Deploy Grafana Alloy on OpenShift
You can deploy Alloy on the Red Hat OpenShift Container Platform (OCP).
Before you begin
- These steps assume you have a working OCP environment.
- You can adapt the suggested policies and configuration to meet your specific needs and security policies.
Configure RBAC
You must configure Role-Based Access Control (RBAC) to allow secure access to Kubernetes and OCP resources.
- Download the rbac.yaml configuration file. This configuration file defines the OCP verbs and permissions for Alloy.
- Review the rbac.yaml file and adapt it as needed for your local environment. Refer to the Managing Role-based Access Control (RBAC) topic in the OCP documentation for more information about updating and managing your RBAC configurations.
Run Alloy as a non-root user
You must configure Alloy to run as a non-root user. This ensures that Alloy complies with your OCP security policies.
Apply security context constraints
OCP uses Security Context Constraints (SCC) to control Pod permissions. Refer to Managing security context constraints for more information about how you can define and enforce these permissions. This ensures that the pods running Alloy comply with OCP security policies.
Note
In this example the security context is configured at the container level rather than on the workload as a whole. The exception is fsGroup, which Kubernetes only accepts in the Pod-level securityContext.
You can apply the following SCCs when you deploy Alloy.
Note
Not all of these SCCs are required for each use case. You can adapt the SCCs to meet your local requirements and needs.
RunAsUser
: Specifies the user ID under which Alloy runs. You must configure this constraint to allow a non-root user ID.
SELinuxContext
: Configures the SELinux context for containers. If you run Alloy as root, you must configure this constraint to make sure that SELinux policies don't block Alloy. This SCC is generally not required to deploy Alloy as a non-root user.
FSGroup
: Specifies the fsGroup IDs for file system access. You must configure this constraint to give Alloy group access to the files it needs.
Volumes
: Specifies the volume types (for example emptyDir or persistentVolumeClaim) that Alloy pods are allowed to use. You must configure this constraint to give Alloy access to the volumes it needs.
Example DaemonSet configuration
The following example shows a DaemonSet configuration that deploys Alloy as a non-root user:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: alloy-logs
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: alloy-logs
  template:
    metadata:
      labels:
        app: alloy-logs
    spec:
      # fsGroup is a Pod-level field: it sets the group that owns mounted volumes
      securityContext:
        fsGroup: 1000
      containers:
        - name: alloy-logs
          image: grafana/alloy:<ALLOY_VERSION>
          ports:
            - containerPort: 12345
          # The container security context configuration
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            runAsUser: 473
            runAsGroup: 473
      volumes:
        - name: log-volume
          emptyDir: {}
Replace the following:
<ALLOY_VERSION>
: Set to the specific Alloy version you are deploying. For example, 1.5.1.
Note
This example uses the simplest volume type, emptyDir. With this configuration, if your node restarts, your data is lost. Make sure you set the volume type to a persistent storage location for production environments. Refer to Using volumes to persist container data in the OpenShift documentation for more information.
Example SCC definition
The following example shows an SCC definition that deploys Alloy as a non-root user:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: scc-alloy
runAsUser:
  type: MustRunAs
  uid: 473
fsGroup:
  type: MustRunAs
  # SCC fsGroup strategies take ID ranges rather than a single uid
  ranges:
    - min: 1000
      max: 1000
volumes:
  - '*'
users:
  - my-admin-user
groups:
  - my-admin-group
seLinuxContext:
  type: MustRunAs
  # The SELinux label fields are nested under seLinuxOptions
  seLinuxOptions:
    user: <SYSTEM_USER>
    role: <SYSTEM_ROLE>
    type: <CONTAINER_TYPE>
    level: <LEVEL>
Replace the following:
<SYSTEM_USER>
: The user for your SELinux context.
<SYSTEM_ROLE>
: The role for your SELinux context.
<CONTAINER_TYPE>
: The container type for your SELinux context.
<LEVEL>
: The level for your SELinux context.
Refer to SELinux Contexts in the Red Hat documentation for more information on the SELinux context configuration.
Note
This example sets volumes: to *. In a production environment, you should set volumes: to only the volume types that are necessary for the deployment. For example:
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - secret
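A practitioner usually wants to know, before running oc apply, whether the DaemonSet's security settings will be admitted under the SCC and whether the non-root requirements are actually met. The following added example (not part of the Grafana Alloy documentation, and not OCP's admission code) is an offline pre-deployment check written for this page. It mirrors the DaemonSet and scc-alloy examples above as constructed Python dicts, with the narrowed production volume list from the last note, and applies a simplified model of the SCC rules: runAsUser must be non-root and match the MustRunAs uid, fsGroup must be a Pod-level field inside the SCC ranges, every volume source type must be on the allowed list, and the container must keep a read-only root filesystem without privilege escalation. The rule set and the dict layout are assumptions of this example.

```python
"""Offline pre-deployment check of an Alloy Pod spec against its SCC.

This is an added example and not part of the Grafana Alloy documentation or
the OCP admission code. The Pod spec and SCC below are constructed as Python
dicts mirroring the DaemonSet and scc-alloy examples on this page (with the
production volume list from the last note) so the check runs without PyYAML
or a cluster. The rules are a simplified model of SCC admission and are an
assumption of this example, not a reimplementation of OCP's plugin.
"""

# Constructed: the pod template from the DaemonSet example above.
POD_SPEC = {
    "securityContext": {"fsGroup": 1000},  # Pod-level field
    "containers": [{
        "name": "alloy-logs",
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "runAsUser": 473,
            "runAsGroup": 473,
        },
    }],
    "volumes": [{"name": "log-volume", "emptyDir": {}}],
}

# Constructed: scc-alloy with the narrowed production volume list.
SCC = {
    "runAsUser": {"type": "MustRunAs", "uid": 473},
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1000, "max": 1000}]},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "secret"],
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}


def volume_types(pod_spec):
    """Set of volume source types the Pod uses, e.g. {'emptyDir'}."""
    return {key for vol in pod_spec.get("volumes", []) for key in vol if key != "name"}


def check_pod_against_scc(pod_spec, scc):
    """Return a list of findings; an empty list means the spec satisfies the SCC."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})

    # fsGroup lives on the Pod and must fall inside one of the SCC's ranges.
    fs_strategy = scc.get("fsGroup", {})
    if fs_strategy.get("type") == "MustRunAs":
        fsg = pod_sc.get("fsGroup")
        ranges = fs_strategy.get("ranges", [])
        if fsg is None:
            findings.append("fsGroup not set; SCC fsGroup strategy is MustRunAs")
        elif not any(r["min"] <= fsg <= r["max"] for r in ranges):
            findings.append(f"fsGroup {fsg} outside SCC ranges {ranges}")

    # Every volume source type must be allowed by the SCC ('*' allows all).
    allowed = set(scc.get("volumes", []))
    if "*" not in allowed:
        for vtype in sorted(volume_types(pod_spec) - allowed):
            findings.append(f"volume type {vtype!r} not allowed by SCC")

    run_as = scc.get("runAsUser", {})
    for container in pod_spec.get("containers", []):
        sc = container.get("securityContext", {})
        name = container.get("name", "<unnamed>")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(f"{name}: runs as root (uid 0)")
        elif run_as.get("type") == "MustRunAs" and uid not in (None, run_as.get("uid")):
            # A missing uid is filled in by admission; a different one is rejected.
            findings.append(f"{name}: runAsUser {uid} != SCC uid {run_as.get('uid')}")
        if "fsGroup" in sc:
            findings.append(f"{name}: fsGroup is a Pod-level field, not a container one")
        if scc.get("allowPrivilegeEscalation") is False and sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if scc.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
    return findings


if __name__ == "__main__":
    for line in check_pod_against_scc(POD_SPEC, SCC) or ["OK: Pod spec satisfies the SCC"]:
        print(line)
```

Running the script with the constructed inputs prints OK. Loading real manifests with a YAML library and passing them to check_pod_against_scc gives an early warning about a root uid, a misplaced fsGroup, or a volume type such as hostPath that the narrowed SCC no longer permits, before the cluster's admission controller rejects the DaemonSet.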
Refer to Deploy Grafana Alloy for more information about deploying Alloy in your environment.