Merge pull request #2119 from kube-logging/copilot/fix-da90e475-f896-4ae8-af46-0cc6d4fe3890

csatib02 · web-flow · commit c224a45eca24 · 2025-10-07T09:59:04.000+02:00
fix: buffer-metrics-sidecar running as root user
diff --git a/images/node-exporter/Dockerfile b/images/node-exporter/Dockerfile
@@ -6,10 +6,14 @@ COPY --from=custom-runner /runner /
 
 USER root
 
-RUN mkdir -p /prometheus/node_exporter/textfile_collector
+RUN mkdir -p /prometheus/node_exporter/textfile_collector && \
+    chown -R nobody:nobody /prometheus
 
 COPY buffer-size.sh /prometheus/buffer-size.sh
-RUN chmod 0744 /prometheus/buffer-size.sh
+RUN chmod 0755 /prometheus/buffer-size.sh && \
+    chown nobody:nobody /prometheus/buffer-size.sh
+
+USER nobody:nobody
 
 WORKDIR /
 
diff --git a/pkg/resources/fluentbit/daemonset.go b/pkg/resources/fluentbit/daemonset.go
@@ -316,6 +316,16 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 		nodeExporterCmd := fmt.Sprintf("nodeexporter -> ./bin/node_exporter %v", strings.Join(args, " "))
 		bufferSizeCmd := "buffersize -> /prometheus/buffer-size.sh"
 
+		securityContext := &corev1.SecurityContext{
+			RunAsNonRoot:             util.BoolPointer(true),
+			RunAsUser:                util.IntPointer64(65534),
+			RunAsGroup:               util.IntPointer64(65534),
+			AllowPrivilegeEscalation: util.BoolPointer(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		}
+
 		return &corev1.Container{
 			Name:            "buffer-metrics-sidecar",
 			Image:           r.fluentbitSpec.BufferVolumeImage.RepositoryWithTag(),
@@ -338,7 +348,7 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 				},
 			},
 			Resources:       r.fluentbitSpec.BufferVolumeResources,
-			SecurityContext: r.fluentbitSpec.Security.SecurityContext,
+			SecurityContext: securityContext,
 			LivenessProbe:   r.fluentbitSpec.BufferVolumeLivenessProbe,
 		}
 	}
diff --git a/pkg/resources/fluentd/statefulset.go b/pkg/resources/fluentd/statefulset.go
@@ -281,7 +281,7 @@ func generateVolumeMounts(spec *v1beta1.FluentdSpec) []corev1.VolumeMount {
 			MountPath: "/fluentd/tls/",
 		})
 	}
-	if isFluentdReadOnlyRootFilesystem(spec) {
+	if spec.Security.IsReadOnlyRootFilesystem() {
 		res = append(res, corev1.VolumeMount{
 			Name:      "tmp",
 			SubPath:   "fluentd",
@@ -311,7 +311,7 @@ func (r *Reconciler) generateVolume() (v []corev1.Volume) {
 		},
 	}
 
-	if isFluentdReadOnlyRootFilesystem(r.fluentdSpec) {
+	if r.fluentdSpec.Security.IsReadOnlyRootFilesystem() {
 		v = append(v, corev1.Volume{
 			Name:         "tmp",
 			VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
@@ -359,7 +359,7 @@ func (r *Reconciler) generateVolume() (v []corev1.Volume) {
 }
 
 func (r *Reconciler) tmpDirHackContainer() *corev1.Container {
-	if isFluentdReadOnlyRootFilesystem(r.fluentdSpec) {
+	if r.fluentdSpec.Security.IsReadOnlyRootFilesystem() {
 		return &corev1.Container{
 			Command:         []string{"sh", "-c", "mkdir -p /mnt/tmp/fluentd/; chmod +t /mnt/tmp/fluentd"},
 			Image:           r.fluentdSpec.Image.RepositoryWithTag(),
@@ -412,6 +412,28 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 		nodeExporterCmd := fmt.Sprintf("nodeexporter -> ./bin/node_exporter %v", strings.Join(args, " "))
 		bufferSizeCmd := "buffersize -> /prometheus/buffer-size.sh"
 
+		securityContext := &corev1.SecurityContext{
+			RunAsNonRoot:             util.BoolPointer(true),
+			RunAsUser:                util.IntPointer64(65534),
+			RunAsGroup:               util.IntPointer64(65534),
+			AllowPrivilegeEscalation: util.BoolPointer(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		}
+		// Allow override from fluentdSpec if SecurityContext is explicitly set
+		if r.fluentdSpec.Security.SecurityContext != nil {
+			// Check if RunAsUser or RunAsGroup is explicitly set to something other than the fluentd defaults
+			if r.fluentdSpec.Security.SecurityContext.RunAsUser != nil && *r.fluentdSpec.Security.SecurityContext.RunAsUser != 100 &&
+				r.fluentdSpec.Security.SecurityContext.RunAsGroup != nil && *r.fluentdSpec.Security.SecurityContext.RunAsGroup != 101 {
+				securityContext = r.fluentdSpec.Security.SecurityContext
+			}
+
+			if r.fluentdSpec.Security.IsReadOnlyRootFilesystem() {
+				r.Log.Info("ReadOnlyRootFilesystem is set, buffer-metrics-sidecar could fail!")
+			}
+		}
+
 		return &corev1.Container{
 			Name:            "buffer-metrics-sidecar",
 			Image:           r.fluentdSpec.BufferVolumeImage.RepositoryWithTag(),
@@ -434,7 +456,7 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 				},
 			},
 			Resources:       r.fluentdSpec.BufferVolumeResources,
-			SecurityContext: r.fluentdSpec.Security.SecurityContext,
+			SecurityContext: securityContext,
 			LivenessProbe:   r.fluentdSpec.BufferVolumeLivenessProbe,
 		}
 	}
@@ -514,11 +536,3 @@ func generateInitContainer(spec v1beta1.FluentdSpec) *corev1.Container {
 	}
 	return nil
 }
-
-func isFluentdReadOnlyRootFilesystem(spec *v1beta1.FluentdSpec) bool {
-	if spec.Security.SecurityContext.ReadOnlyRootFilesystem != nil {
-		return *spec.Security.SecurityContext.ReadOnlyRootFilesystem
-	}
-
-	return false
-}
diff --git a/pkg/resources/syslogng/statefulset.go b/pkg/resources/syslogng/statefulset.go
@@ -266,6 +266,16 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 		nodeExporterCmd := fmt.Sprintf("nodeexporter -> ./bin/node_exporter %v", strings.Join(args, " "))
 		bufferSizeCmd := "buffersize -> /prometheus/buffer-size.sh"
 
+		securityContext := &corev1.SecurityContext{
+			RunAsNonRoot:             util.BoolPointer(true),
+			RunAsUser:                util.IntPointer64(65534),
+			RunAsGroup:               util.IntPointer64(65534),
+			AllowPrivilegeEscalation: util.BoolPointer(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		}
+
 		return &corev1.Container{
 			Name:            "buffer-metrics-sidecar",
 			Image:           r.syslogNGSpec.BufferVolumeMetricsImage.RepositoryWithTag(),
@@ -288,8 +298,9 @@ func (r *Reconciler) bufferMetricsSidecarContainer() *corev1.Container {
 					MountPath: BufferPath,
 				},
 			},
-			Resources:     r.syslogNGSpec.BufferVolumeMetricsResources,
-			LivenessProbe: r.syslogNGSpec.BufferVolumeMetricsLivenessProbe,
+			Resources:       r.syslogNGSpec.BufferVolumeMetricsResources,
+			SecurityContext: securityContext,
+			LivenessProbe:   r.syslogNGSpec.BufferVolumeMetricsLivenessProbe,
 		}
 	}
 	return nil
diff --git a/pkg/sdk/logging/api/v1beta1/common_types.go b/pkg/sdk/logging/api/v1beta1/common_types.go
@@ -159,6 +159,14 @@ type Security struct {
 	CreateOpenShiftSCC      *bool                      `json:"createOpenShiftSCC,omitempty"`
 }
 
+func (s *Security) IsReadOnlyRootFilesystem() bool {
+	if s.SecurityContext.ReadOnlyRootFilesystem != nil {
+		return *s.SecurityContext.ReadOnlyRootFilesystem
+	}
+
+	return false
+}
+
 // ReadinessDefaultCheck Enable default readiness checks
 type ReadinessDefaultCheck struct {
 	// Enable default Readiness check it'll fail if the buffer volume free space exceeds the `readinessDefaultThreshold` percentage (90%).
