch and ingress
  privileged: true
  # this is only for ingress
  hostNetwork: true
  allowedCapabilities:
  - IPC_LOCK
# this is not necessary for newer k8s versions and pod-anti-affinity
  hostPorts:
  - max: 28652
    min: 28652
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'