From e59d7d5e2736dbedd15be5c7e1e5e76e25b2cad3 Mon Sep 17 00:00:00 2001
From: gsmith-sas <65406958+gsmith-sas@users.noreply.github.com>
Date: Thu, 19 Dec 2024 15:11:50 -0500
Subject: [PATCH] Cleanup based on code review comments

---
 CHANGELOG.md | 2 +-
 logging/bin/deploy_fluentbit_azmonitor.sh | 26 +++++++++++-----------
 logging/bin/deploy_fluentbit_opensearch.sh | 21 ++++++++---------
 3 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c71b5ae..f4c64e2b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ maintain state information for the log collector has moved to a hostPath volume
 has been added to handle migrating any existing state information and make adjustments to file ownership/permissions. NOTE: This initContainer runs under as `root` user but only runs briefly during the initial deployment process.
 * [SECURITY] Runtime security controls for all Fluent Bit pods (inc. both log collecting and Kubernetes event
-collecting) have been tightened. Changes include: adding seecompProfile; and disallowing privileged containers,
+collecting) have been tightened. Changes include: adding seccompProfile; and disallowing privileged containers,
 privilege escalation and write access to the root filesystem.
 * [SECURITY] On OpenShift, all Fluent Bit pods now use custom SCC objects to support changes described above.
 * [CHANGE] Improved handling of long log messages and those from some Crunchy Data pods
diff --git a/logging/bin/deploy_fluentbit_azmonitor.sh b/logging/bin/deploy_fluentbit_azmonitor.sh
index f5ae35ab..33ec9ab7 100755
--- a/logging/bin/deploy_fluentbit_azmonitor.sh
+++ b/logging/bin/deploy_fluentbit_azmonitor.sh
@@ -67,7 +67,7 @@ if [ "$(kubectl -n $LOG_NS get secret connection-info-azmonitor -o name 2>/dev/n
 if [ "$AZMONITOR_CUSTOMER_ID" != "NotProvided" ] && [ "$AZMONITOR_SHARED_KEY" != "NotProvided" ]; then
 log_info "Creating secret [connection-info-azmonitor] in [$LOG_NS] namespace to hold Azure connection information."
- kubectl -n $LOG_NS create secret generic connection-info-azmonitor --from-literal=customer_id=$AZMONITOR_CUSTOMER_ID --from-literal=shared_key=$AZMONITOR_SHARED_KEY
+ kubectl -n "$LOG_NS" create secret generic connection-info-azmonitor --from-literal=customer_id="$AZMONITOR_CUSTOMER_ID" --from-literal=shared_key="$AZMONITOR_SHARED_KEY"
 else
 log_error "Unable to create secret [$LOG_NS/connection-info-azmonitor] because missing required information: [AZMONITOR_CUSTOMER_ID: $AZMONITOR_CUSTOMER_ID ; AZMONITOR_SHARED_KEY: $AZMONITOR_SHARED_KEY]."
 log_error "You must provide this information via environment variables or create the secret [connection-info-azmonitor] before running this script."
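Review bot: The rewritten `kubectl create secret` line still hands the Azure shared key over as a command-line argument (`--from-literal=shared_key="$AZMONITOR_SHARED_KEY"`), so the secret is readable in the process table of the host running the deployment and is printed verbatim by any `set -x` tracing; quoting does not change that. Passing it through a file descriptor instead avoids both exposures, e.g. `--from-file=shared_key=<(printf '%s' "$AZMONITOR_SHARED_KEY")`, leaving the `customer_id` literal as it is. In the `else` branch the first `log_error` also writes `$AZMONITOR_SHARED_KEY` in clear to the log when only the customer ID is missing; reporting whether it is set rather than its value would be safer. The enclosing `if [ "$(kubectl ... get secret connection-info-azmonitor ...` block begins before this hunk.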
@@ -75,14 +75,14 @@ if [ "$(kubectl -n $LOG_NS get secret connection-info-azmonitor -o name 2>/dev/n
 fi
 else
 log_info "Obtaining connection information from existing secret [$LOG_NS/connection-info-azmonitor]"
- export AZMONITOR_CUSTOMER_ID=$(kubectl -n $LOG_NS get secret connection-info-azmonitor -o=jsonpath="{.data.customer_id}" |base64 --decode)
- export AZMONITOR_SHARED_KEY=$(kubectl -n $LOG_NS get secret connection-info-azmonitor -o=jsonpath="{.data.shared_key}" |base64 --decode)
+ export AZMONITOR_CUSTOMER_ID=$(kubectl -n "$LOG_NS" get secret connection-info-azmonitor -o=jsonpath="{.data.customer_id}" |base64 --decode)
+ export AZMONITOR_SHARED_KEY=$(kubectl -n "$LOG_NS" get secret connection-info-azmonitor -o=jsonpath="{.data.shared_key}" |base64 --decode)
 fi
 # Check for an existing Helm release of stable/fluent-bit
 if helm3ReleaseExists fbaz $LOG_NS; then
 log_info "Removing an existing release of deprecated stable/fluent-bit Helm chart from from the [$LOG_NS] namespace [$(date)]"
- helm $helmDebug delete -n $LOG_NS fbaz
+ helm $helmDebug delete -n "$LOG_NS" fbaz
 if [ $(kubectl get servicemonitors -A |grep fluent-bit-v2 -c) -ge 1 ]; then
 log_debug "Updated serviceMonitor [fluent-bit-v2] appears to be deployed."
@@ -103,11 +103,11 @@ else
 fi
 # Create ConfigMap containing Fluent Bit configuration
-kubectl -n $LOG_NS apply -f $FB_CONFIGMAP
+kubectl -n "$LOG_NS" apply -f $FB_CONFIGMAP
 # Create ConfigMap containing Viya-customized parsers (delete it first)
-kubectl -n $LOG_NS delete configmap fbaz-viya-parsers --ignore-not-found
-kubectl -n $LOG_NS create configmap fbaz-viya-parsers --from-file=logging/fb/viya-parsers.conf
+kubectl -n "$LOG_NS" delete configmap fbaz-viya-parsers --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fbaz-viya-parsers --from-file=logging/fb/viya-parsers.conf
 TRACING_ENABLE="${TRACING_ENABLE:-false}"
 if [ "$TRACING_ENABLE" == "true" ]; then
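Review bot: The two rewritten `export AZMONITOR_…=$(kubectl … |base64 --decode)` lines still discard the outcome of the lookup: `export` returns 0 whatever the pipeline did, and without `pipefail` the pipeline's status is `base64`'s anyway, so a secret that cannot be read (RBAC, wrong namespace) or that lacks the `customer_id`/`shared_key` keys leaves both variables exported as empty strings and the script presumably carries on to deploy Fluent Bit with empty Azure credentials. A value check right after the two exports fails closed in the file's existing style: `if [ -z "$AZMONITOR_CUSTOMER_ID" ] || [ -z "$AZMONITOR_SHARED_KEY" ]; then log_error "Secret [$LOG_NS/connection-info-azmonitor] is missing customer_id or shared_key."; exit 1; fi`. The `if helm3ReleaseExists fbaz $LOG_NS` context line in this hunk still passes `$LOG_NS` unquoted, which the cleanup otherwise addresses. The `if`/`else` this hunk closes begins before it.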
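Review bot: On the new `kubectl -n "$LOG_NS" apply -f $FB_CONFIGMAP` line, `$FB_CONFIGMAP` is left unquoted while `$LOG_NS` on the same command was quoted, so the cleanup is inconsistent within a single invocation; `kubectl -n "$LOG_NS" apply -f "$FB_CONFIGMAP"` completes it. The identical line is added in the `@@ -107,11 +107,11 @@` hunk of logging/bin/deploy_fluentbit_opensearch.sh and should be fixed there too.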
@@ -147,13 +147,13 @@ fi
 MON_NS="${MON_NS:-monitoring}"
 # Create ConfigMap containing Kubernetes container runtime log format
-kubectl -n $LOG_NS delete configmap fbaz-env-vars --ignore-not-found
-kubectl -n $LOG_NS create configmap fbaz-env-vars \
+kubectl -n "$LOG_NS" delete configmap fbaz-env-vars --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fbaz-env-vars \
 --from-literal=KUBERNETES_RUNTIME_LOGFMT=$KUBERNETES_RUNTIME_LOGFMT \
 --from-literal=LOG_MULTILINE_PARSER="${LOG_MULTILINE_PARSER}" \
 --from-literal=MON_NS="${MON_NS}"
-kubectl -n $LOG_NS label configmap fbaz-env-vars managed-by=v4m-es-script
+kubectl -n "$LOG_NS" label configmap fbaz-env-vars managed-by=v4m-es-script
 # Check to see if we are upgrading from earlier version requiring root access
 if [ "$( kubectl -n $LOG_NS get configmap fbaz-dbmigrate-script -o name --ignore-not-found)" != "configmap/fbaz-dbmigrate-script" ]; then
@@ -162,9 +162,9 @@ if [ "$( kubectl -n $LOG_NS get configmap fbaz-dbmigrate-script -o name --ignore
 fi
 # Create ConfigMap containing Fluent Bit database migration script
-kubectl -n $LOG_NS delete configmap fbaz-dbmigrate-script --ignore-not-found
-kubectl -n $LOG_NS create configmap fbaz-dbmigrate-script --from-file logging/fb/migrate_fbstate_db.sh
-kubectl -n $LOG_NS label configmap fbaz-dbmigrate-script managed-by=v4m-es-script
+kubectl -n "$LOG_NS" delete configmap fbaz-dbmigrate-script --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fbaz-dbmigrate-script --from-file logging/fb/migrate_fbstate_db.sh
+kubectl -n "$LOG_NS" label configmap fbaz-dbmigrate-script managed-by=v4m-es-script
 ## Get Helm Chart Name
diff --git a/logging/bin/deploy_fluentbit_opensearch.sh b/logging/bin/deploy_fluentbit_opensearch.sh
index 65dbd127..b511a332 100755
--- a/logging/bin/deploy_fluentbit_opensearch.sh
+++ b/logging/bin/deploy_fluentbit_opensearch.sh
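Review bot: The rewritten `kubectl -n "$LOG_NS" create configmap fbaz-env-vars \` command continues onto the context line `--from-literal=KUBERNETES_RUNTIME_LOGFMT=$KUBERNETES_RUNTIME_LOGFMT \`, where the value is still unquoted, whereas the same command in deploy_fluentbit_opensearch.sh (hunk `@@ -151,14 +151,14 @@`) quotes it; a value containing whitespace would be split into extra arguments here and the two scripts would behave differently on the same input. Quoting it, `--from-literal=KUBERNETES_RUNTIME_LOGFMT="$KUBERNETES_RUNTIME_LOGFMT" \`, brings the two scripts back in line.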
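Review bot: The delete/create/label sequence for `fbaz-dbmigrate-script` never checks that the `create` succeeded, and its source is the cwd-relative path `logging/fb/migrate_fbstate_db.sh`: run from another directory, the script removes the old ConfigMap, fails to create the new one, and — unless it runs under `set -e`, which is not visible in the hunk — continues to the Helm upgrade without the migration script that, per the CHANGELOG hunk, a root initContainer executes. Failing closed costs one suffix: `kubectl -n "$LOG_NS" create configmap fbaz-dbmigrate-script --from-file logging/fb/migrate_fbstate_db.sh || exit 1`. The same unchecked pattern is in the `@@ -167,9 +167,9 @@` hunk of deploy_fluentbit_opensearch.sh and in the other ConfigMap delete/create blocks this commit touches.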
@@ -55,7 +55,7 @@ helm2ReleaseCheck fb-$LOG_NS
 # Check for an existing Helm release of stable/fluent-bit
 if helm3ReleaseExists fb $LOG_NS; then
 log_verbose "Removing an existing release of deprecated stable/fluent-bit Helm chart from from the [$LOG_NS] namespace [$(date)]"
- helm $helmDebug delete -n $LOG_NS fb
+ helm $helmDebug delete -n "$LOG_NS" fb
 if [ $(kubectl get servicemonitors -A |grep fluent-bit-v2 -c) -ge 1 ]; then
 log_debug "Updated serviceMonitor [fluent-bit-v2] appears to be deployed."
@@ -107,11 +107,11 @@ else
 fi
 # Create ConfigMap containing Fluent Bit configuration
-kubectl -n $LOG_NS apply -f $FB_CONFIGMAP
+kubectl -n "$LOG_NS" apply -f $FB_CONFIGMAP
 # Create ConfigMap containing Viya-customized parsers (delete it first)
-kubectl -n $LOG_NS delete configmap fb-viya-parsers --ignore-not-found
-kubectl -n $LOG_NS create configmap fb-viya-parsers --from-file=logging/fb/viya-parsers.conf
+kubectl -n "$LOG_NS" delete configmap fb-viya-parsers --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fb-viya-parsers --from-file=logging/fb/viya-parsers.conf
 TRACING_ENABLE="${TRACING_ENABLE:-false}"
 if [ "$TRACING_ENABLE" == "true" ]; then
@@ -151,14 +151,14 @@ fi
 MON_NS="${MON_NS:-monitoring}"
 # Create ConfigMap containing Kubernetes container runtime log format
-kubectl -n $LOG_NS delete configmap fb-env-vars --ignore-not-found
-kubectl -n $LOG_NS create configmap fb-env-vars \
+kubectl -n "$LOG_NS" delete configmap fb-env-vars --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fb-env-vars \
 --from-literal=KUBERNETES_RUNTIME_LOGFMT="$KUBERNETES_RUNTIME_LOGFMT" \
 --from-literal=LOG_MULTILINE_PARSER="${LOG_MULTILINE_PARSER}" \
 --from-literal=SEARCH_SERVICENAME="${ES_SERVICENAME}" \
 --from-literal=MON_NS="${MON_NS}"
-kubectl -n $LOG_NS label configmap fb-env-vars managed-by=v4m-es-script
+kubectl -n "$LOG_NS" label configmap fb-env-vars managed-by=v4m-es-script
 # Check to see if we are upgrading from earlier version requiring root access
 if [ "$( kubectl -n $LOG_NS get configmap fb-dbmigrate-script -o name --ignore-not-found)" != "configmap/fb-dbmigrate-script" ]; then
@@ -167,9 +167,9 @@ if [ "$( kubectl -n $LOG_NS get configmap fb-dbmigrate-script -o name --ignore-n
 fi
 # Create ConfigMap containing Fluent Bit database migration script
-kubectl -n $LOG_NS delete configmap fb-dbmigrate-script --ignore-not-found
-kubectl -n $LOG_NS create configmap fb-dbmigrate-script --from-file logging/fb/migrate_fbstate_db.sh
-kubectl -n $LOG_NS label configmap fb-dbmigrate-script managed-by=v4m-es-script
+kubectl -n "$LOG_NS" delete configmap fb-dbmigrate-script --ignore-not-found
+kubectl -n "$LOG_NS" create configmap fb-dbmigrate-script --from-file logging/fb/migrate_fbstate_db.sh
+kubectl -n "$LOG_NS" label configmap fb-dbmigrate-script managed-by=v4m-es-script
 ## Get Helm Chart Name
 log_debug "Fluent Bit Helm Chart: repo [$FLUENTBIT_HELM_CHART_REPO] name [$FLUENTBIT_HELM_CHART_NAME] version [$FLUENTBIT_HELM_CHART_VERSION]"
@@ -189,6 +189,7 @@ helm $helmDebug upgrade --install --namespace $LOG_NS v4m-fb \
 $chart2install
 #pause to allow migration script to complete (if necessary)
+log_debug "Pausing to allow migration script to complete"
 sleep 20
 #Container Security: Disable Token Automounting at ServiceAccount; enable for Pod
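Review bot: The new `log_debug` makes the pause visible, but the synchronisation itself is still a fixed `sleep 20`, which neither guarantees the migration has finished on a slow cluster nor avoids the wait in the "(if necessary)" case the comment above it describes. If the migration runs in the Fluent Bit pods' initContainer, as the CHANGELOG hunk states, waiting on the workload is both deterministic and bounded: `kubectl -n "$LOG_NS" rollout status daemonset/<fluent-bit-daemonset> --timeout=120s || exit 1`, with the placeholder replaced by the workload name the chart actually creates. The `helm upgrade --install` invocation whose final argument line `$chart2install` opens this hunk begins before it.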