Enable security context in kubernetes

  1. What have you already tried? Please include links to gists and/or code blocks (if relatively small)

Try to deploy sensu in kubernetes with security context.

  1. Tell us about your setup, this should include OS, version of Sensu, version of Sensu components (redis, rabbitmq), plugin versions (if applicable), anything special about your setup such as an airgapped network or strict ACLs
apiVersion: extensions/v1beta1
kind: Deployment
  name: sensu-agent
  namespace: sensu
    app.kubernetes.io/name: sensu-agent
  replicas: 1
      name: sensu-agent
        app.kubernetes.io/name: sensu-agent
      serviceAccountName: sensuagent
        runAsUser: 1000
        runAsGroup: 1000
        - name: sensu-agent
          image: "sensu/sensu:5.19.0"
          command: [ "sensu-agent" ]
          args: [ "start", "--api-host", "", "--namespace", "$(SENSU_NAMESPACE)", "--subscriptions", "$(SENSU_SUBSCRIPTIONS)", "--backend-url", "$(SENSU_BACKEND_URL)", "--log-level", "$(SENSU_LOGLEVEL)", "--trusted-ca-file /certs-ca/sensu-ca.pem", "--statsd-disable", "--deregister", "--annotations $(ORIGIN)"]
            - name: api
              containerPort: 3031
              protocol: TCP
              path: /healthz
              port: 3031
            initialDelaySeconds: 30
            timeoutSeconds: 5
              - mountPath: "/certs-ca"
                name: sensu-ca-pem
                readOnly: true
            - name: SENSU_BACKEND_URL
              value: wss://sensu-api.example.com:8081
            - name: SENSU_SUBSCRIPTIONS
              value: kubernetes
            - name: SENSU_NAMESPACE
              value: default
            - name: SENSU_LOGLEVEL
              value: debug
            - name: ORIGIN=kubernetes"

Log Error:
{“component”:“agent”,“error”:“error creating agent: could not create directory for api queue (/var/cache/sensu/sensu-agent): mkdir /var/cache/sensu: permission denied”,“level”:“fatal”,“msg”:“error executing sensu-agent”,“time”:“2020-04-09T08:22:15Z”}

  1. Is there a Github issue related to your issue? No
  2. Is there anything else that can help us effectively help you? i dont know yet.
1 Like

The error you’re getting looks like an error you’d see in a non-container context if the Sensu agent was run as the wrong user, or if the Sensu directories were created with the wrong permissions.

Do you get the same error if you run this without setting the serviceAccountName and securityContext?

I’m not aware if we’ve documented how to configure these securityContext settings for our Docker container, but in a traditional multi-user Linux context, the Sensu services expect to be run as the sensu user (not root), and this same user should own the Sensu directories (e.g. the cache directory, which is /var/cache/sensu/sensu-agent by default).

I hope this helps!

Sorry, but i check in sensu/sensu:5.19.0 image and I cannot find any sensu user:

$ docker run -ti --rm sensu/sensu:5.19.0 sh
/ # sensuctl version
sensuctl version 5.19.0, build 58a0a4e37825ae4af5ab1827454af2e47421a917, built 2020-03-30T20:20:35Z
/ # grep sensu /etc/passwd
/ # ls -l /var/cache
total 8
drwxr-xr-x    2 root     root          4096 Jan 23 16:14 apk
drwxr-xr-x    1 root     root          4096 Mar 30 20:23 misc

In security context in Kubernetes I need to use the same user ID configured in Dockerfile.
I tried to find the Dockerfile in sensu-go repository, but I cannot find it.
It need to have USER inside.
Could you check it for me?