grafana · clayton-cornell · Oct 9, 2024 · Nov 1, 2024 · Nov 20, 2024 · Nov 20, 2024
@@ -5,7 +5,7 @@ aliases:
 description: Learn how to install Grafana Alloy with Ansible
 menuTitle: Ansible
 title: Install Grafana Alloy with Ansible
-weight: 550
+weight: 510
 ---
 
 # Install or uninstall {{% param "FULL_PRODUCT_NAME" %}} using Ansible

@@ -5,7 +5,7 @@ aliases:
 description: Learn how to install Grafana Alloy with Chef
 menuTitle: Chef
 title: Install Grafana Alloy with Chef
-weight: 550
+weight: 520
 ---
 
 # Install {{% param "FULL_PRODUCT_NAME" %}} with Chef

@@ -0,0 +1,124 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/set-up/install/openshift/
+description: Learn how to deploy Grafana Alloy on OpenShift
+menuTitle: OpenShift
+title: Deploy Grafana Alloy on OpenShift
+weight: 530
+---
+
+# Deploy {{% param "FULL_PRODUCT_NAME" %}} on OpenShift
+
+You can deploy {{< param "PRODUCT_NAME" >}} on the Red Hat OpenShift Container Platform (OCP).
+
+## Before you begin
+
+* These steps assume you have a working OCP environment.
+* You can adapt the suggested policies and configuration to meet your specific needs and [security][] policies.
+
+## Configure RBAC
+
+You must configure Role-Based Access Control (RBAC) to allow secure access to Kubernetes and OCP resources.
+
+1. Download the [rbac.yaml][] configuration file. This configuration file defines the OCP verbs and permissions for {{< param "PRODUCT_NAME" >}}.
+1. Review the `rbac.yaml` file and adapt as needed for your local environment. Refer to [Managing Role-based Access Control (RBAC)][rbac] topic in the OCP documentation for more information about updating and managing your RBAC configurations.
+
+## Run {{% param "PRODUCT_NAME" %}} as a non-root user
+
+You must configure {{< param "PRODUCT_NAME" >}} to [run as a non-root user][nonroot].
+This ensures that {{< param "PRODUCT_NAME" >}} complies with your OCP security policies.
+
+## Apply security context constraints
+
+OCP uses Security Context Constraints (SCC) to control Pod permissions.
+Refer to [Managing security context constraints][scc] for more information about how you can define and enforce these permissions.
+This ensures that the pods running {{< param "PRODUCT_NAME" >}} comply with OCP security policies.
+
+{{< admonition type="note" >}}
+The security context is only configured at the container level, not at the container and deployment level.
+{{< /admonition >}}
+
+You can apply the following SCCs when you deploy {{< param "PRODUCT_NAME" >}}.
+
+{{< admonition type="note" >}}
+Not all of these SCCs are required for each use case.
+You can adapt the SCCs to meet your local requirements and needs.
+{{< /admonition >}}
+
+* `RunAsUser`: Specifies the user ID under which {{< param "PRODUCT_NAME" >}} runs.
+  You must configure this constraint to allow a non-root user ID.
+* `SELinuxContext`: Configures the SELinux context for containers.
+  If you run {{< param "PRODUCT_NAME" >}} as root, you must configure this constraint to make sure that SELinux policies don't block {{< param "PRODUCT_NAME" >}}.
+  This SCC is generally not required to deploy {{< param "PRODUCT_NAME" >}} as a non-root user.
+* `FSGroup`: Specifies the fsGroup IDs for file system access.
+  You must configure this constraint to give {{< param "PRODUCT_NAME" >}} group access to the files it needs.
+* `Volumes`: Specifies the persistent volumes used for storage.
+  You must configure this constraint to give {{< param "PRODUCT_NAME" >}} access to the volumes it needs.
+
+The following example shows a DaemonSet configuration that deploys {{< param "PRODUCT_NAME" >}} as a non-root user:
+
+```yaml
+apiVersion: aapps/v1
+kind: DaemonSet
+metadata:
+  name: alloy-logs
+  namespace: monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: alloy-logs
+   template:
+     metadata:
+       lables:
+         app: alloy-logs
+      spec:
+        containers:
+        - name: alloy-logs
+          image: grafana/alloy:latest
+          ports:
+          - containerPort: 12345
+          # The security context configuration
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 473
+            runAsGroup: 473
+            fsGroup: 1000
+         volumes:
+         - name: log-volume
+           emptyDir: {}
+```
+
+The following example shows an SSC definition that deploys {{< param "PRODUCT_NAME" >}} as a non-root user:
+
+```yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: scc-alloy
+runAsUser:
+  type: MustRunAs
+  uid: 473
+fsGroup:
+  type: MustRunAs
+  uid: 1000
+volumes: 
+- '*'
+users:
+- my-admin-user
+groups:
+- my-admin-group
+```
+
+Refer to [Deploy {{< param "FULL_PRODUCT_NAME" >}}][deploy] for more information about deploying {{< param "PRODUCT_NAME" >}} in your environment.
+
+## Next steps
+
+* [Configure {{< param "PRODUCT_NAME" >}}][Configure]
+
+[rbac.yaml]: https://github.com/grafana/alloy/blob/main/operations/helm/charts/alloy/templates/rbac.yaml
+[rbac]: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_rbac.html
+[security]: https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/troubleshooting/#openshift-support
+[nonroot]: ../../../configure/nonroot/
+[scc]: https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html
+[Configure]: ../../../configure/linux/
+[deploy]: ../../deploy/
@@ -5,7 +5,7 @@ aliases:
 description: Learn how to install Grafana Alloy with Puppet
 menuTitle: Puppet
 title: Install Grafana Alloy with Puppet
-weight: 560
+weight: 540
 ---
 
 # Install {{% param "FULL_PRODUCT_NAME" %}} with Puppet