fix(helm): allow loki to use hostPath volumes #17680

Status: Open, 2 commits to merge into base: main


@rurod commented May 13, 2025

What this PR does / why we need it:
This PR updates the SecurityContextConstraints helm template. It allows Loki to use HostPath volumes in an OpenShift Environment.

Which issue(s) this PR fixes:
Fixes #17679

Special notes for your reviewer:
Feel free to suggest any change!

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR
@rurod requested a review from a team as a code owner May 13, 2025 09:34

@jkroepke (Contributor)

@rurod What did you think about leaving the default as false and making the values configurable through the values.yaml?

@rurod (Author) commented Jun 30, 2025

Hi, thanks for having a look.

The issue here is the fact that `hostPath` is listed in the `volumes` while the `allowHostDirVolumePlugin` parameter defaults to `false`.

Thus OpenShift loops on the SCC and removes hostPath from the volumes list.

Then ArgoCD patches the SCC again to add hostPath to the volumes list.

Finally, the two controllers end up being in concurrence and they loop on it forever.

I see two solutions:

  1. Having a boolean that sets the value of `allowHostDirVolumePlugin` to `true` and append `hostPath` value to the list.
  2. Having the `allowHostDirVolumePlugin` set to `true` and the `hostPath` value in the `volumes` list by default.

What do you think @jkroepke ?

@jkroepke (Contributor)

Thanks for clarifying that. I don't have much OpenShift knowledge. But I understand the config drift leads to unstable ArgoCD syncs.

I also do not understand the point of the SecurityContextConstraints. Normally, the service accounts of the deployment should be linked under users.

First, I had the feeling that `hostPath` should not be allowed by default, but I'm fine that administrators can enable hostPath if they wish.

I also found grafana/k8s-monitoring-helm#487 that introduces a toggle, like the mentioned option 2.
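
Added example, not part of the PR thread or the Loki chart: a pre-sync lint over rendered manifests that flags the mismatch discussed above (`hostPath` listed in `volumes` while `allowHostDirVolumePlugin` is false) and, unless explicitly permitted, any SCC that enables hostPath at all. The function names, state labels and sample manifests are hypothetical, and a missing `allowHostDirVolumePlugin` is assumed to mean false.

```python
# Constructed sample manifests (already parsed from YAML); all names are hypothetical.
SAMPLES = [
    {"kind": "SecurityContextConstraints", "metadata": {"name": "example-drift"},
     "allowHostDirVolumePlugin": False, "volumes": ["configMap", "hostPath", "secret"]},
    {"kind": "SecurityContextConstraints", "metadata": {"name": "example-allowed"},
     "allowHostDirVolumePlugin": True, "volumes": ["configMap", "hostPath", "secret"]},
    {"kind": "SecurityContextConstraints", "metadata": {"name": "example-denied"},
     "volumes": ["configMap", "secret"]},
    {"kind": "ServiceAccount", "metadata": {"name": "example-sa"}},
]


def hostpath_state(manifest):
    """Classify how an SCC treats hostPath; returns None for non-SCC objects."""
    if manifest.get("kind") != "SecurityContextConstraints":
        return None
    # Assumption: an absent flag is treated as false.
    flag = bool(manifest.get("allowHostDirVolumePlugin", False))
    listed = "hostPath" in (manifest.get("volumes") or [])
    if listed and not flag:
        return "drift"      # the combination reported in the thread as causing the sync loop
    if flag and not listed:
        return "flag-only"  # fields disagree in the other direction
    return "allowed" if flag else "denied"


def lint(manifests, permit_hostpath=False):
    """Return (name, state) for every SCC that should block a sync.

    Inconsistent SCCs are always reported. Consistently enabled hostPath is
    reported unless the administrator opted in with permit_hostpath=True.
    """
    findings = []
    for m in manifests:
        state = hostpath_state(m)
        if state is None or state == "denied":
            continue
        if state == "allowed" and permit_hostpath:
            continue
        name = m.get("metadata", {}).get("name", "<unnamed>")
        findings.append((name, state))
    return findings


if __name__ == "__main__":
    for name, state in lint(SAMPLES):
        print(f"{name}: {state}")
```
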
