@1it 1it commented Sep 23, 2025

Summary

  • Introduces Logging.spec.fluentBitAgentNamespace (immutable) to place Fluent Bit resources in a separate namespace from the control plane. Fixes 2104
  • Defaults to spec.controlNamespace for backwards compatibility.

Motivation

  • Separate privileged node agents from restricted control plane to comply with PSA and organizational segregation.
  • Clearer ownership and RBAC boundaries for platform vs. infra teams.

What’s changed

  • API: LoggingSpec gains fluentBitAgentNamespace; defaulting is applied in SetDefaults()
  • FluentBit reconcilers:
    • ObjectMeta.Namespace now uses logging.Spec.fluentBitAgentNamespace
    • RBAC subjects reference ServiceAccount in fluentBitAgentNamespace
  • CRDs and Helm chart CRDs/docs regenerated
  • E2E: new suite fluentbit-agent-namespace
    • Installs operator in control ns
    • Creates dedicated node agent ns
    • Asserts fluentd in control ns, fluentbit in agents ns
    • Verifies logs reach test receiver

Backwards compatibility

  • If spec.fluentBitAgentNamespace is omitted, Fluent Bit continues to deploy into spec.controlNamespace (current behavior).

Testing

  • Local:
    • make generate
    • make check
    • make docker-build-e2e-test
    • make test-e2e E2E_TEST=fluentbit-agent-namespace
  • Coverage artifacts are collected from the operator during e2e.

Docs

  • CRD reference updated (logging_types.md)
  • Helm README refreshed via helm-docs

Risks / Notes

  • The field is immutable; changing it requires resource recreation.
  • Large CRD diffs due to regeneration are expected.

Release note

  • Add Logging.spec.fluentBitAgentNamespace to deploy Fluent Bit into a dedicated namespace (defaults to controlNamespace). Aggregators remain in controlNamespace.

Checklist

  • DCO signed
  • Unit tests pass
  • E2E added for node agents namespace
  • CRDs and Helm docs regenerated
  • Docs updated
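
The defaulting, immutability and RBAC-subject rules this PR describes, as an added Go example; this is not code from the PR or from the logging-operator code base. The loggingSpec and rbacSubject types and every function name here are assumed stand-ins for illustration: the operator's real LoggingSpec, SetDefaults() and reconcilers are not reproduced, and the sample namespaces are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// loggingSpec is an assumed stand-in for the Logging CR spec fields this PR touches,
// not the operator's real LoggingSpec.
type loggingSpec struct {
	ControlNamespace        string // aggregators and control-plane resources live here
	FluentBitAgentNamespace string // optional; Fluent Bit DaemonSet, SA and RBAC land here
}

// rbacSubject carries the rbac.authorization.k8s.io/v1 Subject fields that matter here.
type rbacSubject struct {
	Kind, Name, Namespace string
}

// Namespace names must be DNS-1123 labels: lowercase alphanumerics or '-',
// 1 to 63 characters, starting and ending with an alphanumeric.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

func isDNS1123Label(s string) bool {
	return len(s) <= 63 && dns1123Label.MatchString(s)
}

// setDefaults applies the backwards-compatibility rule: an empty
// fluentBitAgentNamespace falls back to controlNamespace, so a Logging that
// predates the field keeps deploying Fluent Bit where it always did.
func setDefaults(spec loggingSpec) (loggingSpec, error) {
	if spec.ControlNamespace == "" {
		return spec, errors.New("spec.controlNamespace must be set")
	}
	if spec.FluentBitAgentNamespace == "" {
		spec.FluentBitAgentNamespace = spec.ControlNamespace
	}
	for _, ns := range []string{spec.ControlNamespace, spec.FluentBitAgentNamespace} {
		if !isDNS1123Label(ns) {
			return spec, fmt.Errorf("namespace %q is not a valid DNS-1123 label", ns)
		}
	}
	return spec, nil
}

// validateUpdate models the immutability rule: an update that moves the effective
// agent namespace is rejected and the Logging must be recreated. Comparing
// defaulted values still allows adding the field later with the same value.
func validateUpdate(oldSpec, newSpec loggingSpec) error {
	oldD, err := setDefaults(oldSpec)
	if err != nil {
		return err
	}
	newD, err := setDefaults(newSpec)
	if err != nil {
		return err
	}
	if oldD.FluentBitAgentNamespace != newD.FluentBitAgentNamespace {
		return fmt.Errorf("spec.fluentBitAgentNamespace is immutable: %q -> %q",
			oldD.FluentBitAgentNamespace, newD.FluentBitAgentNamespace)
	}
	return nil
}

// fluentBitSubject builds the ClusterRoleBinding subject for the Fluent Bit
// ServiceAccount. A subject still pointing at controlNamespace names an account
// the DaemonSet does not run as, so the binding grants it nothing.
func fluentBitSubject(spec loggingSpec, saName string) (rbacSubject, error) {
	d, err := setDefaults(spec)
	if err != nil {
		return rbacSubject{}, err
	}
	return rbacSubject{Kind: "ServiceAccount", Name: saName, Namespace: d.FluentBitAgentNamespace}, nil
}

// componentNamespaces reports where each workload is reconciled, matching the
// e2e assertions: aggregator in controlNamespace, Fluent Bit in the agent namespace.
func componentNamespaces(spec loggingSpec) (map[string]string, error) {
	d, err := setDefaults(spec)
	if err != nil {
		return nil, err
	}
	return map[string]string{"fluentd": d.ControlNamespace, "fluent-bit": d.FluentBitAgentNamespace}, nil
}

// psaConflict flags the split the PR is motivated by: Fluent Bit is a privileged
// node agent, so its namespace cannot enforce the "restricted" Pod Security Standard.
// enforce maps namespace -> value of the pod-security.kubernetes.io/enforce label.
func psaConflict(spec loggingSpec, enforce map[string]string) error {
	d, err := setDefaults(spec)
	if err != nil {
		return err
	}
	if enforce[d.FluentBitAgentNamespace] == "restricted" {
		return fmt.Errorf("namespace %q enforces restricted PSA; Fluent Bit cannot run there", d.FluentBitAgentNamespace)
	}
	return nil
}

func main() {
	// Constructed sample: control plane in "logging", node agents in "logging-agents".
	spec := loggingSpec{ControlNamespace: "logging", FluentBitAgentNamespace: "logging-agents"}
	ns, _ := componentNamespaces(spec)
	subj, _ := fluentBitSubject(spec, "logging-fluentbit")
	fmt.Println(ns, subj)
	fmt.Println(validateUpdate(spec, loggingSpec{ControlNamespace: "logging", FluentBitAgentNamespace: "other"}))
	fmt.Println(psaConflict(spec, map[string]string{"logging": "restricted", "logging-agents": "privileged"}))
}
```

The psaConflict check is the operational caveat behind the "Risks / Notes" section: because the field defaults to controlNamespace, a cluster that labels the control namespace restricted without setting fluentBitAgentNamespace will have Fluent Bit rejected at admission, and because the field is immutable the fix is recreating the Logging, not patching it.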

@1it 1it force-pushed the feature/nodeagents-namespace branch from 9930882 to 97b9515 on September 23, 2025 13:25
…entNamespace

- Add Logging.spec.nodeAgentNamespace (immutable), defaulting to spec.controlNamespace
- Reconcile all Fluent Bit resources (DS, SA, RBAC, Services, monitors) into nodeAgentNamespace
- Keep aggregators and control-plane resources in controlNamespace
- Update Fluent Bit reconcilers to use nodeAgentNamespace for ObjectMeta and RBAC subjects
- Regenerate CRDs and Helm chart CRDs/docs
- Add e2e: verify fluentd in control ns, fluent-bit in node agents ns, logs delivered end-to-end

Backwards compatibility:
- If nodeAgentNamespace is empty, it falls back to controlNamespace (no change for existing clusters)

Testing:
- make generate && make check
- make test-e2e E2E_TEST=fluentbit-nodeagents-namespace

Signed-off-by: Ivan Tuzhilkin <ivan.tuzhilkin@workday.com>
@1it 1it force-pushed the feature/nodeagents-namespace branch from 97b9515 to a137766 on September 23, 2025 13:28

@csatib02 csatib02 (Member) left a comment

Hey @1it,

Thanks for this contribution!

We've just deprecated the nodeAgent custom-resource, so the naming should be changed to fluentBitAgentNamespace.

@csatib02 csatib02 added the enhancement New feature or request label Sep 24, 2025
@1it 1it (Author) commented Sep 24, 2025

> Hey @1it,
>
> Thanks for this contribution!
>
> We've just deprecated the nodeAgent custom-resource, so the naming should be changed to fluentBitAgentNamespace.

Hey @csatib02,
Thanks for the quick reply and feedback. I agree with your points. I'll sweep the codebase once again and prepare the changes shortly.

…and wire everywhere

- API: replace Logging.spec.nodeAgentNamespace with spec.fluentBitAgentNamespace (omitempty, defaults to controlNamespace)
- fluentbit: reconcile all FB resources using spec.fluentBitAgentNamespace (meta, RBAC subjects, config secret)
- fluentbit: fix ServiceMonitor NamespaceSelector to use fluentBitAgentNamespace (both metrics and buffer metrics)
- helm(logging): render spec.fluentBitAgentNamespace from values.logging.fluentBitAgentNamespace
- helm(values): add logging.fluentBitAgentNamespace, update description (FluentBit)
- e2e: add fluentbit-agent-namespace suite; assert FB runs in agent ns, aggregator in control ns; DNS-1123-safe ns name
- tests/lint: all updated; JSON tags fixed

Signed-off-by: Ivan Tuzhilkin <ivan.tuzhilkin@workday.com>
@1it 1it changed the title Add spec.nodeAgentNamespace to run Fluent Bit in a dedicated namespace Add spec.fluentBitAgentNamespace to run Fluent Bit in a dedicated namespace Sep 24, 2025
@csatib02 csatib02 requested review from pepov and OverOrion September 24, 2025 12:08
@csatib02 csatib02 (Member) left a comment

LGTM!

Successfully merging this pull request may close these issues.

Add Nodeagents namespace for security compliance