From 8297a6ba5a9432e21f6c2d8564a3c25f85f6f442 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Fri, 2 Sep 2022 19:43:45 +0200
Subject: [PATCH] restoring to its previous level of brokenness, now disabled
 by default on all cluster types

---
 .../manifests/deploy-rancher-logging.j2       | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/roles/rke2/templates/manifests/deploy-rancher-logging.j2 b/roles/rke2/templates/manifests/deploy-rancher-logging.j2
index 45b1d64..03a6e61 100644
--- a/roles/rke2/templates/manifests/deploy-rancher-logging.j2
+++ b/roles/rke2/templates/manifests/deploy-rancher-logging.j2
@@ -3,7 +3,7 @@
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: kube-system
+  name: cattle-logging-system
 
 ---
 
@@ -16,11 +16,11 @@ spec:
   repo: {{ item.value.repo | default("https://charts.rancher.io") }}
   chart: rancher-logging-crd
   version: {{ item.value.version | default("3.15.0") }}
-  targetNamespace: kube-system
+  targetNamespace: cattle-logging-system
 
 
 ---
- #CreateContainerConfigError (container has runAsNonRoot and image has non-numeric user (fluent), cannot verify user is non-root (pod: "rancher-logging-root-fluentd-0_cattle-logging-system(abba9ac8-72a3-469e-b4e3-f04d942ade09)", container: fluentd))
+
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
 metadata:
@@ -30,7 +30,7 @@ spec:
   repo: {{ item.value.repo | default("https://charts.rancher.io") }}
   chart: rancher-logging
   version: {{ item.value.version | default("3.15.0") }}
-  targetNamespace: kube-system
+  targetNamespace: cattle-logging-system
   valuesContent: |-
     createCustomResource: true
     global:
@@ -39,11 +39,14 @@ spec:
     additionalLoggingSources:
       rke2:
         enabled: true
-    debug: true
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+    SecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
 
-# Moving it into kube-system as a last resort cause there it can run unrestricted, this might not work due to network, lets try
 # Need for fluentd statefulset the Security Context RunasUser
-# when running it runAsUser it needs perms /usr/lib/ruby/2.7.0/logger/log_device.rb:103:in `initialize': Permission denied @ rb_sysopen - /fluentd/log/out (Errno::EACCES)
 ---
 
 apiVersion: helm.cattle.io/v1
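Review bot: The added `SecurityContext:` key is capitalised while its sibling is `podSecurityContext:`. Helm value keys are case-sensitive, so if the chart reads `securityContext` this block is silently ignored and the container keeps the chart default; it should read `securityContext:`. Both blocks sit at the root of `valuesContent`, which presumably configures the operator pod rather than the fluentd StatefulSet that the kept comment (and the CreateContainerConfigError comment removed in an earlier hunk) refers to, so confirm against the chart's values that the fluentd pods actually receive `runAsUser: 1000`. The hunk also deletes the comment recording that fluentd under runAsUser failed with `Permission denied ... /fluentd/log/out`, but adds no `fsGroup` or other volume-permission setting, so that failure will likely recur. I would keep a short comment such as `# fluentd as uid 1000 needs write access to /fluentd/log (EACCES otherwise)` until the permissions are fixed.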
@@ -55,7 +58,7 @@ spec:
   repo: {{ item.value.repo | default("https://grafana.github.io/helm-charts") }}
   chart: loki
   version: {{ item.value.lokiversion | default("2.11.1") }}
-  targetNamespace: kube-system
+  targetNamespace: cattle-logging-system
 
 
 
-- 
GitLab