Enable security context in Kubernetes

  1. What have you already tried? Please include links to gists and/or code blocks (if relatively small)

Trying to deploy Sensu in Kubernetes with a security context.

  2. Tell us about your setup, this should include OS, version of Sensu, version of Sensu components (redis, rabbitmq), plugin versions (if applicable), anything special about your setup such as an airgapped network or strict ACLs
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sensu-agent
  namespace: sensu
  labels:
    app.kubernetes.io/name: sensu-agent
spec:
  replicas: 1
  template:
    metadata:
      name: sensu-agent
      labels:
        app.kubernetes.io/name: sensu-agent
    spec:
      serviceAccountName: sensuagent
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: sensu-agent
          image: "sensu/sensu:5.19.0"
          command: [ "sensu-agent" ]
          # each flag and its value must be a separate list element; a single
          # "--flag value" string would be parsed as one (unknown) flag name
          args: [ "start", "--api-host", "0.0.0.0", "--namespace", "$(SENSU_NAMESPACE)", "--subscriptions", "$(SENSU_SUBSCRIPTIONS)", "--backend-url", "$(SENSU_BACKEND_URL)", "--log-level", "$(SENSU_LOGLEVEL)", "--trusted-ca-file", "/certs-ca/sensu-ca.pem", "--statsd-disable", "--deregister", "--annotations", "$(ORIGIN)" ]
          ports:
            - name: api
              containerPort: 3031
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 3031
            initialDelaySeconds: 30
            timeoutSeconds: 5
          volumeMounts:
            - mountPath: "/certs-ca"
              name: sensu-ca-pem
              readOnly: true
          env:
            - name: SENSU_BACKEND_URL
              value: wss://sensu-api.example.com:8081
            - name: SENSU_SUBSCRIPTIONS
              value: kubernetes
            - name: SENSU_NAMESPACE
              value: default
            - name: SENSU_LOGLEVEL
              value: debug
            - name: ORIGIN
              # note: sensu-agent --annotations expects key=value pairs
              value: kubernetes

Log Error:
{"component":"agent","error":"error creating agent: could not create directory for api queue (/var/cache/sensu/sensu-agent): mkdir /var/cache/sensu: permission denied","level":"fatal","msg":"error executing sensu-agent","time":"2020-04-09T08:22:15Z"}

  3. Is there a Github issue related to your issue? No
  4. Is there anything else that can help us effectively help you? I don't know yet.

The error you’re getting looks like an error you’d see in a non-container context if the Sensu agent was run as the wrong user, or if the Sensu directories were created with the wrong permissions.

Do you get the same error if you run this without setting the serviceAccountName and securityContext?

I'm not sure whether we've documented how to configure these securityContext settings for our Docker container, but in a traditional multi-user Linux context, the Sensu services expect to be run as the sensu user (not root), and this same user should own the Sensu directories (e.g. the cache directory, which is /var/cache/sensu/sensu-agent by default).

I hope this helps!

Sorry, but I checked the sensu/sensu:5.19.0 image and I cannot find any sensu user:

$ docker run -ti --rm sensu/sensu:5.19.0 sh
/ # sensuctl version
sensuctl version 5.19.0, build 58a0a4e37825ae4af5ab1827454af2e47421a917, built 2020-03-30T20:20:35Z
/ # grep sensu /etc/passwd
/ # ls -l /var/cache
total 8
drwxr-xr-x    2 root     root          4096 Jan 23 16:14 apk
drwxr-xr-x    1 root     root          4096 Mar 30 20:23 misc

In the Kubernetes security context I need to use the same user ID that is configured in the Dockerfile.
I tried to find the Dockerfile in the sensu-go repository, but I cannot find it.
It needs to have a USER directive inside.
Could you check it for me?
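The two findings above explain the failure together: the image runs as root and ships no sensu user, and /var/cache is a root-owned 0755 directory, so any non-root runAsUser fails at the very first mkdir. Matching a UID from the Dockerfile is not the only way out; the agent only needs a cache directory it can write to. The manifest below is an added example, not the original poster's manifest or anything published by the Sensu project. It backs /var/cache/sensu with an emptyDir volume (kubelet creates emptyDir directories writable by the container's UID, and fsGroup additionally makes mounted volumes group-owned by GID 1000), keeps UID/GID 1000 as an arbitrary non-root choice, and drops capabilities the agent does not need. It assumes a cluster that serves apps/v1 Deployments (so a selector is required), and that a sensuagent ServiceAccount and a Secret named sensu-ca-pem already exist in the sensu namespace; the Secret name and the volumes section are assumptions, since the original post did not show them.

```yaml
# Added example (not from the original post or the Sensu project).
# Assumed: apps/v1 Deployments, an existing "sensuagent" ServiceAccount and
# an existing Secret "sensu-ca-pem" in namespace "sensu"; UID/GID 1000 is an
# arbitrary non-root choice because the image defines no sensu user.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sensu-agent
  namespace: sensu
  labels:
    app.kubernetes.io/name: sensu-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: sensu-agent
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sensu-agent
    spec:
      serviceAccountName: sensuagent
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true   # refuse to start if the effective UID is ever 0
        fsGroup: 1000        # mounted volumes become group-owned by GID 1000 and group-writable
      containers:
        - name: sensu-agent
          image: "sensu/sensu:5.19.0"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]  # the API listens on 3031, so no privileged port is needed
          command: ["sensu-agent"]
          # Each flag and its value is a separate element; "--flag value" in one
          # string would be read as a single unknown flag name.
          args:
            - start
            - --api-host
            - "0.0.0.0"
            - --namespace
            - $(SENSU_NAMESPACE)
            - --subscriptions
            - $(SENSU_SUBSCRIPTIONS)
            - --backend-url
            - $(SENSU_BACKEND_URL)
            - --log-level
            - $(SENSU_LOGLEVEL)
            - --trusted-ca-file
            - /certs-ca/sensu-ca.pem
            - --cache-dir
            - /var/cache/sensu/sensu-agent   # the default, spelled out to match the mount below
            - --statsd-disable
            - --deregister
          ports:
            - name: api
              containerPort: 3031
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 3031
            initialDelaySeconds: 30
            timeoutSeconds: 5
          volumeMounts:
            - mountPath: /certs-ca
              name: sensu-ca-pem
              readOnly: true
            # The writable cache directory: the image's own /var/cache is
            # root-owned 0755, which is exactly what produced the mkdir error.
            - mountPath: /var/cache/sensu
              name: agent-cache
          env:
            - name: SENSU_BACKEND_URL
              value: wss://sensu-api.example.com:8081
            - name: SENSU_SUBSCRIPTIONS
              value: kubernetes
            - name: SENSU_NAMESPACE
              value: default
            - name: SENSU_LOGLEVEL
              value: debug
      volumes:
        - name: sensu-ca-pem
          secret:
            secretName: sensu-ca-pem   # assumed name of the CA Secret
        - name: agent-cache
          emptyDir: {}
```

To confirm the fix before rolling it out, exec into the running pod and check `id` and `ls -ld /var/cache/sensu`: the process should report uid=1000 and the directory should be writable by that UID or by GID 1000. The same emptyDir approach applies to any other path the agent needs to write; if a later run of the agent reports another "permission denied" on a different directory, back that directory with a volume too rather than relaxing the security context.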