Configuring Fluent Bit in Kubernetes with Non-Root Privileges for Elasticsearch Output

[praveenk-raveendran]

Hello Fluent Bit Community,

I am reaching out to seek guidance and discuss a challenge I'm facing with configuring Fluent Bit in a Kubernetes cluster. Our security policies require that containers run with non-root privileges, and I am trying to ensure that Fluent Bit adheres to this policy while also being able to write logs to Elasticsearch effectively.

Here's the context of the issue:

Environment: Kubernetes cluster
Requirement: Running Fluent Bit as a non-root user
Objective: To write logs to an Elasticsearch cluster

Despite following the documentation and trying out various configurations, I am encountering difficulties in getting Fluent Bit to work as expected under these constraints. When I'm giving the following permissions, then only it is working and write logs to Elasticsearch.

securityContext: capabilities: drop: - ALL add: - FOWNER - CHOWN - DAC_OVERRIDE - FSETID runAsNonRoot: false

I am looking for advice from the community on best practices for this scenario and any potential workarounds or configurations that may have been successful for others. Here are some questions I have:

1. Has anyone successfully configured Fluent Bit to run with non-root privileges in Kubernetes and write to Elasticsearch?
2. Are there specific configurations or Kubernetes manifests that help facilitate this setup?
3. Are there any known limitations or considerations that I should be aware of when running Fluent Bit as a non-root user?

I am open to suggestions and would greatly appreciate any insights or experiences that you could share. If there are existing threads or resources that address this issue, please point me in the right direction.

Thank you in advance for your time and assistance.

Best regards,
Praveen

[patrick-stephens]

My guess is you're using tail input which is the actual driver of permissions here? The main thing it needs is reading the kubelet logs mounted in. It is possible to do but you need to ensure the fs permissions are correct to allow the user to read the files.

I can't see why the output would be affected.