Title
p
Pierre Filliolaud
02/06/2023, 10:53 AMHi, I am facing to an issue to deploy Signoz with Helm on my GKE autopilot mode.
Error: INSTALLATION FAILED: admission webhook "<http://gkepolicy.common-webhooks.networking.gke.io|gkepolicy.common-webhooks.networking.gke.io>" denied the request: GKE Warden rejected the request because it violates one or more policies: {"[denied by autogke-no-host-port]":["container my-release-k8s-infra-otel-agent specifies a host port; disallowed in Autopilot. Requested by user: 'xxx@xxxx.xx', groups: 'system:authenticated'."],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume varlibdockercontainers used in container my-release-k8s-infra-otel-agent uses path /var/lib/docker/containers which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].s
Srikanth Chekuri
02/06/2023, 11:33 AM@Prashant Shahi can help with this. I don’t think we have tested the autopilot mode.
p
Prashant Shahi
02/06/2023, 12:56 PMHi @Pierre Filliolaud, I don't think log collection would be possible in OtelCollector at the moment for GKE autopilot.
You will need to disable the log collection. You can do that by including the below in `override-values.yaml`:
k8s-infra:
presets:
logsCollection:
enabled: falseYou might also have to switch to readonly kubelet endpoint:
k8s-infra:
presets:
kubeletMetrics:
authType: none
endpoint: ${K8S_NODE_NAME}:10255p
Pierre Filliolaud
02/06/2023, 3:09 PMThank you @Prashant Shahi I am going to test
I set the override-values.yaml with
global:
storageClass: gce-resizable
clickhouse:
cloud: gcp
installCustomStorageClass: true
k8s-infra:
presets:
logsCollection:
enabled: false
kubeletMetrics:
authType: none
endpoint: ${K8S_NODE_NAME}:10255and I am still getting the error
Error: INSTALLATION FAILED: admission webhook "<http://gkepolicy.common-webhooks.networking.gke.io|gkepolicy.common-webhooks.networking.gke.io>" denied the request: GKE Warden rejected the request because it violates one or more policies: {"[denied by autogke-no-host-port]":["container signoz-app-k8s-infra-otel-agent specifies a host port; disallowed in Autopilot. Requested by user: 'xxx@xxx.xx', groups: 'system:authenticated'."],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume varlibdockercontainers used in container signoz-app-k8s-infra-otel-agent uses path /var/lib/docker/containers which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]. Requested by user: 'xxx@xxx.xx', groups: 'system:authenticated'."]}p
Prashant Shahi
02/07/2023, 5:58 AM@Pierre Filliolaud I see that Autopilot has some security limitations which is causing this. Unfortunately, it will require some changes and experiments from our side to confirm that it works GKE Autopilot.
Can you create an issue in SigNoz charts repo for this?
I will discuss with our team and see if this can be prioritised.
Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/daemonset#autopilot-ds-best-practices
cc @Ankit Nayan
tracking issue: https://github.com/SigNoz/charts/issues/162
p
Pierre Filliolaud
02/07/2023, 7:34 AMtks you