This is documentation for the next version of Alloy. For the latest stable release, go to the latest version.
Deploy Grafana Alloy on OpenShift
You can deploy Alloy on the Red Hat OpenShift Container Platform (OCP).
Before you begin
- These steps assume you have a working OCP environment.
- You can adapt the suggested policies and configuration to meet your specific needs and security policies.
Configure RBAC
You must configure Role-Based Access Control (RBAC) to allow secure access to Kubernetes and OCP resources.
- Download the rbac.yaml configuration file. This configuration file defines the OCP verbs and permissions for Alloy.
- Review the
rbac.yaml
file and adapt as needed for your local environment. Refer to Managing Role-based Access Control (RBAC) topic in the OCP documentation for more information about updating and managing your RBAC configurations.
Run Alloy as a non-root user
You must configure Alloy to run as a non-root user. This ensures that Alloy complies with your OCP security policies.
Apply security context constraints
OCP uses Security Context Constraints (SCC) to control Pod permissions. Refer to Managing security context constraints for more information about how you can define and enforce these permissions. This ensures that the pods running Alloy comply with OCP security policies.
Note
The security context is only configured at the container level, not at the container and deployment level.
You can apply the following SCCs when you deploy Alloy.
Note
Not all of these SCCs are required for each use case. You can adapt the SCCs to meet your local requirements and needs.
RunAsUser
: Specifies the user ID under which Alloy runs. You must configure this constraint to allow a non-root user ID.SELinuxContext
: Configures the SELinux context for containers. If you run Alloy as root, you must configure this constraint to make sure that SELinux policies don’t block Alloy. This SCC is generally not required to deploy Alloy as a non-root user.FSGroup
: Specifies the fsGroup IDs for file system access. You must configure this constraint to give Alloy group access to the files it needs.Volumes
: Specifies the persistent volumes used for storage. You must configure this constraint to give Alloy access to the volumes it needs.
Example DaemonSet configuration
The following example shows a DaemonSet configuration that deploys Alloy as a non-root user:
apiVersion: aapps/v1
kind: DaemonSet
metadata:
name: alloy-logs
namespace: monitoring
spec:
selector:
matchLabels:
app: alloy-logs
template:
metadata:
labels:
app: alloy-logs
spec:
containers:
- name: alloy-logs
image: grafana/alloy:<ALLOY_VERSION>
ports:
- containerPort: 12345
# The security context configuration
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 473
runAsGroup: 473
fsGroup: 1000
volumes:
- name: log-volume
emptyDir: {}
Replace the following:
<ALLOY_VERSION>
: Set to the specific Alloy version you are deploying. For example,1.5.1
.
Note
This example uses the simplest volume type,emptyDir
. In this example configuration, if your node restarts, your data will be lost. Make sure you set the volume type to a persistent storage location for production environments. Refer to Using volumes to persist container data in the OpenShift documentation for more information.
Example SSC definition
The following example shows an SSC definition that deploys Alloy as a non-root user:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: scc-alloy
runAsUser:
type: MustRunAs
uid: 473
fsGroup:
type: MustRunAs
uid: 1000
volumes:
- '*'
users:
- my-admin-user
groups:
- my-admin-group
seLinuxContext:
type: MustRunAs
user: <SYSTEM_USER>
role: <SYSTEM_ROLE>
type: <CONTAINER_TYPE>
level: <LEVEL>
Replace the following:
<SYSTEM_USER>
: The user for your SELinux context.<SYSTEM_ROLE>
: The role for your SELinux context.<CONTAINER_TYPE>
: The container type for your SELinux context.<LEVEL>
: The level for your SELinux context.
Refer to SELinux Contexts in the RedHat documentation for more information on the SELinux context configuration.
Note
This example sets
volumes:
to*
. In a production environment, you should setvolumes:
to only the volumes that are necessary for the deployment. For example:volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
Refer to Deploy Grafana Alloy for more information about deploying Alloy in your environment.