This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 81%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
I am running a customized fluent-bit workload on a Kubernetes Windows worker node.
https://github.com/fluent/fluent-bit/blob/master/dockerfiles/Dockerfile.windows
I am mounting var/log/containers host filesystem to the fluent-bit pod
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: fluent-bit
name: fluent-bit-windows
namespace: signpath
spec:
selector:
matchLabels:
app: fluent-bit
template:
metadata:
labels:
app: fluent-bit
spec:
nodeSelector:
beta.kubernetes.io/os: windows
tolerations:
- key: "windows"
operator: "Equal"
value: "2019"
effect: "NoSchedule"
containers:
- image: kartheekakkur1/fluent-bit-1.8:latest
imagePullPolicy: IfNotPresent
name: fluent-bit
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
env:
- name: LOGGLY_TAG
valueFrom:
secretKeyRef:
name: fluent-loggly-secrets
key: tag
- name: LOGGLY_TOKEN
valueFrom:
secretKeyRef:
name: fluent-loggly-secrets
key: token
volumeMounts:
- mountPath: /var/log
name: varlog
readOnly: false
- mountPath: /fluent-bit/etc
name: fluent-bit-windows-config
volumes:
- name: varlog
hostPath:
path: /var/log
- configMap:
defaultMode: 420
name: fluent-bit-windows-config
name: fluent-bit-windows-config
serviceAccountName: fluent-bit-win
updateStrategy:
type: RollingUpdate
All the windows containers are created using the user “user manager\containeradministrator” but the logs written to the folder var/log/containers have BUILTIN/Administrator. Even when I grant the folder access still the fluent-bit cannot read the log files.
Checking back to see if anyone can help me with this question
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 73%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPJ%3C/text%3E%3C/svg%3E)
Hi,
I left a comment for you here: https://coolstercodes.com/windows-pod-host-file-mount-on-kubernetes/#comment-6
But essentially, if your pod still cannot read the files you wish on the host, even after granting permissions to BUILTIN\Users group, you could try using instead, a HostProcess windows pod.
HostProcess pods run as an elevated pod with elevated permissions, so you could specify in the pod yaml, permissions sufficient for this case.
I'm going to paste the comment below from the other thread here for visibility too
Thanks!
Hi Vasudev,
If your pod still cannot read the host files you’ve mentioned, even with this command to the “/var/log/containers” directory: “icacls C:\users\azureuser /grant BUILTIN\Users:(OI)(CI)(F) /t” then what I would suggest is to use instead, a HostProcess Pod to deploy your app
I can make a post to identify more specifically your situation soon, but in the meantime, here is a post about HostProcess pods and how to make one.
Even more specifically, in the “hostprocesspod.yaml” code segment, the part that relates to pod permissions on the host is
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: “NT AUTHORITY\Local service”
And then more documentation on the possible values of “runAsUserName” are here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/
“Examples of acceptable values for the runAsUserName field: ContainerAdministrator, ContainerUser, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE.”
Hope it helps!
Thank you very much for your reply.
I tried to configure the host process but ran into issues when i enable the host process in windows options for security context in the daemonset it resulted in a validation error
error: error validating "fluent-bit-windows/fluent-bit-windows-kubernetes.yaml": error validating data: ValidationError(DaemonSet.spec.template.spec.securityContext.windowsOptions): unknown field "hostProcess" in io.k8s.api.core.v1.WindowsSecurityContextOptions; if you choose to ignore these errors, turn validation off with --validate=false
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: fluent-bit
name: fluent-bit-windows
namespace: signpath
spec:
selector:
matchLabels:
app: fluent-bit
template:
metadata:
labels:
app: fluent-bit
spec:
hostNetwork: true
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: "NT AUTHORITY\Local service"
Once I removed the windows options host process : true, I was able to deploy the Daemonset but the pod failed to start with the below error
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox container for pod "fluent-bit-windows-k5ghx": Error response from daemon: network host not found
spec:
hostNetwork: true
securityContext:
windowsOptions:
# hostProcess: true
runAsUserName: "NT AUTHORITY\\Local service"
I think this is to do with my k8s version. right now I am on 1.21.
Windows HosProcess containers are alpha feature in 1.22 and beta in 1.23 which is trying to address the issue that i mentioned.
https://kubernetes.io/blog/2021/08/16/windows-hostprocess-containers/
https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/
Here's a post more specific to your use case, using HostProcess pods: https://coolstercodes.com/windows-hostprocess-pod-host-file-access/