# oadm new-project rsyslog --node-selector="" $ oc project rsyslog
The rsyslog pods need to run privileged in order to access certain system resources.
-
/etc/machine-id - read
-
/etc/hostname - read
-
/etc/localtime - read
-
/var/log - read/write
-
/run/log - read/write
As system:admin do the following:
# oadm policy add-scc-to-user privileged system:serviceaccount:rsyslog:default
If you are using a different user than admin, you have to grant a daemonset clusterrole.
As Admin, create a dedicated cluster role:
cat <<EOF | oc create -f - apiVersion: v1 kind: ClusterRole metadata: name: system:daemonset-admin rules: - resources: - daemonsets apiGroups: - extensions verbs: - create - get - list - watch - delete - update EOF
Grant the daemonset cluster role to your user in the right namespace
# oadm policy add-role-to-user system:daemonset-admin [email protected] -n rsyslog
root@master:~$ oadm new-project rsyslog --node-selector="" Created project rsyslog root@master:~$ oc project rsyslog Already on project "rsyslog" on server "https://master.manage.bm.chmouel.com:8443". root@master:~$ oadm policy add-scc-to-user privileged system:serviceaccount:rsyslog:default root@master:~$ oc create -f ds-rsyslog.yaml daemonset "rsyslog" created root@master:~$ oc create -f cm-rsyslog.yaml configmap "rsyslog-config-cm" created root@master:~$ oc get po NAME READY STATUS RESTARTS AGE rsyslog-acuhj 1/1 Running 0 1m rsyslog-mvqkc 1/1 Running 0 1m rsyslog-o2fmf 1/1 Running 0 1m root@master:~$ oc rsh rsyslog-acuhj ls -la /etc/rsyslog.d total 4 drwxrwxrwx. 3 root root 78 Sep 14 08:13 . drwxr-xr-x. 49 root root 4096 Sep 14 08:13 .. drwxr-xr-x. 2 root root 27 Sep 14 08:13 ..9989_14_09_08_13_25.009400751 lrwxrwxrwx. 1 root root 31 Sep 14 08:13 ..data -> ..9989_14_09_08_13_25.009400751 lrwxrwxrwx. 1 root root 21 Sep 14 08:13 container.conf -> ..data/container.conf root@master:~$ oc rsh rsyslog-acuhj cat /etc/rsyslog.d/container.conf *.* @remote-log-host.example.org