Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix installation on talos.dev #25

Merged
merged 1 commit into from
Feb 9, 2024
Merged

Fix installation on talos.dev #25

merged 1 commit into from
Feb 9, 2024

Conversation

gecube
Copy link
Contributor

@gecube gecube commented Jan 20, 2024

When installing on talos.dev the prometheus is not running.
The issue is using of PodSecurityConfiguration
There some labels must be present on NS monitoring
I fixed it
I am kindly asking to accept this PR.

@kingdonb kingdonb self-assigned this Jan 23, 2024
@kingdonb
Copy link
Member

I am not a talos user today, but I may be one tomorrow... I am interested in checking this out and understanding if we support talos appropriately today, thanks for reporting this @gecube 🥇

@gecube
Copy link
Contributor Author

gecube commented Feb 1, 2024

@kingdonb any chance that it would be accepted? I don't like hanging PRs and stale branches

@kingdonb
Copy link
Member

kingdonb commented Feb 2, 2024

@gecube Yes we discussed this at Bug Scrub yesterday, but I didn't get around to updating the issue here.

I think we should expand support for talos, and I'd like to begin testing it myself. Immediately!

It is going to take me at least one more day to get my local dev environment up. But if we have one more Talos user here who can chime in and commit to report issues like this when we spot them, who can validate this change makes sense, I'd be glad to merge it.

Only problem is I do not have write access here. @fluxcd/maintainers Do we have a policy about write access to example repos? I think maybe they would fall under website/community and I should have access already. Or the example repos ought to have a MAINTAINERS file of their own, and I'll apply to be maintainer for the various docs repos.

I don't think I should be core maintainer, I don't have the golang experience to merge PRs in any old repo, but I can help in any of these example repos (and I'd volunteer for this.)

stefanprodan
stefanprodan reviewed Feb 2, 2024
View reviewed changes
monitoring/controllers/kube-prometheus-stack/namespace.yaml Outdated
Comment on lines 8 to 9
pod-security.kubernetes.io/warn: baseline
pod-security.kubernetes.io/audit: baseline
Copy link
Member

@stefanprodan stefanprodan Feb 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These will issue events and will fill the audit log at every reconciliation, do we really need them?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought that "yes". I don't think that it will hurt anyway. So ... do you recommend me to remove these annotations?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that it will hurt anyway.

I think it does, storing the audit log is expensive, and with baseline in there we just inflate the cost and storage.

Does Talos work without them?

kingdonb added a commit to kingdonb/flux2-monitoring-example that referenced this pull request Feb 7, 2024
@kingdonb
set enforce annotation
c98f9ea 
from fluxcd#25
(testing, do we need the others as well)

Signed-off-by: Kingdon P Barrett <[email protected]>
@kingdonb
Copy link
Member

kingdonb commented Feb 7, 2024

We're testing today in Bug Scrub:

  Warning  FailedCreate  7m28s                 daemonset-controller  Error creating: pods "kube-prometheus-stack-prometheus-node-exporter-lxl8c" is forbidden: violates PodSecurity "baseline:latest": host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volumes "proc", "sys", "root"), hostPort (container "node-exporter" uses hostPort 9100)
  Warning  FailedCreate  2m1s (x8 over 7m26s)  daemonset-controller  (combined from similar events): Error creating: pods "kube-prometheus-stack-prometheus-node-exporter-j25ff" is forbidden: violates PodSecurity "baseline:latest": host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volumes "proc", "sys", "root"), hostPort (container "node-exporter" uses hostPort 9100)

This is the daemonset which is not getting any pods fulfilled, preventing the HelmRelease from suceeding. All of the non daemonset pods are fine.

The talos pod security docs mention only the one label:

https://www.talos.dev/v1.6/kubernetes-guides/configuration/pod-security/

I've applied that one label and it does allow the HelmRelease to complete successfully, in my testing

@gecube
Copy link
Contributor Author

gecube commented Feb 9, 2024

@kingdonb @stefanprodan thanks for your comments and testing.
Fixed.

stefanprodan
stefanprodan approved these changes Feb 9, 2024
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @gecube

@stefanprodan stefanprodan changed the title Fix installation on talos.dev according to https://www.talos.dev/v1.6… Fix installation on talos.dev Feb 9, 2024
@stefanprodan stefanprodan merged commit bcae1ef into fluxcd:main Feb 9, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees

@kingdonb kingdonb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gecube @kingdonb @stefanprodan