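---
# Single-binary Loki deployment in the `monitoring` namespace:
# PSP + ServiceAccount + Role/RoleBinding (PSP "use"), ConfigMap with the
# Loki config, two Services and a one-replica StatefulSet on a PVC.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since
# Kubernetes 1.21 and removed in 1.25. On 1.25+ this object is silently
# not applied, so the hardening must live in the pod spec itself (it does,
# see the StatefulSet securityContext) and the namespace should be labelled
# for Pod Security Admission instead, e.g.
# `pod-security.kubernetes.io/enforce: restricted` (which additionally
# requires `seccompProfile: {type: RuntimeDefault}` on the pod/containers).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: loki
  labels:
    app.kubernetes.io/name: loki
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Only non-host volume types; hostPath is deliberately absent.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'persistentVolumeClaim'
    - 'secret'
    - 'projected'
    - 'downwardAPI'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
---
# Identity for the Loki pod. Its only purpose here is to be granted
# "use" on the PSP above; Loki itself never needs a Kubernetes API token
# with this configuration (in-memory ring, filesystem storage), so the
# StatefulSet disables token automount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
---
# Loki runtime configuration, mounted at /etc/loki/loki.yaml.
#
# SECURITY (review): `auth_enabled: false` turns off Loki's tenant-header
# check and there is no other authentication in front of the server, so
# anything that can reach TCP/3100 inside the cluster can push and query
# logs. Restrict reachability with a NetworkPolicy that admits only the
# log shippers and Grafana (client pod labels are not known from this
# file, so none is added here), or front Loki with an authenticating
# proxy.
#
# NOTE(review): retention here is driven by the table manager
# (retention_period: 720h). With boltdb-shipper on the filesystem store,
# confirm that chunks under /data/loki/chunks are actually purged and not
# only the index tables, otherwise the 10Gi PVC will eventually fill up.
apiVersion: v1
kind: ConfigMap
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
data:
  loki.yaml: |
    auth_enabled: false
    chunk_store_config:
      max_look_back_period: 0s
    compactor:
      shared_store: filesystem
      working_directory: /data/loki/boltdb-shipper-compactor
    ingester:
      chunk_block_size: 262144
      chunk_idle_period: 3m
      chunk_retain_period: 1m
      lifecycler:
        ring:
          kvstore:
            store: inmemory
          replication_factor: 1
      max_transfer_retries: 0
    limits_config:
      enforce_metric_name: false
      reject_old_samples: true
      reject_old_samples_max_age: 168h
    schema_config:
      configs:
        - from: "2020-10-24"
          index:
            period: 24h
            prefix: index_
          object_store: filesystem
          schema: v11
          store: boltdb-shipper
    server:
      http_listen_port: 3100
    storage_config:
      boltdb_shipper:
        active_index_directory: /data/loki/boltdb-shipper-active
        cache_location: /data/loki/boltdb-shipper-cache
        cache_ttl: 24h
        shared_store: filesystem
      filesystem:
        directory: /data/loki/chunks
    table_manager:
      retention_deletes_enabled: true
      retention_period: 720h
---
# Least-privilege Role: the only permission is "use" on the single PSP
# named `loki`. The PSP lives in the `policy` API group (the object above
# is policy/v1beta1); `extensions` is kept only for backwards
# compatibility with older admission controllers.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
rules:
  - apiGroups: ['policy', 'extensions']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: [loki]
---
# Binds the Role above to the loki ServiceAccount. The subject namespace
# is stated explicitly so the binding does not depend on the
# "same namespace as the binding" default.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: loki
subjects:
  - kind: ServiceAccount
    name: loki
    namespace: monitoring
---
# Headless Service required by the StatefulSet for stable pod DNS names.
# Note: despite the port name, 3100 is Loki's full HTTP API (push, query,
# metrics), not a metrics-only endpoint.
apiVersion: v1
kind: Service
metadata:
  name: loki-headless
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
    variant: headless
spec:
  clusterIP: None
  ports:
    - port: 3100
      protocol: TCP
      name: http-metrics
      targetPort: http-metrics
  selector:
    app.kubernetes.io/name: loki
---
# Cluster-internal Service used by clients (log shippers, Grafana).
# Unauthenticated — see the ConfigMap note on `auth_enabled: false`.
apiVersion: v1
kind: Service
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
spec:
  type: ClusterIP
  ports:
    - port: 3100
      protocol: TCP
      name: http-metrics
      targetPort: http-metrics
  selector:
    app.kubernetes.io/name: loki
---
# Single-replica Loki StatefulSet. The hardening the PSP would impose is
# also stated explicitly on the pod and container so it survives PSP
# removal and satisfies the Pod Security "restricted" checks for
# privilege escalation and capabilities.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: loki
  namespace: monitoring
  labels:
    app.kubernetes.io/name: loki
spec:
  podManagementPolicy: OrderedReady
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: loki
  serviceName: loki-headless
  template:
    metadata:
      labels:
        app.kubernetes.io/name: loki
      annotations:
        prometheus.io/port: http-metrics
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: loki
      # Loki does not talk to the Kubernetes API with this configuration;
      # do not hand the container a credential it has no use for.
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 10001
        runAsGroup: 10001
        runAsNonRoot: true
        runAsUser: 10001
      containers:
        - name: loki
          # SUPPLY CHAIN (review): pin the image by digest
          # (`grafana/loki:2.2.1@sha256:...`) so a re-tag upstream cannot
          # change what runs here; 2.2.1 is also an old release, check for a
          # newer one before deploying.
          image: "grafana/loki:2.2.1"
          imagePullPolicy: IfNotPresent
          args:
            - "-config.file=/etc/loki/loki.yaml"
          volumeMounts:
            - name: config
              mountPath: /etc/loki
            - name: storage
              mountPath: "/data"
          ports:
            - name: http-metrics
              containerPort: 3100
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /ready
              port: http-metrics
            initialDelaySeconds: 45
          readinessProbe:
            httpGet:
              path: /ready
              port: http-metrics
            initialDelaySeconds: 45
          # Explicit container hardening. readOnlyRootFilesystem was already
          # set; allowPrivilegeEscalation/capabilities mirror what the PSP
          # enforces so behaviour is identical with or without PSP admission.
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no resources.requests/limits are set; an
          # unbounded ingester can starve co-located workloads. Size them
          # from observed usage rather than guessing here.
      # 80 minutes — presumably to let the ingester flush in-memory chunks
      # to /data on shutdown. Pods in Terminating may linger this long.
      terminationGracePeriodSeconds: 4800
      volumes:
        - name: config
          configMap:
            name: loki
  volumeClaimTemplates:
    - metadata:
        name: storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "10Gi"
        storageClassName: scw-bssd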