From 707481c6fafe1daa8dc551c7b7943482600f99ea Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 28 Nov 2025 21:26:42 -0600 Subject: [PATCH] fluent-bit: deploy DaemonSet This DaemonSet runs Fluent Bit on all nodes in the cluster. The ConfigMap that contains the pipeline configuration is actually managed by Ansible, so that it can remain in sync with the configuration used by Fluent Bit on non-Kubernetes nodes.
---
fluent-bit/fluent-bit.yaml | 87 +++++++++++++++++++++++++++++++++++ fluent-bit/kustomization.yaml | 25 ++++++++++ fluent-bit/namespace.yaml | 6 +++ fluent-bit/rbac.yaml | 42 +++++++++++++++++ 4 files changed, 160 insertions(+) create mode 100644 fluent-bit/fluent-bit.yaml create mode 100644 fluent-bit/kustomization.yaml create mode 100644 fluent-bit/namespace.yaml create mode 100644 fluent-bit/rbac.yaml
diff --git a/fluent-bit/fluent-bit.yaml b/fluent-bit/fluent-bit.yaml
new file mode 100644
index 0000000..d03b0ab
--- /dev/null
+++ b/fluent-bit/fluent-bit.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fluent-bit
+ labels: &labels
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+spec:
+ selector:
+ matchLabels: *labels
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ containers:
+ - name: fluent-bit
+ image: cr.fluentbit.io/fluent/fluent-bit
+ imagePullPolicy: IfNotPresent
+ args:
+ - -c
+ - /etc/fluent-bit/fluent-bit.yml
+ env:
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - CAP_DAC_READ_SEARCH
+ volumeMounts:
+ - mountPath: /etc/fluent-bit
+ name: fluent-bit-config
+ readOnly: true
+ - mountPath: /etc/machine-id
+ name: machine-id
+ readOnly: true
+ - mountPath: /etc/pki/ca-trust/source/anchors
+ name: dch-ca
+ readOnly: true
+ - mountPath: /run/log
+ name: run-log
+ readOnly: true
+ - mountPath: /var/lib/fluent-bit
+ name: fluent-bit-data
+ - mountPath: /var/log
+ name: var-log
+ readOnly: true
+ dnsPolicy: ClusterFirstWithHostNet
+ securityContext:
+ seLinuxOptions:
+ type: spc_t
+ serviceAccountName: fluent-bit
+ tolerations:
+ - effect: NoExecute
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ volumes:
+ - name: dch-ca
+ configMap:
+ name: dch-root-ca
+ items:
+ - key: dch-root-ca.crt
+ path: dch-root-ca-r2.crt
+ - name: fluent-bit-config
+ configMap:
+ name: fluent-bit
+ - name: fluent-bit-data
+ hostPath:
+ path: /var/lib/fluent-bit
+ type: DirectoryOrCreate
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ type: File
+ - name: run-log
+ hostPath:
+ path: /run/log
+ type: Directory
+ - name: var-log
+ hostPath:
+ path: /var/log
+ type: Directory
diff --git a/fluent-bit/kustomization.yaml b/fluent-bit/kustomization.yaml
new file mode 100644
index 0000000..c0c43ab
--- /dev/null
+++ b/fluent-bit/kustomization.yaml
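Review bot: The container `securityContext` drops all capabilities and makes the root filesystem read-only, but leaves `allowPrivilegeEscalation` and `seccompProfile` unset, and the pod-level `seLinuxOptions.type: spc_t` turns SELinux confinement off for the whole pod — a broad grant for a process whose host access, per the mounts, is reading `/var/log`, `/run/log`, `/etc/machine-id` and writing `/var/lib/fluent-bit`. Add `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` next to `readOnlyRootFilesystem: true`; both are free for Fluent Bit. If the nodes run container-selinux, try `container_logreader_t` in place of `spc_t` — it exists for the host-log-reader case — though whether it also covers the read-write `/var/lib/fluent-bit` hostPath cannot be confirmed from here, so test before switching. Separately, `dnsPolicy: ClusterFirstWithHostNet` without `hostNetwork: true` behaves like plain `ClusterFirst`; either host networking was intended or the value should be dropped so the manifest does not suggest it.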
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fluent-bit
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: fluent-bit
+ includeTemplates: false
+ includeSelectors: true
+- pairs:
+ app.kubernetes.io/part-of: fluent-bit
+ includeTemplates: true
+ includeSelectors: false
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- fluent-bit.yaml
+#- network-policy.yaml
+- ../dch-root-ca
+
+images:
+- name: cr.fluentbit.io/fluent/fluent-bit
+ newTag: 3.2.8
diff --git a/fluent-bit/namespace.yaml b/fluent-bit/namespace.yaml
new file mode 100644
index 0000000..725f7af
--- /dev/null
+++ b/fluent-bit/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
diff --git a/fluent-bit/rbac.yaml b/fluent-bit/rbac.yaml
new file mode 100644
index 0000000..c8ad467
--- /dev/null
+++ b/fluent-bit/rbac.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ - pods
+ - nodes
+ - nodes/proxy
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fluent-bit
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fluent-bit
+subjects:
+ - kind: ServiceAccount
+ name: fluent-bit
+ namespace: fluent-bit
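Review bot: `images[].newTag: 3.2.8` pins a mutable tag, and the DaemonSet pulls it with `imagePullPolicy: IfNotPresent`, so each node runs whatever image it last cached under that tag and a re-tagged upstream image is picked up silently on new nodes; pin by content instead, replacing `newTag` with `digest: sha256:<digest of the 3.2.8 image you tested>`, which makes the rollout reproducible and tamper-evident. The commented-out `#- network-policy.yaml` leaves the namespace with no NetworkPolicy, so a pod holding a cluster-wide RBAC token has unrestricted ingress and egress; a default-deny with egress limited to the API server, DNS and the log destination is the shape worth adding before this line is uncommented, or the comment should say why it is deferred. As a YAML hygiene point, quote the tag (`newTag: "3.2.8"`) so a future two-component tag such as `3.3` is not read as a float.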
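Review bot: The Namespace carries no Pod Security Admission labels, while the DaemonSet scheduled into it uses hostPath volumes and an `spc_t` SELinux type, neither of which passes the `baseline` profile; if the cluster enforces PSA the pods are rejected, and if it does not, the exemption is implicit and invisible. Label the namespace so the decision is recorded, `pod-security.kubernetes.io/enforce: privileged` together with `pod-security.kubernetes.io/audit: baseline`, and put a comment above `labels:` explaining it, e.g. `# privileged: fluent-bit reads host logs via hostPath and runs as spc_t`. Whether PSA is enabled on this cluster is not visible from the patch.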
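Review bot: The ClusterRole grants `get`/`list`/`watch` on `nodes` and `nodes/proxy` cluster-wide; `get` on `nodes/proxy` lets whoever holds this ServiceAccount token reach the kubelet API on every node through the API server (`/api/v1/nodes/<node>/proxy/...`), which includes the pod exec endpoint and is generally treated as node-level escalation rather than a read-only grant. Fluent Bit's kubernetes filter needs only `pods` (plus `namespaces` when namespace metadata is enabled) unless the pipeline is configured with `Use_Kubelet On`, and since the commit message says the pipeline ConfigMap is managed by Ansible outside this repo, that cannot be checked here. If kubelet mode is not in use, drop `- nodes` and `- nodes/proxy` from `resources`; if it is, keep them and add a comment above `- nodes` stating they exist for `Use_Kubelet` and the kubelet access they imply, e.g. `# nodes/proxy: required for Use_Kubelet; grants kubelet API access on every node`.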