Kubernetes manifest includes RBAC resources #118

Open
wendorf opened this issue Nov 21, 2018 · 4 comments

@wendorf

wendorf commented Nov 21, 2018

When deploying the scalyr-agent to a cluster with RBAC enabled, we need to give the agent a custom service account bound to a role with correct permissions. It's possible to read through the code to figure out all the Kubernetes API permissions required, but this makes updating to new versions nerve-wracking, or at least time consuming.

It would be great to see k8s/scalyr-agent-2.yaml include ServiceAccount, Role, and RoleBinding manifests, and to have the daemonset use the serviceaccount in the pods.

@czerwingithub
Contributor

Hello, thanks for this note. We are in the process of figuring out the best way to deploy the ServiceAccount, Role, and RoleBinding for an upcoming release (and of course making sure we always have the right permissions set for what the agent needs).

If you would like, you could use the tentative definition for the upcoming release (though it is defined in a separate YAML file right now). You can get it at https://raw.githubusercontent.com/scalyr/scalyr-agent-2/feature/k8sV2Support/k8s/scalyr-service-account.yaml

Since I have you, we are thinking of making helm the primary way we have folks deploy the agent on Kubernetes. Would you use that support if it was available? To some degree, it better handles config issues like this.

@wendorf
Author

wendorf commented Nov 21, 2018

Thanks for sharing that branch! That'll be very useful (and great to have confirmation whether or not we missed any API calls).

I'd definitely support a Helm chart. We actually made our own chart from the available manifest, so having an officially-supported chart would be very useful. If you'd like, feel free to add me as a reviewer on any PR to add a chart, whether in this repo or github.com/helm/charts.

@akhy

akhy commented Dec 3, 2018

Our Scalyr agents suddenly stopped sending logs due to this same issue recently. The latest image update (my bad, I'm using the latest tag with the Always image pull policy) seems to introduce new Kubernetes API calls that need RBAC resources to be properly set up to work correctly.

Creating and using a service account with built-in viewer cluster-role solved the issue. But I'm not sure if the permissions granted are excessive or not.


> Since I have you, we are thinking of making helm the primary way we have folks deploy the agent on Kubernetes. Would you use that support if it was available? To some degree, it better handles config issues like this.

We will definitely be using it 👍
I'd planned to make it myself if I hadn't found this GH issue.
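
Added example, not part of the thread and not Scalyr's code: one way to check whether a role bound to an agent's service account grants more than the agent uses, which is the open question in the comment above. The role rules and the `REQUIRED` set are constructed samples; `REQUIRED` is hypothetical and is not the agent's actual permission list.

```python
# Added example: diff the RBAC rules bound to a service account against the
# API access a workload needs. Both data sets below are constructed samples;
# REQUIRED is hypothetical and is NOT the Scalyr agent's real permission list.

BROAD_READ_ROLE = [  # constructed stand-in for a broad read-only ClusterRole
    {"apiGroups": [""],
     "resources": ["pods", "namespaces", "configmaps", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "daemonsets"],
     "verbs": ["get", "list", "watch"]},
]
REQUIRED = {  # (apiGroup, resource, verb); "" is the core API group
    ("", "pods", "get"), ("", "pods", "list"),
    ("", "namespaces", "get"), ("", "nodes", "get"),
}

def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples.
    resourceNames and nonResourceURLs are not modelled here."""
    return {(g, r, v)
            for rule in rules
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def covers(grant, need):
    """True if one granted triple satisfies one need, honouring '*'."""
    return all(g in ("*", n) for g, n in zip(grant, need))

def audit(rules, required):
    """Return (missing, excess): needs no rule satisfies, and grants that
    are not exactly a stated need (wildcard grants always count as excess)."""
    granted = expand(rules)
    missing = sorted(n for n in required
                     if not any(covers(g, n) for g in granted))
    excess = sorted(granted - set(required))
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit(BROAD_READ_ROLE, REQUIRED)
    print("missing:", missing)
    print("excess grants:", len(excess))
    for triple in excess:
        print("  ", triple)
```

Real rules can be fed in from the `rules` field of `kubectl get clusterrole <name> -o json`.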

@scottrigby

Hi everyone 👋 I needed a chart for a Codecademy infrastructure project, so I added one here: https://github.com/codecademy-engineering/helm-charts/tree/master/charts/scalyr (see Installing the chart).

There was some work done by @pierreozoux here helm/charts#1066 (from #42) but it was abandoned in 2017, and is at this point pretty far behind the current Scalyr k8s docs.

Although I'm a Helm org and charts maintainer, I didn't add this to the https://github.com/helm/charts mono-repo because in a separate initiative we're working on moving charts to distributed chart repos with a search entry point at https://hub.helm.sh (see Proposal: Search of Distributed Repositories for background). So I started one at Codecademy that includes this 😄

I read the docs, and have been working with Scalyr a bit, but am by no means a Scalyr expert. Would love collaboration on this chart with anyone interested.
